Re: [dbound] Fw: New Version Notification for draft-yao-dbound-dns-solution-00.txt
Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 02 October 2015 21:33 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67A001B2EFE for <dbound@ietfa.amsl.com>; Fri, 2 Oct 2015 14:33:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_05=-0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYBbafuYcQlm for <dbound@ietfa.amsl.com>; Fri, 2 Oct 2015 14:33:24 -0700 (PDT)
Received: from mx2.yitter.info (mx2.yitter.info [IPv6:2600:3c03::f03c:91ff:fedf:cfab]) by ietfa.amsl.com (Postfix) with ESMTP id 159D11B2F02 for <dbound@ietf.org>; Fri, 2 Oct 2015 14:33:24 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx2.yitter.info (Postfix) with ESMTP id 9F6381072E for <dbound@ietf.org>; Fri, 2 Oct 2015 21:33:23 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx2.yitter.info ([127.0.0.1]) by localhost (mx2.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dr46yzmOMNzj for <dbound@ietf.org>; Fri, 2 Oct 2015 21:33:22 +0000 (UTC)
Received: from anvilwalrusden.com (unknown [IPv6:2601:18d:8600:1da9:611b:b371:ffeb:72e7]) by mx2.yitter.info (Postfix) with ESMTPSA id 9092C10662 for <dbound@ietf.org>; Fri, 2 Oct 2015 21:33:22 +0000 (UTC)
Date: Fri, 02 Oct 2015 17:33:21 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dbound@ietf.org
Message-ID: <20151002213320.GN91013@anvilwalrusden.com>
References: <2015092917052161861514@cnnic.cn>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <2015092917052161861514@cnnic.cn>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dbound/tXlWrsUbOxqTxkDafFV7ToT-nvw>
Subject: Re: [dbound] Fw: New Version Notification for draft-yao-dbound-dns-solution-00.txt
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Oct 2015 21:33:26 -0000
Hi, On Tue, Sep 29, 2015 at 05:06:23PM +0800, Jiankang Yao wrote: > Dear all, > > I submit a draft about dbound solution. > any comments are welcome. Thanks for this contribution. I've read it, and I have some comments. It seems to me that this approach is not too dissimilar to a couple of the earlier approaches I took to the problem. In https://tools.ietf.org/html/draft-sullivan-domain-origin-assert-02 I had two different ways to assert the policy boundaries: either with names alone, or else with ports and schemes as well. In https://tools.ietf.org/html/draft-sullivan-zone-policy-assertions, I had a target document that included various policies for the zone. In draft-yao-dbound-dns-solution, there is a combination of these approaches, AFAICT, such that either the mechanism can do what the current SOPA draft offers (the one Jeff and I are working on), or else you can get a policy document from elsewhere. The features of the get-document-from-elsewhere part seem to me to be somewhat underdefined in the draft, so it's hard to know what is intended for it, but I suspect it shares the same problem that the zone-policy-assertions draft I wrote did: you could put more or less anything in the target policy, so it's nearly impossible to understand what the effects of this mechanism would be, and the ways to express the policies need to be well worked out in advance. RRTYPEs are not that expensive, so we probably don't need a general-purpose mechanism here. So I think the flag field is probably not a good idea in its own right. I'm also extremely uncomfortable with an RRTYPE that includes its own subtyping mechanism, because it isn't clear to me what an application ought to do in case both types are at the same owner name (which is certainly legal under the DNS). The relation field seems unnecessary. The "ancestry" relationship in draft-deccio-dbound-name-relationships can be read directly off the domain name itself, so explicitly including data for it in the DNS seems wasteful. The service type field got me into trouble when I tried to do this with draft-sullivan-domain-origin-assert-02. There are two reasons. First, this effectively ties DNS RDATA directly to other services, whereas we've traditionally used the DNS as a lookup device to find more stuff. (SRV and related data types already strain this boundary, and arguably DANE does too, so maybe it's no big deal.) The bigger problem, however, is that it involves a new specification of how to construct (e.g.) the same-origin rules that is totally incompatible with existing policy-enforcement deployed code. As a result, it seems fantastically unlikely to get deployed. It also isn't clear whether how the proposal can be used in the absence of the data: it seems to require a lookup at the time resources are being used. Anything that involves additional lookups in real time will simply not fly: the browsers (and mobile device people) are terribly sensitive to additional latency, lookups, and so on. So it needs to offer a way that existing code that uses a built-in PSL can work. I can see how one could construct such a list with this mechanism, but the addition of the service field means that it won't be a drop-in replacement. (Without that service field, as John Levine already noted, this proposal is no different from the SOPA type Jeff and I suggested.) Finally, I _really_ dislike the Expiration and Inception fields. I get what they're for, and they're attractive in themselves, but experience with DNSSEC has shown how hard it is to get such values right in the presence of caches, propagation times in the DNS, and so on. I don't even want to think about the timing considerations of TTL && propagation && RRSIG validity && policy validity. I think they should be shed. Best regards, A -- Andrew Sullivan ajs@anvilwalrusden.com
- [dbound] Fw: New Version Notification for draft-y… Jiankang Yao
- Re: [dbound] Fw: New Version Notification for dra… Daniel Kahn Gillmor
- Re: [dbound] Fw: New Version Notification for dra… John Levine
- Re: [dbound] Fw: New Version Notification for dra… Andrew Sullivan
- Re: [dbound] Fw: New Version Notification for dra… yaojk
- Re: [dbound] Fw: New Version Notification for dra… manning
- Re: [dbound] Fw: New Version Notification for dra… yaojk
- Re: [dbound] Fw: New Version Notification for dra… John R Levine
- Re: [dbound] Fw: New Version Notification for dra… yaojk
- Re: [dbound] Fw: New Version Notification for dra… yaojk
- Re: [dbound] Fw: New Version Notification for dra… John R Levine
- Re: [dbound] Fw: New Version Notification for dra… Andrew Sullivan
- Re: [dbound] Fw: New Version Notification for dra… yaojk
- Re: [dbound] Fw: New Version Notification for dra… Jiankang Yao
- Re: [dbound] Fw: New Version Notification for dra… yaojk
- Re: [dbound] Fw: New Version Notification for dra… Andrew Sullivan
- Re: [dbound] Fw: New Version Notification for dra… Andrew Sullivan
- Re: [dbound] Fw: New Version Notification for dra… Casey Deccio
- Re: [dbound] Fw: New Version Notification for dra… Jiankang Yao
- Re: [dbound] Fw: New Version Notification for dra… Kurt Andersen (b)
- Re: [dbound] Fw: New Version Notification for dra… Andrew Sullivan
- Re: [dbound] Fw: New Version Notification for dra… Andrew Sullivan
- Re: [dbound] Fw: New Version Notification for dra… Kurt Andersen
- [dbound] wildcard issue and two way assertion Jiankang Yao