IETF Logo Mail Archive

[dd] A generalised delegation extension mechanism

Roy Arends <roy@dnss.ec> Fri, 22 March 2024 00:17 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: dd@ietfa.amsl.com
Delivered-To: dd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 246B3C151076 for <dd@ietfa.amsl.com>; Thu, 21 Mar 2024 17:17:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pXV2ljdlWWgN for <dd@ietfa.amsl.com>; Thu, 21 Mar 2024 17:17:30 -0700 (PDT)
Received: from mail-qv1-xf2d.google.com (mail-qv1-xf2d.google.com [IPv6:2607:f8b0:4864:20::f2d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5449C14F70C for <dd@ietf.org>; Thu, 21 Mar 2024 17:17:29 -0700 (PDT)
Received: by mail-qv1-xf2d.google.com with SMTP id 6a1803df08f44-69625f89aa2so13909026d6.3 for <dd@ietf.org>; Thu, 21 Mar 2024 17:17:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; t=1711066648; x=1711671448; darn=ietf.org; h=to:message-id:subject:date:mime-version:content-transfer-encoding :from:from:to:cc:subject:date:message-id:reply-to; bh=Ga/OyMZXNw1CEhEMJUlYZgMB6y/uJgWDHu5CuT0HBy8=; b=QXgv69iKWzz1se41sm6N0KFVjrumk2TrhQ2Cb4EzzfqjPRaiZb9W56J4p41vTZjhk8 uzIWDHPTDE0vvwBgensa1tPGKS/AbK0lkYee+ySEbqfQZPXEAF7988Pd2MVYtj/ZKFl0 U4VpubGMvsbVq+ypID8Y4HChLC88G4HoSi05M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711066648; x=1711671448; h=to:message-id:subject:date:mime-version:content-transfer-encoding :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Ga/OyMZXNw1CEhEMJUlYZgMB6y/uJgWDHu5CuT0HBy8=; b=oH12wc/jJjOltI3RXQxaqyFiHarmB8Kqmltb3py5gn7iYLx3dxqqD2QYdnEWVyfBJ6 v3AgeNc7O41/qBMPdeOxxba7U93Nzs6JabgNbvLSunbFhqM0/6pt1s/sa/U/It3fZsoX mGZujMnC+1tpzKCefkXFwMIu1nPh37qDrRha8C+i8XrVja1YpyRK+kW0CVHQPlsDT8sr ovax8SR2U5ZLuF+MYt/levK/LrqpLDIyofklg6Pe1PbR0vftEQXFC2ZPGi/BLJulT3nM NSyvxorewuXrUvyw7aVVrqs4dwzES/5ji+JPSIihk9/xR6etLnfiifbp8/DoetFNHxHn 77UQ==
X-Gm-Message-State: AOJu0YzTGQr2o+Fes3yyLgnD4Ex06Ynf4L32CQu/B1b66QEABNnp0IIp kjiSh7qXfrvSos7/di0Xe/FndSpPPNIy8mhqXb1u2tNKlzo4ALC7sLrNLc0yKc/TSsDD56Jv4rH SkkQ=
X-Google-Smtp-Source: AGHT+IE+cVcLLDwRxpdlwDXV+IqzeEixXXE+AP9jwA0fECl3OU6EzSOeZjIV0HoqHcJE9pYt5DQ59A==
X-Received: by 2002:a05:6214:d6c:b0:696:309f:6dd with SMTP id 12-20020a0562140d6c00b00696309f06ddmr918228qvs.45.1711066648453; Thu, 21 Mar 2024 17:17:28 -0700 (PDT)
Received: from smtpclient.apple ([88.81.146.139]) by smtp.gmail.com with ESMTPSA id q15-20020ad45caf000000b0069124066c2fsm461605qvh.140.2024.03.21.17.17.27 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Mar 2024 17:17:28 -0700 (PDT)
From: Roy Arends <roy@dnss.ec>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Fri, 22 Mar 2024 00:17:15 +0000
Message-Id: <788F5802-B7BB-4C18-A274-9A6BE2C23E30@dnss.ec>
To: dd@ietf.org
X-Mailer: Apple Mail (2.3774.400.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dd/b4LZMqF4FfgbcUhsWyxxUpa6Bx8>
Subject: [dd] A generalised delegation extension mechanism
X-BeenThere: dd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Delegation <dd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dd>, <mailto:dd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dd/>
List-Post: <mailto:dd@ietf.org>
List-Help: <mailto:dd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dd>, <mailto:dd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 00:17:35 -0000

The following is based on [1] by Petr Spacek and Peter van Dijk and conversations with Paul Wouters and Ben Schwartz (This namedropping should not be seen as endorsements for the following, but merely credit where credit is due).

To make delegations truly extensible, the extension mechanism (the changes to the DNS protocol) to allow DELEG to work, and DELEG (the record, and what it facilitates) should be separate and the extension mechanism should be generalised..

The “generalised” delegation extension mechanism states what to include in a delegation response and how to signal to the validator that it must expect this information. It would contain an IANA request to mark a range of RRTYPEs as “parent side only”. (See [1]). An authoritative server must include these in a delegation when they are present in a zone (such as DS records), including the authenticated denial record (this “always include NSEC/NSEC3” is an idea from Ben Schwartz)

Why?

Future "parent side only” record types should not require a new signalling mechanism. (Paul Wouters insight, and I agree)
Authoritative (secondary) servers that know to include records from a range in a delegation do not need to understand these records. They can be an opaque blob. 

Roy Arends

[1] see https://www.ietf.org/archive/id/draft-peetterr-dnsop-parent-side-auth-types-00.txt

v2.35.0 | Report a Bug | By Email | System Status