IETF Logo Mail Archive

Re: [dd] [Ext] Desired extensions to today's DNS delegation?

Paul Wouters <paul@nohats.ca> Thu, 08 February 2024 15:55 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dd@ietfa.amsl.com
Delivered-To: dd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2773BC14F617 for <dd@ietfa.amsl.com>; Thu, 8 Feb 2024 07:55:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Za3Juc_R6HxD for <dd@ietfa.amsl.com>; Thu, 8 Feb 2024 07:55:36 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AD3EC14F61D for <dd@ietf.org>; Thu, 8 Feb 2024 07:55:35 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4TW1m54dXTz3Ml; Thu, 8 Feb 2024 16:55:33 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1707407733; bh=HoWmwnw031E+pJj6ZCG8bB16fFGD7NwxNGBkTWsAkBQ=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=MJwDpu3QSlhwM/yz+bY/+5gB62nZJxmlREMHdBAk6JVacx/mS7PcyrXGDKjkfbSuA wadnidbDGFhS5SkGqyLmSFrjCLn0TU9U5YDxCTbyUOk7zWNyEa6qesgdg7RkujBopY 7e4Wm6v6Yg+swQQWPn4+dq0DyMQZvzKdHHxx3er4=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 4C6_eUvY1dr1; Thu, 8 Feb 2024 16:55:32 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Thu, 8 Feb 2024 16:55:32 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 529A3111A27E; Thu, 8 Feb 2024 10:55:31 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 4FC80111A27D; Thu, 8 Feb 2024 10:55:31 -0500 (EST)
Date: Thu, 08 Feb 2024 10:55:31 -0500
From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@icann.org>
cc: "dd@ietf.org" <dd@ietf.org>
In-Reply-To: <4E8ECD82-586C-4C2A-ABB9-2071681D62C6@icann.org>
Message-ID: <18893980-6dd5-2e5f-06dc-d375533bcd44@nohats.ca>
References: <B7E6F8FD-0B14-41BF-BFE0-5CF2FEB576E9@icann.org> <4E8ECD82-586C-4C2A-ABB9-2071681D62C6@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dd/uIRqkqBord6WZSqwthRKoc8Nk40>
Subject: Re: [dd] [Ext] Desired extensions to today's DNS delegation?
X-BeenThere: dd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Delegation <dd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dd>, <mailto:dd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dd/>
List-Post: <mailto:dd@ietf.org>
List-Help: <mailto:dd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dd>, <mailto:dd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Feb 2024 15:55:41 -0000

On Thu, 8 Feb 2024, Paul Hoffman wrote:

>> It's not clear to what extent this is related to DNS delegations at all (see draft-sullivan-dbound-problem-statement-02 Section 2) -- but perhaps it may be worth thinking about it for a little (even if only to declare it out of scope).
>
> That's a good addition to the list. Note that this informal list is just possibilities, not definitive. Personally, I'd be happy if people here investigated DBOUND and PSL ideas to see if they might apply.

I generalized this a bit in my draft email yesterday:

- signed statements of child zone policies or properties mapped into parent record (think dnskey flags).

You also had in your list:

> - Signed NS and glue records: Greater assurance for validating resolvers of information they receive currently

I think you mean "signed delegation pointer to delegation material". Eg
I don't think you mean actually signing the current NS/glue at the
parent by the parent?

Other items I have:

- A usuable method to kickstart and/or update the alias method purely in
   DNS (think CDS/CSYNC like), avoiding RRR-model issues and delays.

- A controversial one, that might be impossible, but would be cool to have
   so would like the WG to think about it. If we could see multiple DNS hosters
   for the child (each with NS/DS like records), and if one DNS hoster gives
   a non-existent result, to try the other DNS hoster. This would help
   people that feed (eg via REST API) zone updates to multiple DNS
   hosters, in case one of them fails in various different ways.

- Another accidental feature or bug is if the parent contains enough
   information that looking up the child isn't even neccessary anymore.
   eg this is almost like serving without a zone cut. (eg if you have
   A/AAAA/MX of apex, perhaps you don't need anything else from a real child
   zone). Similar to the .de deployment options.

Paul

v2.23.0 | Report a Bug | By Email