IETF Logo Mail Archive

[dnsext] Re: DNAME (and CNAME) vs DNSSEC

Wes Hardaker <hardaker@tislabs.com> Wed, 24 September 2008 13:34 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 857E73A6DB8; Wed, 24 Sep 2008 06:34:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.495
X-Spam-Level:
X-Spam-Status: No, score=-4.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zax41agE0pKI; Wed, 24 Sep 2008 06:34:44 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 7CE8A3A6DBA; Wed, 24 Sep 2008 06:34:44 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KiUNs-0007y1-IG for namedroppers-data@psg.com; Wed, 24 Sep 2008 13:26:24 +0000
Received: from [192.94.214.100] (helo=nutshell.tislabs.com) by psg.com with esmtp (Exim 4.69 (FreeBSD)) (envelope-from <hardaker@tislabs.com>) id 1KiUNk-0007x8-9u for namedroppers@ops.ietf.org; Wed, 24 Sep 2008 13:26:18 +0000
Received: (from uucp@localhost) by nutshell.tislabs.com (8.12.9/8.12.9) id m8ODPoqq005512; Wed, 24 Sep 2008 09:25:50 -0400 (EDT)
Received: from nodnsquery(10.66.1.30) by nutshell.tislabs.com via csmap (V6.0) id srcAAAZ6a4Wk; Wed, 24 Sep 08 09:25:50 -0400
Received: from localhost.localdomain (localhost.tislabs.com [127.0.0.1]) by pecan.tislabs.com (Postfix) with ESMTP id 51F973F40C; Wed, 24 Sep 2008 09:24:23 -0400 (EDT)
From: Wes Hardaker <hardaker@tislabs.com>
To: Andrew Sullivan <ajs@commandprompt.com>
CC: namedroppers@ops.ietf.org
Subject: [dnsext] Re: DNAME (and CNAME) vs DNSSEC
Organization: Sparta
References: <20080923072354.BB38011402C@mx.isc.org> <200809230756.m8N7uHdg075258@drugs.dv.isc.org> <20080923133133.GA18300@commandprompt.com>
Date: Wed, 24 Sep 2008 06:26:07 -0700
In-Reply-To: <20080923133133.GA18300@commandprompt.com> (Andrew Sullivan's message of "Tue, 23 Sep 2008 09:31:33 -0400")
Message-ID: <sdr6797k0g.fsf@wes.hardakers.net>
User-Agent: Gnus/5.110011 (No Gnus v0.11) XEmacs/21.4.21 (linux, no MULE)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

[reposting from my proper subscribed address which I need to change;
sorry if you get 2 copies]

>>>>> On Tue, 23 Sep 2008 09:31:33 -0400, Andrew Sullivan <ajs@commandprompt.co
m> said:

AS> Given the discussion between Mike StJohns and Mark Andrews on how to
AS> handle DNAME (or CNAME) chains in a DNSSEC context, it seems to me we
AS> have three choices:

AS> 1.  Do nothing.  The documents are clear enough as they are.

I think given the discussion alone, along with my notes written on the
margins of the DNAME document I have in front of me (which I'll write up
tomorrow) that leaving it as is doesn't really help matters.

AS> 2.  Clarify this behaviour in the 2672bis-dname document.

AS> 3.  Clarify the behaviour, but in the dnssec-bis-updates document.


Nothing is more frustrating that reading a document that isn't fully
descriptive of the current environment it has to be deployed in.
Leaving it underspecified in either document is inappropriate, in my
opinion.  Leaving, for example, the DNAME document as is without
supporting text describing the interactions of DNSSEC and DNAME is not
good service to future readers who don't know where to turn for the
information.


So, IMHO, minimal narrative text is needed describing anything the WG
decides in the end is important to document.

That being said, I have no issues with cross referencing one from the
other to get things right.  However!, a pointer is likely sufficient from
the lesser-complete documentation to the other saying something like
"For a complete discussion of DNAME usage within DNSSEC, please see
[RFCXXX]".  The problem is that silly XXX that has slipped in there.  We
(obviously) can't publish the DNAME document with a referral to a
document that doesn't exist yet.

So, IMHO, you might as well solve it in the DNAME document since it's
likely to go out first.  Unless (ha ha) it's this discussion that holds
it up to the point where the other one will pull out in front.  I don't
think the document should be left in a vague state, however, that brings
about a bunch of arguments from the technical experts.  There is no way
such a document will end up helping new readers get things right.

-- 
"In the bathtub of history the truth is harder to hold than the soap,
 and much more difficult to find."  -- Terry Pratchett

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email