IETF Logo Mail Archive

Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt

Patrik Fältström <paf@cisco.com> Sun, 27 February 2011 20:07 UTC

Return-Path: <paf@cisco.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9B9DC3A67C1 for <dnsext@core3.amsl.com>; Sun, 27 Feb 2011 12:07:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.059
X-Spam-Level:
X-Spam-Status: No, score=-10.059 tagged_above=-999 required=5 tests=[AWL=0.240, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B8nh9qNi3eWz for <dnsext@core3.amsl.com>; Sun, 27 Feb 2011 12:07:33 -0800 (PST)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by core3.amsl.com (Postfix) with ESMTP id 4D3013A67B0 for <dnsext@ietf.org>; Sun, 27 Feb 2011 12:07:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=paf@cisco.com; l=2362; q=dns/txt; s=iport; t=1298837312; x=1300046912; h=mime-version:subject:from:in-reply-to:date: content-transfer-encoding:message-id:references:to; bh=urNk8I0GVPM/YKeq6Gio7LHHDW1ILrRGvfWWzTf2fnQ=; b=mUvJk7yrhUd7DWY+IC5lGV0+ZiwMmYeMTIlzvvAHHoF47grYhdkksp0z T3WiWX1JkU/iH532Jf5fggH6U9dNEh8S3sLiF7JfOmRMO0D5qm4tEln+e hBWt7o2zAsZISBUFV0pi3Co0mbsi1sg5gvQhsi+iJjiXC5HtJXoVZgZwV c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AjgGACs+ak2Q/khMgWdsb2JhbACYMY4TFQEBFiIlnlKaTIVhBIwd
X-IronPort-AV: E=Sophos;i="4.62,235,1297036800"; d="scan'208";a="20227954"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-2.cisco.com with ESMTP; 27 Feb 2011 20:08:31 +0000
Received: from ams3-vpn-dhcp629.cisco.com (ams3-vpn-dhcp629.cisco.com [10.61.66.117]) by ams-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p1RK8URE030327 for <dnsext@ietf.org>; Sun, 27 Feb 2011 20:08:31 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Apple Message framework v1082)
From: Patrik Fältström <paf@cisco.com>
In-Reply-To: <20110227191542.6824.qmail@joyce.lan>
Date: Sun, 27 Feb 2011 21:08:30 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <335963D7-3440-45E6-843C-38F419462792@cisco.com>
References: <20110227191542.6824.qmail@joyce.lan>
To: dnsext@ietf.org
X-Mailer: Apple Mail (2.1082)
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Feb 2011 20:07:34 -0000

There are a few things I think makes this discussion hard...and that is that the overall usability is a requirement in the usability, manageability etc while what we talk about is "only" what we do in DNS. What we should (and can) do in DNS must then match whatever application layer/protocol behaviour, which in turn depends on how the protocol works.

What I *think* could be interesting is one of these things as very high level issues to look at, that btw I think sort of is written in the draft, but using DNS terminology ;-)

1. Aliases

1.1. If we today have two delegations, we do have a risk that one of the delegations changes holder while the other does not. Can one of the two be an alias to the other, and the two then bundled by policy in the registry so we absolutely know one and only one holder controls the data for the names (plural)?

1.2. If we today have two delegations, synchronization of the two delegations imply provisioning systems must place the same records in two zones. Can we solve the problem in different ways?

2. Support of more application layer aliases

2.1. In HTTP and a few other protocols, we have the ability to do a redirect inside the application layer protocol itself. We do not have that in all protocols. In other we have things like the MX records. Do we with IDN etc need more of these, and do we need a mechanism in DNS that "help" such redirect in a "lower" layer in the resolution algorithm?

2.2. When using HTTP HOST header, and SSL where the DN of the cert is matched with the domain name used, it is kind of problematic to match the application layer with what originally was entered by the user. Is there some need for DNS layer aliases that changes what later is matched in the application layer comparisons?

3. Comparison algorithm

3.1. We can not change the matching algorithm in DNS

3.2. Given we can not change the matching algorithm in DNS, do we need something in DNS that matches some new(?) matching algorithm in the application layer so that the two together produce the result we are after?

4. How do we ensure skilled apps people manage to work with skilled DNS people so that the end result is optimal? (something IETF is not always very good at...)

Now beat me up!

   Patrik

v2.23.0 | Report a Bug | By Email