IETF Logo Mail Archive

Re: [dnsext] Obsoleting SPF RRTYPE

David Conrad <drc@virtualized.org> Tue, 30 April 2013 03:22 UTC

Return-Path: <drc@virtualized.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 427E521F9C2F for <dnsext@ietfa.amsl.com>; Mon, 29 Apr 2013 20:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id au2yf8PnwaYf for <dnsext@ietfa.amsl.com>; Mon, 29 Apr 2013 20:22:31 -0700 (PDT)
Received: from trantor.virtualized.org (trantor.virtualized.org [199.48.134.42]) by ietfa.amsl.com (Postfix) with ESMTP id 6AA1A21F9C25 for <dnsext@ietf.org>; Mon, 29 Apr 2013 20:22:29 -0700 (PDT)
Received: from [10.0.1.4] (c-24-4-109-25.hsd1.ca.comcast.net [24.4.109.25]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: drc) by trantor.virtualized.org (Postfix) with ESMTPSA id C6E4217184; Tue, 30 Apr 2013 03:22:28 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: David Conrad <drc@virtualized.org>
In-Reply-To: <92BBD83F-676D-4B05-B927-4101DD5CAD3E@neustar.biz>
Date: Mon, 29 Apr 2013 20:22:27 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <72539563-0FA7-4C5E-901B-A5AFCE9CE038@virtualized.org>
References: <20130425013317.36729.qmail@joyce.lan> <80ADB3EE-17FD-4628-B818-801CB71BCBFE@virtualized.org> <alpine.BSF.2.00.1304242309150.38677@joyce.lan> <46778ED3-35A2-44B4-BE3C-AAC4F7B314FF@virtualized.org> <92BBD83F-676D-4B05-B927-4101DD5CAD3E@neustar.biz>
To: Edward Lewis <Ed.Lewis@neustar.biz>
X-Mailer: Apple Mail (2.1503)
Cc: "dnsext@ietf.org Group" <dnsext@ietf.org>
Subject: Re: [dnsext] Obsoleting SPF RRTYPE
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2013 03:22:37 -0000

Ed,

On Apr 29, 2013, at 7:49 AM, Edward Lewis <Ed.Lewis@neustar.biz> wrote:
> On Apr 25, 2013, at 0:37, David Conrad wrote:
>> Actually, I'm more intrigued as to the view of the folks on DNSEXT on this issue.
> I'm tired of hearing about it.

Sorry to hear that.

> The only concern is that pushing more data into TXT records is that, if more than one application does this and involves the same name, we are increasing the number of large RRsets pushed around.

Well, no. That's not the only concern:

1) it moves the mechanism to uniquify a DNS response out of the DNS library and into the application, forcing every protocol-specific library or application to have to deal with uniquifying the response in their own unique (and undoubtedly in some cases fascinating) way;

2) given individual RR order within an RRset is not guaranteed, it significantly complicates TXT RDATA parsing logic for any application that cares about TXT RRs;

3) It means you've reduced the amount of usable space in the RDATA since you have to have some unique string in the RDATA to key off of; and

4) because other protocols may use TXT at the same (unfortunately common) ownername, it becomes more probable that the size of the response will go over the 512 limit resulting in fragmentation or fallback to TCP increases, which imposes potential load and reachability issues, not just for SPF but for any other protocol that is using TXT at that ownername

> It's not so much a DNS *protocol/architectural" or "operations* issue.  It's more of a matter for applications (to avoid bloat) and for anti-abuse techniques (to avoid amplification).

While I agree that bloat/amplification is an issue, SPFBIS's decision impacts any future protocol that might use TXT at the same ownername as SPF.  The implication to DNSEXT is obviously that we should discourage TXT at the same ownernames as SPF uses (if not generally), but I figure that's already sort of been done. Unfortunately, I suspect "pragmatists" won't listen to such advice and then you get all of the above fun.

That's why I said "I personally believe deprecating the SPF RR is the wrong way to go".

Regards,
-drc

v2.23.0 | Report a Bug | By Email