Re: DNS vs. non-DNS Data (was Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt))

[Kevin Darcy <kcd@daimlerchrysler.com>]

Eric A. Hall wrote:

> > > in general, we discourage storing non-dns data in the dns.
> >
> > What is the definition of "DNS data", actually?
>
> Actually, it's probably a good idea to develop a concept consensus.
>
> My definition is that the DNS is a lookup service similar to ARP. It just
> happens to be distributed across a collection of interconnected partitions
> in a hierarchical structure -- and there's a bunch of referral stuff to
> make sure queries are sent to the right place -- but in the end devices
> just issue targetted lookups for named resources and they expect an
> unambiguous and consistent answer.
>
> In that model, www.ehsco.com., mail.daimlerchrysler.com and ops.ietf.org
> are all peer entries in a massive *FLAT* database (they happen to be
> stored in separate partitions represented by a namespace but the global
> database itself is flat).
>
> Stuff that belongs in DNS is stuff that benefits from being used in a
> non-authenticated, unambiguous, lightweight lookup service which is backed
> by a global hierarchy of independent partitions. Stuff that doesn't belong
> is anything that requires authentication, is ambiguous, can be served by a
> standalone lookup, or consumes more valuable resources than it provides.

This is possibly too narrow a definition. With DNSSEC, authentication of
queries is possible and perhaps even desirable. As for "ambiguous", what
exactly do you mean by that term? It is perfectly normal and acceptable for
different clients to get different answers to the same DNS question
(depending on their source address and/or which DNS server they ask, when
they ask it, etc.). Does that constitute "ambiguity"? As for "consumes more
valuable resources than it provides", we'll wait to see how efficient DNSSEC
proves to be :-)

> MX RRs work okay in that model. SRV RRs work okay (if they are picked up
> and used to refer to richer or low-commodity-value services). Application
> configuration does not belong (local only). User data does not belong
> (requires authentication).
>
> or was your question rhetorical

Would I ask a rhetorical question? :-)

No, actually, it wasn't rhetorical. I'm looking for a *principled* standard
by which to judge what kinds of data should go into DNS and what kinds of
data shouldn't. Seems to me the determinations have been pretty much
_ad_hoc_ thusfar.

I should perhaps point out that I have no vested interest here. I have no
proposals in mind for new resource-record types, or new uses for existing
types, that could reasonably be considered "non-DNS data". I just don't like
arbitrariness or even the appearance of same.

Question: wasn't it the whole *point* of DNSSEC to offer a secure key
repository to applications? It's hard to believe that so much time and effort
would be expended just to secure DNS *itself*...


- Kevin





to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.