Re: [dnsext] New Version Notification for draft-barton-clone-dns-labels-fun-profit-00

Doug Barton <> Tue, 08 March 2011 01:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 299083A69E0 for <>; Mon, 7 Mar 2011 17:32:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.566
X-Spam-Status: No, score=-2.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2QN8rzG97Hct for <>; Mon, 7 Mar 2011 17:31:58 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id A68553A69DF for <>; Mon, 7 Mar 2011 17:31:58 -0800 (PST)
Received: (qmail 13466 invoked by uid 399); 8 Mar 2011 01:33:08 -0000
Received: from (HELO ( by with ESMTPAM; 8 Mar 2011 01:33:08 -0000
Message-ID: <>
Date: Mon, 07 Mar 2011 17:33:07 -0800
From: Doug Barton <>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv: Gecko/20110304 Thunderbird/3.1.9
MIME-Version: 1.0
To: Nicholas Weaver <>
References: <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.1.2
OpenPGP: id=1A1ABC84
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [dnsext] New Version Notification for draft-barton-clone-dns-labels-fun-profit-00
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 08 Mar 2011 01:32:00 -0000

On 03/07/2011 07:47, Nicholas Weaver wrote:
> On Mar 7, 2011, at 5:56 AM, Doug Barton wrote:
>> As promised I've managed to squeak this draft in under the wire. As
>> I say in the Foreword I expect that it will need some polishing,
>> and if the group chooses to adopt the document I look forward to
>> getting lots of help with that. :)
> Interesting,

Thanks. :)

> but a couple of comments:
> For the non-CLONE aware case (no EDNS0 option in query), I think
> instead of returning "as if" its an alias, INSTEAD it should be a
> CNAME or DNAME with TTL=0 with the part the authority is responsible
> for canonicalized.

All due respect, I think you're missing the whole point. :)  Users want 
to be able to use the variant labels (including things like being on the 
RHS of NS and MX records) so the idea is to deal with them on a basis 
that is as equal as possible.

> The more important configuration is probably the model of
> CARNS STUB<---->  Non-CARNS Resolver<--->  CARNS Auth.

I hadn't considered the idea of making a stub CLONE-Aware, but I like 
it. :)

> As it is far more likely that clients will upgrade (EG, as part of
> the browser or OS) rather than resolver authorities in many cases.
> I do not know if unknown EDNS0 options are likely to be passed from
> the stub to the authority through the intermediary resolver,

I'm not sure what the default behavior is there, but if the actual 
resolver is not CLONE-Aware then sending the option wouldn't help since 
it wouldn't understand any CLONE RRs that it received back.

> The CLONE RR really needs to be a "canonicalization program",
> describing a set of character/word transformations that should be
> applied, NOT just a simple pointer.[1]

How would you represent the canonicalization?

> This enables CLONEs to be
> DNSSEC signed offline.  Otherwise, if you want DNSSEC EVEN FOR
> CLONE-aware clients, you need to...
> Discuss online signing.

I'm not sure why, but I'm happy to be educated. The idea I have in mind 
is that the zone for the preferred label can be DNSSEC signed in the 
regular way, and a CLONE-Aware resolver can validate responses for the 
CLONE labels "as if" they had been responses for the preferred labels.

Thanks again for the comments. :)


> [1]  I believe that if CLONE is just a simple pointer, it is
> unnecessary, because 0 TTL CNAMES and DNAMES can accomplish the same
> thing.  The value in a CLONE-type new RR and associated EDNS0
> signaling lies in allowing it to work with the offline DNSSEC
> signature model.


	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)