Re: [dnsext] experimental/testing DNSSEC algorithm identifiers

[Edward Lewis <Ed.Lewis@neustar.biz>]

At 9:54 +0200 8/12/09, Jelte Jansen wrote:

>Any thoughts?

In summary - I have doubts about the future of this proposal, no 
matter how worthy it is.

Why I am being a grump:

We (DNSIND/DNSEXT WGs)'ve had a bad experience with proposals to 
allocate "general pool" numbers.  There is the Kitchen SINK RR 
(RRType = 40, 
http://tools.ietf.org/html/draft-ietf-dnsind-kitchen-sink-02) and a 
generic key application for the old KEY RR 
(http://tools.ietf.org/html/draft-lewis-dnsext-key-genprot-00).

(Okay, those both wanted a number for general purpose use.  But the 
pool could have been greater than "one" in size.)

The dynamic in the development process is this.  (Assuming the goal 
is to get something on the standards track.)  First you want initial 
development you need to plug in a number.  You then need to produce a 
document to get the idea out.  Following this you want there to be 
some wide spread experimentation, which often borders on initial 
deployment.  With this you are prepared for standards vetting and 
then initial deployment.

The snag in this process is that your experimental deployment will 
use value 243 but IANA will give you the value 93.  You then need to 
uproot all the early adopters.  This problem is what has driven many 
applications to use the TXT record - in the case when the number in 
question is the RR type.

The difference here is that you are talking about a different 
protocol parameter, one that is more obscure.  But you will have the 
same issue when you do from -draft-" to RFC/PS and then DS.

Another problem is the documentation issue.  Look at SINK.  Yes, 
there's no RFC because the WG lost it's will to finish off the 
experiment.  On the one hand, we have the number burned into the 
registry and a way to find information about SINK.  Yes, it says 
"Eastlake" and if you know him, you can reach him.  You can also 
search for the draft in many repositories, now even the IETF has one.

If SINK had used an experimental value, you couldn't even do that. 
You might tcpdump and see something using value 243 - but until you 
fingerprinted the source IP address you might not be able tell if 
that was Jelte's bad idea of 2009 or Blacka's bad idea of 2003 (or 
even Jelte's bad idead of 2010, 2011, ...).  Reused numbers make it 
hard to do a text search for "what's happening?"

(Recall the question of "where are all the A6 queries coming from?" 
asked in 2007.  Many of knew right away - BIND - because A6 was a 
specific allocation, fully documented, moved to experimental and 
recognized as a truly had idea by all sane people.  I said "sane.")

The only place that allocating numbers for "private use" that has 
worked is in IPv4 because we have NAT.  (Which everyone "hates" to 
some extent.)  I know there's a call for them in IPv6 because we are 
used to them in IP address management.  Reusable numbers work in IP 
because we control them with the routing system, we don't have a 
similar scoping mechanism available for an application protocol.

I wish that I could be more optimistic about this effort.  I wanted 
to do it once too (for the KEY RR).  But it never seems to work.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>