[dnsext] rfc6195bis draft : thoughts on CLASS sub-registry

Alfred Hönes <ah@TR-Sys.de> Wed, 28 March 2012 22:12 UTC

Return-Path: <A.Hoenes@TR-Sys.de>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ADD121E80FB for <dnsext@ietfa.amsl.com>; Wed, 28 Mar 2012 15:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.039
X-Spam-Level:
X-Spam-Status: No, score=-98.039 tagged_above=-999 required=5 tests=[AWL=-0.490, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, HELO_EQ_DE=0.35, J_CHICKENPOX_52=0.6, J_CHICKENPOX_62=0.6, MIME_8BIT_HEADER=0.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id itWjH3G8X5aC for <dnsext@ietfa.amsl.com>; Wed, 28 Mar 2012 15:12:23 -0700 (PDT)
Received: from TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by ietfa.amsl.com (Postfix) with ESMTP id AB80A21E8106 for <dnsext@ietf.org>; Wed, 28 Mar 2012 15:12:22 -0700 (PDT)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3.2) id AA280042673; Thu, 29 Mar 2012 00:11:13 +0200
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id AAA14627; Thu, 29 Mar 2012 00:11:11 +0200 (MESZ)
From: Alfred =?hp-roman8?B?SM5uZXM=?= <ah@TR-Sys.de>
Message-Id: <201203282211.AAA14627@TR-Sys.de>
To: dnsext@ietf.org
Date: Thu, 29 Mar 2012 00:11:11 +0200 (MESZ)
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset=hp-roman8
Content-Transfer-Encoding: 7bit
Subject: [dnsext] rfc6195bis draft : thoughts on CLASS sub-registry
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 22:12:24 -0000

Reconsidering the section on the DNS CLASSes sub-registry in the
rfc6195bis draft, some thoughts came to my mind.

I'd like to emphasize that this is a rough sketch to solicit
discussion, not a request to change the draft (at this stage).


* RFC 6410 (2-track) emphasizes the criteria for Internet Standard,
  which include removal of unused protocol options that complicate
  implementations and thereby increase the risk of security flaws.

* The only Data CLASSES registered were originally specified in
  RFCs 882+883 (November 1983) and finally standardized in STD 13,
  RFCs 1034+1035 (November 1987), and in non-IETF documents listed
  in the IANA registry with references dating back to June 1981
  and April 1987.  The only other change to the set of assigned
  DNS CLASS codepoints was the addition of QCLASS NONE by RFC 2136
  (April 1997).

  The only Data CLASS in public use is IN, the other registered
  Data CLASSes are used in the contemporary Internet in some
  obscure, implementation-specific manner (with strictly local
  scope) by diagnostic functions built into DNS servers.
  (This clearly is a hack, but it obviously works sufficiently for
  those who know how to use that.)

* Therefore, the addition of new Data CLASSes seems to be a feature
  that does not fulfill a perceived need of the Internet community
  and isn't expected to happen in the foreseeable future.
  Given the significant potential issues with QCLASSes (see below),
  there alse does not seem to exist a need for new QCLASSes, since
  selection among an essentially one-element set of Data CLASSes
  does not admit a great variety of choices anyway.

  Does that mean that we also should *close* the DNS CLASSes IANA
  subregistry with the rfc6195bis draft ?

  Doing so would allow to significantly shorten the text in the
  draft on CLASS value assignment policy.

  Note that there is a CLASS range dedicated for Private Use, which
  could be used anyway for proprietary functions, if deemed useful.

* Delegation in the DNS happens within the namespace of a Data CLASS.
  The current global, unique DNS root only delegates for CLASS=IN.
  Therefore, the QCLASS=* (ANY) defined in STD 13 is rather
  problematic and complicates implementations much more than it
  might be regarded justified by occasional use for curiosity.
  The basic reason is that, due to the independent delegation trees
  for domain names per Data CLASS, queries with QCLASS=* are of no
  practical value, and might even be regarded as conceptionally
  inappropriate.  This already has been observed repeatedly in the
  past, *very long* ago.

  Both RFC 1034 and RFC 1035 already scratch at that idiosyncrasy
  and specify that responses to QCLASS=* can never be authoritative;
  these clauses already were present in RFCs 882+883.

  STD 3, RFC 1123 (s6.1.2.2) says:
   "A query with "QCLASS=*" SHOULD NOT be used unless the requestor
    is seeking data from more than one class. In particular, if the
    requestor is only interested in Internet data types, QCLASS=IN
    MUST be used."
  (Note that the summary table in s6.1.5 contradicts the above;
   the respective check ('X') should be in the "SHOULD NOT" column,
   not in the "SHOULD" column.)
  Use of the DNS on the public Internet per definition is "interested
  in Internet data types" only, so the "SHOULD NOT already applies
  since October 1989.

* Thus, in the sense of RFC 6410, RFCs 1034 and 1035 contain protocol
  elements that complicate implementations, are of no practical
  benefit and de facto not in use -- since two and a half decades.
  Thereby, any revision to STD 13 would have to eliminate such
  feature as QTYPE=* in order to pass the IESG today.

  So the question arises whether it would be wise to now formally
  deprecate QCLASS=* (maybe declare it HISTORIC and NOT RECOMMENDED
  for implementation).

  This could be done in rfc6195bis or in an independent Standards
  Track RFC, but procedurally it would be much less work if done
  in rfc6195bis.  (Note that the I-D targets BCP status and hence
  actually can update Standards Track RFCs.)


Thoughts, opinions?


Kind regards,
  Alfred.