IETF Logo Mail Archive

Re: draft-yao-dnsext-identical-resolution Re: [dnsext] DNSEXT sessions at IETF 78

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 20 July 2010 18:33 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BCBC03A6C6F; Tue, 20 Jul 2010 11:33:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.494
X-Spam-Level:
X-Spam-Status: No, score=-0.494 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoUi3Z3D-ZRT; Tue, 20 Jul 2010 11:33:54 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id EE2AD3A6C44; Tue, 20 Jul 2010 11:33:52 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1ObHWD-000Bsy-4i for namedroppers-data0@psg.com; Tue, 20 Jul 2010 18:26:17 +0000
Received: from [209.85.161.180] (helo=mail-gx0-f180.google.com) by psg.com with esmtp (Exim 4.72 (FreeBSD)) (envelope-from <brian.peter.dickson@gmail.com>) id 1ObHW8-000BsH-TZ for namedroppers@ops.ietf.org; Tue, 20 Jul 2010 18:26:13 +0000
Received: by gxk22 with SMTP id 22so5142918gxk.11 for <namedroppers@ops.ietf.org>; Tue, 20 Jul 2010 11:25:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=NoRczoyyNILYuEJJU/vrAyx13+ydZGfaxEXYJW6RdPc=; b=ccRyAjAdiKRWbB/HNceJUuvV/IxuMhH3nekx7XGiLwQP2fw20C1LZPFDxRQQ8WLxK/ 8fE1M0zSbj1hR/Zo1ecA1eFehkev8U2wLhAfXQ1+ChFKlTes+Rg/D8rIJlXTaogDrspG nIjZlVgG9ug9elrHELWgBnN8kYlev+dYE4chw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=klbLuGM70E/o+WRGtI4ARF5Y0BUXNGAYYWvgTKYF6OpXKI9KRP8mlpvIGqckrwN81e Mq9oGUKguHhU1mMYoDOcsbzzLq9uKRxfbO4pWqrUDUpF/1dsCH6v4CK4lyPk2SklvXnp NghBviNxuTtnGrLbw/wou4QIPeqpqu/pDuNkE=
MIME-Version: 1.0
Received: by 10.90.33.20 with SMTP id g20mr398353agg.133.1279650336631; Tue, 20 Jul 2010 11:25:36 -0700 (PDT)
Received: by 10.90.19.29 with HTTP; Tue, 20 Jul 2010 11:25:36 -0700 (PDT)
In-Reply-To: <20100720171727.GE44683@farside.isc.org>
References: <20100625012414.GC9741@shinkuro.com> <20100716004404.GA89502@farside.isc.org> <82vd8b6168.fsf@mid.bfk.de> <20100720171727.GE44683@farside.isc.org>
Date: Tue, 20 Jul 2010 15:25:36 -0300
Message-ID: <AANLkTik7K1FuBPxlLIxHCBgrokBTYCncRiUSADSM5lE4@mail.gmail.com>
Subject: Re: draft-yao-dnsext-identical-resolution Re: [dnsext] DNSEXT sessions at IETF 78
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Suzanne Woolf <woolf@isc.org>
Cc: Florian Weimer <fweimer@bfk.de>, namedroppers@ops.ietf.org
Content-Type: multipart/alternative; boundary="001636283b0ec08c69048bd5cfe1"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

On Tue, Jul 20, 2010 at 2:17 PM, Suzanne Woolf <woolf@isc.org> wrote:

> On Mon, Jul 19, 2010 at 01:39:27PM +0000, Florian Weimer wrote:
> > * Suzanne Woolf:
> >
> > > 4. Other concerns?
> >
> > I don't think pseudo-equivalence based on non-canonical names will be
> > good enough because canonical names cannot be used in some places (and
> > software actually enforces that).
>
> Examples? Send text :)
>
> > This comes pretty close to a requirement for complete
> > interchangeability.
>
> Then we have to figure out where it applies and where we can get away
> with a more relaxed requirement. As the draft already notes, all of
> the proposals we currently have treat one name as "canonical" or
> "preferred" and others as "aliases" or "variants"-- a one-way,
> asymmetrical transformation. "Shadow zones" comes closest, but one
> domain is still designated "the domain being shadowed" and the others
> are "shadows" of it.
>
>
There was a suggestion I raised earlier, for a method similar to, but
significantly different from, shadow zones...

(Given the volume of discussions, it's easy to miss new ideas or solutions.)

The idea doesn't specifically require any changes to the protocol, only to
the implementation methods.

It involves the idea of the equivalent to a "hard link" in the filesystem
analogy (an analogy which quickly breaks down, unfortunately).

The basic issues with [bcd]name et al, are that they are "client-side"
aliasing. The resolver sees the [bcd]name (or in some cases a synthesized
*name), and chases that down.

The idea of hard-linking zones, involves having the "server-side" being
aware of the aliasing, and in fact literally hard-linking zone data.

Given two names to resolve, foo.ex1.example.com and foo.bar.ex2.example.com,
we want to have zone "foo" underneath ex1.example.com be linked (and thus
identical) to "foo" underneath bar.ex2.example.com.

On the "upstream" side, the delegations for both ex1.example.com and
bar.ex2.example.com, point to the same NS set. They are ordinary, regular
delegations (optionally with suitable DNSSEC stuff like DS et al.)

The "magic" happens on the nameservers in that NS set. The nameservers serve
up data which is not only identical, but literally linked (e.g. using
pointers to the same data structure, from the different zone names). The
linking avoids the need to maintain duplicate data, and the corresponding
size bloat (exponentiation is not your friend.)

Obviously, some implementations would need slightly non-trivial changes,
e.g. NSD having the entire answer ready-to-go; it would need to concatenate
two pieces of data (the non-unique zone "name", joined with the relative
name within the zone and the RDATA).

On the plus side (and I think this a HUGE plus, especially for the likes of
MX), the clients don't need to be changed, and in fact are compatible back
to the earliest implementations, as far as I can tell. If they understand
zone delegation, it works for them.

The down side is that some new logic is likely needed to allow DNSSEC
signing to not require signatures from all possible SEP (secure entry point)
signer names for a given zone. Perhaps allowing for "null" values of signer?
I'm not sure what implications this has on the relative strength of signing,
or other aspects of keys/signing/etc. Unchanged DNSSEC behaviour is unclear
to me - I suspect "insecure" rather than "bogus", which I think is pretty
reasonable.

The DNSSEC issue is a potential can of worms, but the length of the tail
(i.e. number and age of DNSSEC validators, vs number and age of DNS
resolvers) is significantly shorter, and arguably leads to easier
justification to incorporating this method as ONE of the methods to
consider.

IMHO, we don't need to go either/or on these ([BCD]name, shadows,
hard-links), as long as some combination of the methods available are able
to meet all the requirements we have identified.


> Some of the folks who have contributed to this discussion as it's
> evolved to this point have some convincing arguments that a
> "requirement for complete interchangeability" can't be met in the
> current DNS or, depending on how it's stated, at all. Let's be careful
> with this one.
>
>
Agreed - but let's also give thought to exploring methods that can provide
complete interchangeability, if/when we identify them.

Brian

v2.23.0 | Report a Bug | By Email