Re: [dnsext] Advice sought on DNS file format for new RRs

Phillip Hallam-Baker <hallam@gmail.com> Fri, 19 November 2010 23:55 UTC

In-Reply-To: <4CE6FB61.8000009@ogud.com>
References: <AANLkTimBPLaFZQSbx8W7Dwy0r9SzHsrV-rA9yQU83sZw@mail.gmail.com> <20101119124127.GB8050@shinkuro.com> <AANLkTimX06RCm6_FJSe1mZ5nOi3OTRhh-1QGOtttPpR9@mail.gmail.com> <20101119181144.GK8050@shinkuro.com> <AANLkTi=SYFxL+n+9WuseT+xsWHSzjxatOH2FUX9P2iQq@mail.gmail.com> <4CE6E1F4.4070400@isc.org> <AANLkTimcWPFi7Q1np4JtAe2ozAWdB0oTUtGKJ53JoXBh@mail.gmail.com> <4CE6FB61.8000009@ogud.com>
Date: Fri, 19 Nov 2010 18:56:12 -0500
Message-ID: <AANLkTinKyvq8NpZcFAzaPvrbm=CZ2HY-TCj4Sf+KRV5s@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Olafur Gudmundsson <ogud@ogud.com>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Advice sought on DNS file format for new RRs

On Fri, Nov 19, 2010 at 5:34 PM, Olafur Gudmundsson <ogud@ogud.com> wrote:

> On 19/11/2010 4:50 PM, Phillip Hallam-Baker wrote:
>
>> Thanks,
>>
>> The records are independent of each other. Each record specifies one
>> Authorization Entry, and the set of RRs makes up an Authorization Set,
>> similar to an ACL but a set, not a list.
>>
>> We did have a concern raised about the possibility that an RR set would
>> become fragmented and a relying party might only get some of the
>> records. In other words, there are 5 CAA records in a domain and the
>> resolver only caches 3. Would this really be an issue? I would have
>> thought not, since signatures are over the full RR set.
>>
>>
> Impossible; DNS caches store either all or none.


That was my belief, but I wanted to check.



>> What I am trying to do at this stage is to work out what the range of
>> options is here. I see the following choices:
>>
>> 1) Binary encoding with potentially different data types depending on
>> the sub tag.
>>
>> CAA   policy <oid> | path <base64> | critical <string>
>>
>> 2) Binary encoding with a uniform data structure like in the CERT tag:
>>
>> CAA <tag> <critical flag> <base64>
>>
>> 3) TXT style encoding in the manner of DKIM
>>
>> CAA <tag> <TXT data>
>>
>>
>>
> You are still confusing DNS wire format and DNS presentation format.
>

No I understand the difference.

The constraint here is that if I have a complex binary format, then DNS
servers are going to have to be able to parse a correspondingly complex
syntax to encode the data. That may not be desirable.


> Wire format is always binary, i.e. all base64 blocks are translated to
> 8-bit binary, text blocks are translated to a special text format, etc.
>

That is not the case in DKIM.

In DKIM the key blobs are encoded in base64 and that is how the data is
stored in the DNS TXT record.



> Format 1 is fine if the records are dependent on each other (i.e. atomic).
> If the records are independent subsets you should use different types. Every
> time DNS has started using sub-typing we have run into problems.
>

The TXT approach appears to work in DKIM because the records in question do
not affect the operation of DNS itself.


-- 
Website: http://hallambaker.com/
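As an added example, not code from either participant in this thread, the following Python models the distinction Olafur draws between presentation format and wire format, applied to option 2 above (`CAA <tag> <critical flag> <base64>`). The wire layout is an assumption chosen for illustration: a flags octet whose top bit carries the critical flag, a one-octet tag length, the tag, then the raw value octets. The point it makes concrete is that the base64 in the zone file is decoded before anything goes on the wire, whereas a DKIM-style TXT record carries the base64 text itself, length-prefixed as `<character-string>`s. It also shows the set semantics of an RRset by producing the canonical ordering (sort by RDATA octets, as a DNSSEC signer does) with duplicates dropped. All function names are the example's own.

```python
"""Presentation vs wire format for a CERT-style 'CAA <tag> <critical> <base64>' RR.

Added example for the thread, not a spec. Assumed wire RDATA layout:
  flags (1 octet, bit 7 = critical) | tag length (1 octet) | tag | value octets
The TXT encoder uses the standard TXT RDATA layout: one or more
length-prefixed <character-string>s of at most 255 octets each.
"""
import base64
import struct

MAX_RDATA = 65535      # RDLENGTH is a 16-bit field
CRITICAL_FLAG = 0x80   # assumed position of the critical bit


def parse_presentation(text: str):
    """Parse 'CAA <tag> <critical flag> <base64>' into (tag, critical, value_bytes)."""
    fields = text.split()
    if len(fields) != 4 or fields[0].upper() != "CAA":
        raise ValueError("expected: CAA <tag> <critical flag> <base64>")
    _, tag, crit, b64 = fields
    if not (tag.isascii() and tag.isalnum()):
        raise ValueError("tag must be ASCII alphanumeric")
    if crit not in ("0", "1"):
        raise ValueError("critical flag must be 0 or 1")
    # base64 exists only in the presentation format; reject sloppy input
    # rather than silently decoding garbage into the zone.
    value = base64.b64decode(b64, validate=True)
    return tag, crit == "1", value


def encode_caa_rdata(tag: str, critical: bool, value: bytes) -> bytes:
    """Build wire RDATA: raw octets only, no base64 survives here."""
    tag_bytes = tag.encode("ascii")
    if not 1 <= len(tag_bytes) <= 255:
        raise ValueError("tag length must fit in one octet")
    flags = CRITICAL_FLAG if critical else 0
    rdata = struct.pack("!BB", flags, len(tag_bytes)) + tag_bytes + value
    if len(rdata) > MAX_RDATA:
        raise ValueError("RDATA exceeds 65535 octets")
    return rdata


def decode_caa_rdata(rdata: bytes):
    """Inverse of encode_caa_rdata, with bounds checks a resolver would need."""
    if len(rdata) < 2:
        raise ValueError("truncated RDATA")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("tag length inconsistent with RDATA length")
    tag = rdata[2:2 + tag_len].decode("ascii")
    return tag, bool(flags & CRITICAL_FLAG), rdata[2 + tag_len:]


def to_presentation(tag: str, critical: bool, value: bytes) -> str:
    """Render wire data back to the zone-file form; base64 reappears only here."""
    return f"CAA {tag} {1 if critical else 0} {base64.b64encode(value).decode('ascii')}"


def encode_txt_rdata(text: str) -> bytes:
    """TXT RDATA: the text (base64 included) stays text, split into <=255-octet strings."""
    data = text.encode("ascii")
    out = b""
    for i in range(0, len(data), 255):
        chunk = data[i:i + 255]
        out += bytes([len(chunk)]) + chunk
    return out


def canonical_rrset(rdatas):
    """An RRset is a set: order by RDATA octets (as a DNSSEC signer does) and drop duplicates.

    Python's bytes ordering matches the left-justified octet comparison used
    for canonical RR ordering (a shorter prefix sorts first).
    """
    return sorted(set(rdatas))


if __name__ == "__main__":
    # Constructed sample records, not taken from any real zone.
    zone_lines = ["CAA path 1 AQID", "CAA policy 0 AQ=="]
    parsed = [parse_presentation(line) for line in zone_lines]
    wire = [encode_caa_rdata(*p) for p in parsed]
    for line, rd in zip(zone_lines, wire):
        print(f"{line!r:28} -> wire {rd.hex()} -> {to_presentation(*decode_caa_rdata(rd))!r}")
    print("TXT keeps base64 as text:", encode_txt_rdata("v=DKIM1; p=AQID"))
    print("canonical RRset:", [rd.hex() for rd in canonical_rrset(wire + [wire[0]])])
```

Running the block shows the same record in all three forms; the TXT line is the one case where the octets on the wire still contain the literal base64 characters, which is the behaviour Phillip describes for DKIM and the behaviour Olafur's "always binary" remark excludes for a purpose-built type.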