Re: [dnsext] DNS-AS RRTYPE PARAMETER ALLOCATION
"Wolfgang Riedel (wriedel)" <wriedel@cisco.com> Sat, 13 February 2016 20:36 UTC
Return-Path: <wriedel@cisco.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6C031A7013 for <dnsext@ietfa.amsl.com>; Sat, 13 Feb 2016 12:36:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.806
X-Spam-Level:
X-Spam-Status: No, score=-13.806 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_I_LETTER=-2, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fizRxFmbGErj for <dnsext@ietfa.amsl.com>; Sat, 13 Feb 2016 12:36:41 -0800 (PST)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C4991A1AB3 for <dnsext@ietf.org>; Sat, 13 Feb 2016 12:36:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=24772; q=dns/txt; s=iport; t=1455395801; x=1456605401; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=M4Zre4w66sk4oaiGdGcH2kzUY+krGUQJElx1ZqhQi2Q=; b=JkhV5EJvNsGELQKp6zKGNFQx0VQHKwt291i8/zDX8nDfr6u9gL3ATpo6 ssWEfycTSX281E+m2IpaRlvJrmhbngG30tI/DNVYHT+TJrfGqE1m8epPi JeFh2MIcP1Y4ttUNSff5slkw7sTlR13WCa2a+4UHfnP/RYoru+At7VACo o=;
X-Files: signature.asc : 872
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C/AgDWkr9W/5hdJa1UCoJuTFJtBrd9ghMOgWcZhXQCgSg4FAEBAQEBAQGBCoRBAQEBAwEjSA4FCwIBCBggCgICMiUCBA4FDgYLh3MIrDuOQgEBAQEBAQEBAQEBAQEBAQEBAQEBAQ0IhhGBa4JKhAgSVoJCK4EPBYdVhVKFR4QLAYMAgWRqiAaBXIRDiFWOPQEPDwFDg2NqiTV8AQEB
X-IronPort-AV: E=Sophos;i="5.22,442,1449532800"; d="asc'?scan'208,217";a="238045796"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Feb 2016 20:36:40 +0000
Received: from XCH-RCD-010.cisco.com (xch-rcd-010.cisco.com [173.37.102.20]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id u1DKadIT024899 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 13 Feb 2016 20:36:40 GMT
Received: from xch-rcd-008.cisco.com (173.37.102.18) by XCH-RCD-010.cisco.com (173.37.102.20) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Sat, 13 Feb 2016 14:36:39 -0600
Received: from xch-rcd-008.cisco.com ([173.37.102.18]) by XCH-RCD-008.cisco.com ([173.37.102.18]) with mapi id 15.00.1104.009; Sat, 13 Feb 2016 14:36:39 -0600
From: "Wolfgang Riedel (wriedel)" <wriedel@cisco.com>
To: Ray Bellis <ray@bellis.me.uk>
Thread-Topic: DNS-AS RRTYPE PARAMETER ALLOCATION
Thread-Index: AQHRY/5NTWKudmU6QEKjV5II8zU5uZ8q2Q6A
Date: Sat, 13 Feb 2016 20:36:38 +0000
Message-ID: <DFB4B3AE-596E-45F5-A2E8-58620BD53FE0@cisco.com>
References: <56BB2C7E.2000206@bellis.me.uk>
In-Reply-To: <56BB2C7E.2000206@bellis.me.uk>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.60.215.77]
Content-Type: multipart/signed; boundary="Apple-Mail=_F8EDD7BC-C6D6-410A-8E5F-90BE60FCDC47"; protocol="application/pgp-signature"; micalg="pgp-sha512"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/tB7JPW6gZvB7lFk4FDdZwa4fu2s>
X-Mailman-Approved-At: Sat, 13 Feb 2016 13:42:04 -0800
Cc: "dnsext@ietf.org" <dnsext@ietf.org>
Subject: Re: [dnsext] DNS-AS RRTYPE PARAMETER ALLOCATION
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Feb 2016 20:36:44 -0000
Hi Ray, may thanks for your reply. I consultant with some colleagues and were good with filing a new request and replace the mnemonic = DNSAS with mnemonic = AVC as you suggested. Also some answer to your question inline. For all other on list, if you’re looking for more details on DNS-AS please have look at http://dns.as.org Thank you, Wolfgang > On 10 Feb 2016, at 13:26PM, Ray Bellis <ray@bellis.me.uk> wrote: > > Wolfgang, > > I've been appointed as the designated expert to review your RRTYPE > application per RFC 6895. > > In principle the application is OK, and it's highly desirable that you > avoid use of TXT. > > Within my remit however I do have some concerns over the name of the RRTYPE: > > - the term "authoritative" has a particular meaning in the DNS > protocol, and "authoritative source" is a commonly used term > too. Typing "dns authoritative source" into Google already > produces 75,000 results, none that I could see relating to > your project. yes I agree and we have chosen the wording by intension to outline that we leverage the authoritative name server as a sigle source of truth for application metadata. > - using "DNS" within the RRTYPE name seems redundant - we’re already in the DNS. agree > - the letters "AS" are also commonly used to refer to a BGP "Autonomous System”. agree > [FWIW, when I first saw your requested mnemonic in the subject of your > application I was expecting to see an application for an RRTYPE to > represent a BGP AS number!] it’s not so far off given that BGP expresses routing policy intend and DNS-AS metadata for application policy intend > Also missing is any explicit statement that the intended wire and > presentation format are identical to that of a TXT record. > Consideration should also be given to what happens if the data does not > fit within a single 255 octet "character-string" sub-field. OK will adress this > Incidentally, the "CISCO-CLS=" prefix in the RDATA would appear to be > redundant when you get your own RRTYPE, and if it's expected that other > vendors would use this then I suggest that you either omit it or use > something more neutral. yes good catch and I agree and will remove this > At a higher level I have concerns about the overall use case that > should be addressed if you plan to document "DNS Authoritative Source" > in an Internet Draft (although I don't expect these to be a factor in my > decision as they're probably outside the scope of RFC 6895): at this time there are not plans to submit this as an Internet Draft > - why DNS? Readily available tool - already leveraged to identify an application by DNS-NAME > How does the client know what domain names are supposed to be looked up? it’s a function of an DNS-AS client which snoop DNS request as an trigger and raises it’s own query for a DNS-AS Resource Record to get the metadata to enforce policy later > - if the "Application Name" is the primary key, why not incorporate > that into the domain name? This ‘could be done’ - but most customers don’t or won’t always identify what application is running on a server via it’s FQDN. > - (corollary) is it expected that a client would want to (or even > be allowed to) obtain information about all known applications at > a domain with a single DNS query? there is nothing confidential inside a DNS-AS resource record. The key is that it it authoritative! > - what about DNS Security? What happens in your SDN if someone > manages to poison a record? what happens if I haven't done my homework and didn’t secure and harden my DNS infrastructure ;-) If DNS is compromised you have bigger problems than how a network element chooses mark and service (queue) for a given application... > The decision will be reached within two weeks of today, and before > approval the explicit linking to the TXT record format must be resolved. > > I urge you to reconsider your project name of "DNS Authoritative Source" > as being a clash with existing terminology. I'm not currently inclined > to reject the application on that basis of the requested DNSAS mnemonic, > but welcome community feedback on that issue. yes will file a new request for mnemonic = AVC > > kind regards, > > Ray Bellis
- Re: [dnsext] DNS-AS RRTYPE PARAMETER ALLOCATION Ray Bellis
- Re: [dnsext] DNS-AS RRTYPE PARAMETER ALLOCATION Ray Bellis
- Re: [dnsext] DNS-AS RRTYPE PARAMETER ALLOCATION Wolfgang Riedel (wriedel)
- [dnsext] Fwd: [dns-rrtype-applications] DNS-AS RR… Ray Bellis
- Re: [dnsext] [dns-rrtype-applications] "AVC" RRTY… Ray Bellis