IETF Logo Mail Archive

Re: [dnsext] Moving policy data away from DNS

Phillip Hallam-Baker <hallam@gmail.com> Mon, 27 December 2010 11:17 UTC

Return-Path: <hallam@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C1F7C3A67F6 for <dnsext@core3.amsl.com>; Mon, 27 Dec 2010 03:17:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.89
X-Spam-Level:
X-Spam-Status: No, score=-2.89 tagged_above=-999 required=5 tests=[AWL=-0.292, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VDdqA1SmdmY6 for <dnsext@core3.amsl.com>; Mon, 27 Dec 2010 03:17:30 -0800 (PST)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by core3.amsl.com (Postfix) with ESMTP id 113153A67A4 for <dnsext@ietf.org>; Mon, 27 Dec 2010 03:17:29 -0800 (PST)
Received: by yie19 with SMTP id 19so1797861yie.31 for <dnsext@ietf.org>; Mon, 27 Dec 2010 03:19:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=6k+ue8ZWrQghgumu2Knesz7jQj5ym3zdBn+DWzy5YZU=; b=RH2hqOaWlidPKUO3urBYM/bA0Zis8Yk0nYpmNGVFTYNe5p73k1w0DFiSTCOdR7Jg2i wYJlXpdsQLtPYg43bDuRpGXVBDM5Qu3PKd4dZ4Ir2FRzUXIudA6xUNk+jqmEtH0KKm0M S3uMPISHsX+AqqkHU/KIPLToajCalkMio0rHw=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=CTuz7CPE+kdsUeVx/31+ny0Ql5vnXTYYX1Pp8rTQt88UOqrXWrSagZNddoBOYeGoLs 7elvua86TSNj0EYc3Pq0LrYLIU4SE3wy9I7bnbOUSMs/nljl5EOpbjx0hOoHFlJ0cjH7 Mz7TszFLXojr9hJt6cEEUKem8QrbCOq5URGM0=
MIME-Version: 1.0
Received: by 10.100.110.16 with SMTP id i16mr6943736anc.103.1293448772541; Mon, 27 Dec 2010 03:19:32 -0800 (PST)
Received: by 10.100.31.8 with HTTP; Mon, 27 Dec 2010 03:19:32 -0800 (PST)
In-Reply-To: <4D186C11.3070306@nic.at>
References: <2E9C54A5-0E2B-4AF9-960E-CE4CA9C1A7BE@nzrs.net.nz> <p06240879c9383836c67e@10.20.30.150> <1A550BF6-9B35-4DE1-9A83-1CB486B12DA5@nzrs.net.nz> <p0624087ec93857be2a71@10.20.30.150> <A723BDAE-DC0B-43C6-B104-010A390647A6@nzrs.net.nz> <4D186C11.3070306@nic.at>
Date: Mon, 27 Dec 2010 11:19:32 +0000
Message-ID: <AANLkTinc3JofM=crDg4y+Ocj-_ftCtTUuA+V9fmR4Fgv@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Otmar Lendl <lendl@nic.at>
Content-Type: multipart/alternative; boundary="0016e645ab9a9f5c8104986282c6"
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Moving policy data away from DNS
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Dec 2010 11:17:31 -0000

The principle objection to putting policy in the DNS seems to be that doing
so represents a slippery slope and that we might end up with people putting
so much information in their DNS that it 'breaks'.

I don't see any reason that the policy information need go beyond that
needed to establish a sufficient connection to negotiate any additional
parameters that might be needed.

So it is not necessary (at present) to say anything more than 'TLS version
1.0 or better always offered, key is X' as far as TLS configuration goes
since TLS has an adequate mechanism for in-band negotiation of cryptographic
parameters once it is known that it is to be used.

It would be very easy to define a property in an extensible mechanism such
as CAA that would allow for linking to an external policy, but I absolutely
do not see any need to do so at present.


On Mon, Dec 27, 2010 at 10:36 AM, Otmar Lendl <lendl@nic.at> wrote:

> On 23.12.2010 03:45, Jay Daley wrote:
> >
> > Say I wanted to state, for host X
> > - here is how hosts that conform to Y should connect to me
> > - here is how hosts that conform to Z should connect to me
> > - here is the default how hosts should connect to me
> > - here is how I intend to connect to hosts that conform to A
> > - and so on
>
> FYI,
>
> I proposed a scheme to solve these a few years ago in the context of SIP
> peering. In hindsight, the proposal was way too ambitious to catch on in
> the speermint WG. It also relies on the DDDS, which has its own problems,
> especially the selector within the RDATA.
>
> If you want to have a look, check out
>
> http://tools.ietf.org/html/draft-lendl-domain-policy-ddds-02
> (the generic framework)
>
> http://tools.ietf.org/html/draft-lendl-speermint-federations-03
> (a use-case for federation-based SIP peering)
>
> http://tools.ietf.org/html/draft-lendl-speermint-technical-policy-00
> (a use-case similar to what you listed)
>
> There is even running code for this:
> http://www.kamailio.org/docs/modules/stable/modules_k/domainpolicy.html
> Look for "Usage Scenarios" to see some examples on what could be done with
> this approach & code.
>
> ----
>
> No, I'm not proposing that this list is taking these drafts up again. I
> just hope that they might inspire some other ideas, and if they are just
> used to fend off IPR claims in the future, I'm also satisfied.
>
> cheers,
>
> otmar
> --
> // Otmar Lendl <lendl@nic.at>, T: +43 1 5056416 - 33, F: - 933 //
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
>



-- 
Website: http://hallambaker.com/

v2.23.0 | Report a Bug | By Email