Re: [dnsext] WGLC ENDS0-bis

Florian Weimer <fw@deneb.enyo.de> Wed, 25 May 2011 17:49 UTC

Return-Path: <fw@deneb.enyo.de>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50832E06A1 for <dnsext@ietfa.amsl.com>; Wed, 25 May 2011 10:49:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZDyshdkKGBHl for <dnsext@ietfa.amsl.com>; Wed, 25 May 2011 10:49:50 -0700 (PDT)
Received: from ka.mail.enyo.de (ka.mail.enyo.de [87.106.162.201]) by ietfa.amsl.com (Postfix) with ESMTP id BD240E070A for <dnsext@ietf.org>; Wed, 25 May 2011 10:49:50 -0700 (PDT)
Received: from [172.17.135.4] (helo=deneb.enyo.de) by ka.mail.enyo.de with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) id 1QPIDL-00044f-Qc; Wed, 25 May 2011 19:49:47 +0200
Received: from fw by deneb.enyo.de with local (Exim 4.72) (envelope-from <fw@deneb.enyo.de>) id 1QPIDL-0007ei-Id; Wed, 25 May 2011 19:49:47 +0200
From: Florian Weimer <fw@deneb.enyo.de>
To: Edward Lewis <Ed.Lewis@neustar.biz>
References: <4DC94AE6.5000903@ogud.com> <878vtxku9a.fsf@mid.deneb.enyo.de> <a06240800ca007c696518@[10.31.200.118]>
Date: Wed, 25 May 2011 19:49:47 +0200
In-Reply-To: <a06240800ca007c696518@[10.31.200.118]> (Edward Lewis's message of "Mon\, 23 May 2011 17\:08\:19 -0400")
Message-ID: <87r57mwtz8.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: dnsext@ietf.org
Subject: Re: [dnsext] WGLC ENDS0-bis
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 May 2011 17:49:51 -0000

* Edward Lewis:

>>I would like to see guidance to implementors how they can actually
>>detect EDNS0 support or the lack thereof.  Alternatively, a minimum
>>level of support could be made mandatory, eventually making the
>>existing detection logic obsolete.
>
> As far as declaring "a minimum level of support": an RFC cannot say
> "you must implement me, even if you were implemented last year." That
> just doesn't work.

A vendor which errors out or drops EDNS0-enabled queries would no
longer be able to claim to implement the current version of the DNS
protocol.  It worked for HTTP/0.9 and SSLv2.  It did not work for
extended label types or RIPv1.

> For backwards compatibility, we are stuck with probing for
> functionality.  This is a weakness of the DNS architecture.

It's not an architectural problem, I think.  You could implement
pretty reliable signaling, but EDNS0 doesn't do it.  (Basically, you
need two bits, the query contains 01, and the response 10, so that you
can detect stripping and dumb reflection.)

Anyway, what I'm asking for is documentation for the probing
algorithm.  Are there existing implementations which use the presence
of DNSSEC data as an indicator for EDNS0 support, as suggested in the
draft?