Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
Niall O'Reilly <Niall.oReilly@ucd.ie> Tue, 01 March 2011 00:37 UTC
Return-Path: <Niall.oReilly@ucd.ie>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 41DC73A6D02 for <dnsext@core3.amsl.com>; Mon, 28 Feb 2011 16:37:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9GYBhuKimTxb for <dnsext@core3.amsl.com>; Mon, 28 Feb 2011 16:37:38 -0800 (PST)
Received: from smtp.ucd.ie (mgmtirp1.ucd.ie [137.43.231.111]) by core3.amsl.com (Postfix) with ESMTP id A8DEF3A6D06 for <dnsext@ietf.org>; Mon, 28 Feb 2011 16:37:37 -0800 (PST)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApIBAGrPa01TjVE0/2dsb2JhbAAMhBzNepBkgSeBV4FtdgSPUSY
X-IronPort-AV: E=Sophos;i="4.62,244,1297036800"; d="scan'208";a="2732358"
Received: from unknown (HELO [10.0.1.177]) ([83.141.81.52]) by smtp.ucd.ie with ESMTP/TLS/DHE-RSA-CAMELLIA256-SHA; 01 Mar 2011 00:38:36 +0000
Message-ID: <4D6C3FD3.7010801@ucd.ie>
Date: Tue, 01 Mar 2011 00:37:39 +0000
From: Niall O'Reilly <Niall.oReilly@ucd.ie>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-IE.utf8; rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
MIME-Version: 1.0
To: dnsext@ietf.org
References: <20110227191542.6824.qmail@joyce.lan> <335963D7-3440-45E6-843C-38F419462792@cisco.com>
In-Reply-To: <335963D7-3440-45E6-843C-38F419462792@cisco.com>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Subject: Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasing-requirements-00.txt
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Mar 2011 00:37:44 -0000
On 27/02/11 20:08, Patrik Fältström wrote: > There are a few things I think makes this discussion hard...and that > is that the overall usability is a requirement in the usability, > manageability etc while what we talk about is "only" what we do in > DNS. What we should (and can) do in DNS must then match whatever > application layer/protocol behaviour, which in turn depends on how > the protocol works. Or, should we look at the use cases at a higher level, and identify which components, including (but not limited to) the DNS, need to be adjusted to achieve the desired result? In this case, the question becomes no longer one of matching the DNS to how the other components actually work, but to how they will work in the future to support a coherent, rather than a fragmented, "aliasing" concept. I'm pretty sure that solving "the aliasing problem", whatever it is, cannot be done by adjusting only the DNS. > What I *think* could be interesting is one of these things as very > high level issues to look at, that btw I think sort of is written in the > draft, but using DNS terminology ;-) I'm not sure quite what you're saying. Expressing higher-level issues in DNS terminology can either help us to visualize those issues, or blind us to the non-DNS aspects; perhaps both of these effects occur at the same time. > 1. Aliases > > 1.1. If we today have two delegations, we do have a risk that one of > the delegations changes holder while the other does not. Can one of the > two be an alias to the other, and the two then bundled by policy in the > registry so we absolutely know one and only one holder controls the data > for the names (plural)? > > 1.2. If we today have two delegations, synchronization of the two > delegations imply provisioning systems must place the same records in > two zones. Can we solve the problem in different ways? I believe that this is one strong attraction of the BNAME concept. Performing pseudo-delegation in parallel with traditional delegation in the parent zone leaves the registrant/deleg[at]ee with just a canonical instance of the child zone to look after. But this only applies when there is a common (bundle of) parent zone(s). So, it would work for example[+/-final_sigma+/-tonos].gr, but not for the vixie.sf.ca.us/vix.com bundle mentioned in Paul's slides of almost a year ago. That this is so is not intrinsically problematic, as the motivations are different in each case. In the .gr (also .cn, IIUC) case, the motivation appears (to me) to arise from a desire on the part of the TLD registry to provide a coherent offering to customers (registrants) in support of what might be called "naturally arising" bundles. Paul's example is rather "bottom-up" than "top-down", and is driven by the customer rather than by the provider (or the provider's politico-regulatory circumstances). > 2. Support of more application layer aliases More in terms of quantity, or just "more coherent"? > 2.1. In HTTP and a few other protocols, we have the ability to do a > redirect inside the application layer protocol itself. We do not have > that in all protocols. In other we have things like the MX records. Do > we with IDN etc need more of these, and do we need a mechanism in DNS > that "help" such redirect in a "lower" layer in the resolution algorithm? SMTP has MX; others have SRV; HTTP is an outlier in that it avoids this kind of assistance from the DNS. It's a significant and pathological outlier because of the way HTTPS works. > 2.2. When using HTTP HOST header, and SSL where the DN of the cert > is matched with the domain name used, it is kind of problematic to match > the application layer with what originally was entered by the user. Is > there some need for DNS layer aliases that changes what later is matched > in the application layer comparisons? 2.3 (?) It may be worth examining the semantics of distinct, but seductively similar, elements in different URL schemes. For example, in the "mailto:" URL scheme, there is a "domain part" which is essentially a reference to a naming authority. In contrast, the "http:" scheme uses a superficially similar component strictly as a reference to a host. This is arguably an incoherence at the semantic level between the different URL schemes which, if resolved, could eliminate the difficulty which arises today from matching the DN of the cert to the "host" component of a URL whose scheme is "http:". I'm suggesting that this incoherence should be resolved by having the application exploit already available DNS mechanisms. New DNS-layer aliasing seems to be un-necessary. Re-writing the definition of the "http" URL scheme so that not only 'http' ':' '//' host [: port] '/' ... but also 'http' ':' '//' domain-part '/' ... would be allowed, might lead to a resolution based on SRV records. I suggest that this approach is worth following, and will be no more painful than transitions we have already chosen (or been forced) to face, as between A and MX, or between A and AAAA records. If we want the omelette, we can't insist on not breaking the eggs. With this approach the DN of the SSL cert would match the target host of each SRV record. > 3. Comparison algorithm > > 3.1. We can not change the matching algorithm in DNS > > 3.2. Given we can not change the matching algorithm in DNS, do we > need something in DNS that matches some new(?) matching algorithm in the > application layer so that the two together produce the result we are after? For example, in the case where the HTTP HOST header refers to a domain-part for which the server is not configured, the server might query the DNS for a matching [BCD]NAME record, and use the URL corresponding to the corresponding canonical name (which it could cache) as the key to its document store. Alternatively, in the same circumstances, the server could send the browser a "please canonicalize" error response. Either of these approaches, if feasible, would appear to eliminate the need to pre-configure an application server for all of the potential "equivalent keys" which might appear in an incoming request. > 4. How do we ensure skilled apps people manage to work with skilled > DNS people so that the end result is optimal? (something IETF is not > always very good at...) Pass ... 8-) IHTH, but I'm not at all sure. I think we're still in a brainstorming phase, so "off-the-wall" is (so I hope) not necessarily "bad". Niall
- [dnsext] I-D Action:draft-ietf-dnsext-aliasing-re… Internet-Drafts
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Suzanne Woolf
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Ted Hardie
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Doug Barton
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Doug Barton
- Re: [dnsext] I-DAction:draft-ietf-dnsext-aliasing… George Barwood
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… John Levine
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Patrik Fältström
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Paul Hoffman
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Dan Schlitt
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Paul Vixie
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- [dnsext] How to bring discussion to a close (was:… Andrew Sullivan
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Phillip Hallam-Baker
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Phillip Hallam-Baker
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Tony Finch
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Alex Bligh
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Masataka Ohta
- [dnsext] errata on RFC1034 for recursive aliasing… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Mark Andrews
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Stephane Bortzmeyer
- Re: [dnsext] errata on RFC1034 for recursive alia… Andrew Sullivan
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Niall O'Reilly
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Andrew Sullivan
- Re: [dnsext] errata on RFC1034 for recursive alia… Paul Vixie
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Brian Dickson
- Re: [dnsext] errata on RFC1034 for recursive alia… John Levine
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- [dnsext] pricing for equivalent localized domain … Masataka Ohta
- Re: [dnsext] pricing for equivalent localized dom… John Levine
- Re: [dnsext] errata on RFC1034 for recursive alia… Brian Dickson
- Re: [dnsext] pricing for equivalent localized dom… Masataka Ohta
- Re: [dnsext] errata on RFC1034 for recursive alia… Masataka Ohta
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Brian Dickson
- Re: [dnsext] I-D Action:draft-ietf-dnsext-aliasin… Doug Barton