Re: [DNSOP] comments on dnsop-qname-minimisation-02
Paul Hoffman <paul.hoffman@vpnc.org> Wed, 11 March 2015 16:50 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 279281A1A75 for <dnsop@ietfa.amsl.com>; Wed, 11 Mar 2015 09:50:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RdEXRqMt_gES for <dnsop@ietfa.amsl.com>; Wed, 11 Mar 2015 09:50:10 -0700 (PDT)
Received: from proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9807C1A1A70 for <dnsop@ietf.org>; Wed, 11 Mar 2015 09:50:10 -0700 (PDT)
Received: from [10.20.30.101] (50-1-99-2.dsl.dynamic.fusionbroadband.com [50.1.99.2]) (authenticated bits=0) by proper.com (8.15.1/8.14.9) with ESMTPSA id t2BGo7k7022864 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 11 Mar 2015 09:50:08 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: proper.com: Host 50-1-99-2.dsl.dynamic.fusionbroadband.com [50.1.99.2] claimed to be [10.20.30.101]
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <20150311160258.GA524@nic.fr>
Date: Wed, 11 Mar 2015 09:50:07 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <21E44846-EAA1-4518-A4F7-20304DE78FBC@vpnc.org>
References: <CAHPuVdW6KUongqRBKE8zwK4By=ocJRpS=2MYpq1tYcPjYq6amw@mail.gmail.com> <20150311160258.GA524@nic.fr>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/-O7O6I5fbZvZfGuWTq8NLv-q1Ic>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Subject: Re: [DNSOP] comments on dnsop-qname-minimisation-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2015 16:50:15 -0000
On Mar 11, 2015, at 9:02 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: > > On Wed, Mar 11, 2015 at 12:35:29AM -0400, > Shumon Huque <shuque@gmail.com> wrote > a message of 400 lines which said: > >> Are we standardizing on the british spelling of "minimisation" in >> preference to the americanized "minimization"? > > Bikeshedding is postponed until Working Group Last Call :-) Or beyond. The RFC Editor allows both types of spelling, and they will make it consistent. >> I'd prefer the simpler "The problem statement is described in ..". >> The term "exposed" in my mind carries a more sensational connotation, >> but I might be nitpicking. > > Advice from english writers here? +1 to Shumon: "exposed" is more sensational, and not appropriate here. >> "The idea is to minimize the form of the query name sent by the >> resolver, by including only the minimum number of rightmost labels >> needed in outbound queries to authoritative servers. Additional >> labels are prepended to the query name for subsequent queries as >> responses and referrals are obtained." > > Rigorous but may be too long and convoluted? I prefer rigor, and it is not convoluted. >>> Under current practice, when a resolver receives the query >>> "What is the AAAA record for www.example.com?", it sends to the root >>> (assuming a cold resolver, whose cache is empty) the very same >>> question. >> >> "Under current practice" implies a description of what is currently >> being done before this new resolution method is introduced. When in >> fact this paragraph is describing the new method. > > No, not at all. It describes the current practice. Under the new > (qname minimisation), the resolver would send only "com" to the root. +1 to Stephane here. >>> To do such minimisation, the resolver needs to know the zone cut >>> [[54]RFC2181]. Zone cuts do not necessarily exist at every label >>> boundary. If we take the name www.foo.bar.example, it is possible >> >> This makes it sound like minimisation requires a resolver to apriori >> know the zone cuts. This is not necessarily correct. A resolver can >> learn the zone cuts in the process of adding labels and doing normal >> iterative resolution. > > Yes, it is explained later. It would be better to say "as described later" right after the reference to RFC 2181 so that the reader doesn't think "therefore I can't do this". We want the document to not only describe the practice, but also to encourage it. > >> One thing this document doesn't make clear is that the algorithm >> being presented not only minimizes the query name, but also hides >> the query type until it reaches the target zone (by using the NS >> query type rather than the actual type). > > Do note the use of NS is not mandatory. See section 3, the paragraph > starting with "Another way to deal with such broken name servers" > (which you mention later) and also section 3, 1st paragraph about the > statistics of qtypes. My strong preference is that this document only deal with qname minimization. If someone wants to extend that to qtype minimization, which covers a different threat model, that should be done in a different document. >> This should more precisely define which types of forwarders will get >> less data. I think you mean the forwarders upstream of the resolver >> performing qname minimization, rather than forwarders that might exist >> between the client and the minimizing resolver. > > They are not typically called forwarders (see the discussion about > draft-hoffman-dns-terminology) Different thread. :-) >> This suggested workaround doesn't help with all forms of broken >> servers. > > Nothing deals with all the brokenness found on the Internet. +1, and unnecessary to state. --Paul Hoffman
- [DNSOP] comments on dnsop-qname-minimisation-02 Shumon Huque
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Bob Harold
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Shumon Huque
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Stephane Bortzmeyer
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Paul Hoffman
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Shumon Huque
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Shumon Huque
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Niall O'Reilly
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Shumon Huque
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Warren Kumari
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Stephane Bortzmeyer
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Warren Kumari
- Re: [DNSOP] comments on dnsop-qname-minimisation-… Tim Wicinski