Re: [DNSOP] Call for Adoption for draft-wessels-edns-key-tag

Evan Hunt <each@isc.org> Mon, 30 November 2015 18:12 UTC

Date: Mon, 30 Nov 2015 18:12:44 +0000
From: Evan Hunt <each@isc.org>
To: "Wessels, Duane" <dwessels@verisign.com>
Message-ID: <20151130181243.GA33631@isc.org>
References: <5659A1DB.5090102@gmail.com> <20151130025526.1FF813DBD937@rock.dv.isc.org> <4BDC4E85-3A98-4120-991B-EDE20E923ADD@verisign.com>
In-Reply-To: <4BDC4E85-3A98-4120-991B-EDE20E923ADD@verisign.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/-u7A5tmy0dg_D35-Kpacln65on8>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Call for Adoption for draft-wessels-edns-key-tag

On Mon, Nov 30, 2015 at 05:29:53PM +0000, Wessels, Duane wrote:
> As I've said a number of times before, the edns-key-tag proposal is modelled
> after RFC 6975, which does the same thing for algorithms.  If it works for
> algorithms why wouldn't it work for key tags?

Does it work?  Has anyone deployed 6975?  We have an experimental
implementation of it in a development branch for BIND, but we decided not
to release it because the benefits didn't seem commensurate with the extra
complexity and packet size.  I haven't checked to see whether any other
implementations are using it.

We've certainly encountered operational difficulties when sending unknown
EDNS opcodes to broken servers.  Mark has been pushing hard on this issue,
and things are getting better, but it's still a problem.

> > without needing the entire ecosystem to be upgraded
> > which this proposal requires.
> 
> I disagree with this characterization that "the entire ecosystem" needs
> to be upgraded.  Yes a non-key-tag-aware recursive won't know to forward
> the option, but this is true for all EDNS options.

But it isn't true for query names.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
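The exchange above turns on two mechanisms: how a DNSKEY key tag is derived (RFC 4034 Appendix B) and how an EDNS option rides in the OPT RR, where a recursive that does not recognise the option code simply does not forward it. The following Python is an added illustration, not code from the thread, from BIND or from the draft. It assumes option code 14 for edns-key-tag (the value assigned when the draft was published as RFC 8145; the draft under discussion had no code yet), the RFC 6975 codes 5, 6 and 7 for DAU/DHU/N3U, and a constructed four-byte "public key" that stands in for real key material.

```python
import struct

# Option codes. 5/6/7 are RFC 6975 (DAU, DHU, N3U); 14 is the edns-key-tag
# code assigned later by RFC 8145 -- assumed here, not part of the draft.
DAU, DHU, N3U = 5, 6, 7
EDNS_KEY_TAG = 14
OPT_TYPE = 41


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA, per RFC 4034 Appendix B (non-algorithm-1 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag_option(tags):
    """edns-key-tag option data: a list of 2-octet key tags."""
    return (EDNS_KEY_TAG, b"".join(struct.pack("!H", t) for t in tags))


def decode_key_tags(data: bytes):
    return list(struct.unpack("!%dH" % (len(data) // 2), data))


def build_opt_rr(options, udp_size: int = 4096) -> bytes:
    """Wire-format OPT RR: root name, type 41, CLASS=UDP size, TTL=0, RDATA of options."""
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, len(rdata)) + rdata


def parse_opt_rr(wire: bytes):
    """Parse an OPT RR back into (udp_size, [(code, data), ...])."""
    if wire[0] != 0:
        raise ValueError("OPT RR must have the root name")
    rrtype, udp_size, _ttl, rdlen = struct.unpack("!HHIH", wire[1:11])
    if rrtype != OPT_TYPE:
        raise ValueError("not an OPT RR")
    rdata = wire[11:11 + rdlen]
    options, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack("!HH", rdata[off:off + 4])
        options.append((code, rdata[off + 4:off + 4 + length]))
        off += 4 + length
    return udp_size, options


def forward_options(options, known_codes):
    """Model a recursive resolver that only forwards the EDNS options it understands.
    A query name is always forwarded; an option is not, unless the recursive knows it."""
    return [(code, data) for code, data in options if code in known_codes]


if __name__ == "__main__":
    # Constructed sample key: flags 256 (ZSK), protocol 3, algorithm 8, fake key bytes.
    tag = key_tag(dnskey_rdata(256, 3, 8, b"\x01\x02\x03\x04"))
    wire = build_opt_rr([(DAU, bytes([8, 13])), key_tag_option([tag])])
    size, opts = parse_opt_rr(wire)
    # A recursive that implements RFC 6975 but not edns-key-tag drops code 14.
    print(tag, size, forward_options(opts, {DAU, DHU, N3U}))
```

Running the block shows the key-tag option disappearing at a recursive that knows only the RFC 6975 codes, which is the asymmetry Evan points to: the query name reaches the authoritative server through any recursive, the option only through an upgraded one.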