Re: [DNSOP] call for adoption: draft-vandergaast-dnsop-edns-client-subnet
Marcus Grando <marcus@sbh.eng.br> Thu, 12 February 2015 16:44 UTC
The question about whitelist is the problem. I think it needs to be addressed in this doc. There are some approaches, like Google does, doing low-rate ECS queries: https://groups.google.com/forum/#!topic/public-dns-announce/67oxFjSLeUM

Or something not so traditional like a TXT record on the domain record, or hostname based like "ns1.ECS.domain.tld". It's not a clean way, but it can optimize latency and can address problems like keeping approved domains in memory or saving them on disk.

It's almost impossible for authoritative guys to guess each resolver that supports ECS. It needs to be automatic.

The other side of this problem is about resources of the DNS resolver. If more domains enable ECS, it can increase exponentially the memory usage keeping the approved list and the cache itself. With this, the minimum netmask will be extremely important.

I don't know if it's a good idea to fix the limit of how many different answers one authoritative can emit. This can be a problem.

It's clear for everyone that it's much easier to implement this on the authoritative side than the resolver side, so it needs to be clear and easy for both sides.

Best regards

> On 12Feb15, George Michaelson allegedly wrote:
> > we've got two agencies who do DNS, and probably have > 20% worldwide
> > eyeball share in DNS (I don't know, that's a guesstimate) now doing
> > edns0_client_subnet albeit with whitelist, so it's a permit-list, but it's
> > functionally 'there'
>
> Whitelists are my biggest bugbear actually. All my other comments are
> nice-to-haves. I hear that Google now adaptively whitelists which is a
> nice strategy but I'd really like to see the whitelist approach
> deprecated as much as possible. (And yes, I understand MarkA's stats
> that show some small percentage of auth queries will break).
>
> I've been in other conversations lately where it was all about how do
> we get "pick some larger resolver" to whitelist us? We all know that
> doesn't scale. So interest appears to be growing.
>
> > It's probably already more widely deployed than IPv6...
>
> On the auth side I think you're right. It's the client side that's the
> missing link. But this is a classic alignment-of-interest problem. The
> relatively small number of auths who care implement, but there is
> little incentive on the resolver side.
>
> Mark.

--
Marcus Grando
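The resolver-memory point above (more ECS-enabled zones multiply cache entries, so the minimum netmask matters) as an added illustration; this is example code, not part of the original message or of any resolver. The `EcsCache` class, the `max_source_prefix` knob, the `/24` default and the client workload are all constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Illustrative ECS-aware resolver cache (assumption: not any real resolver's design).
# Two knobs from the thread are modelled:
#   - max_source_prefix: the "minimum netmask", i.e. the longest client prefix the
#     resolver sends upstream and uses in its cache key (/24 is a common IPv4 cap);
#   - answers are keyed by the SCOPE prefix the authoritative returns, so an
#     ECS-aware zone can create one entry per distinct client prefix seen.
class EcsCache:
    def __init__(self, max_source_prefix: int = 24) -> None:
        self.max_source_prefix = max_source_prefix
        self.entries: Dict[Tuple[str, ipaddress.IPv4Network], str] = {}

    def source_prefix(self, client_ip: str) -> ipaddress.IPv4Network:
        """Truncate the client address to at most max_source_prefix bits."""
        return ipaddress.ip_network(f"{client_ip}/{self.max_source_prefix}", strict=False)

    def lookup(self, qname: str, client_ip: str) -> Optional[str]:
        """Return a cached answer whose scope covers this client's truncated prefix."""
        src = self.source_prefix(client_ip)
        for (name, scope), answer in self.entries.items():
            if name == qname and src.subnet_of(scope):
                return answer
        return None

    def store(self, qname: str, client_ip: str, scope_len: int, answer: str) -> None:
        """Cache under the returned scope, never longer than the prefix we sent."""
        src = self.source_prefix(client_ip)
        eff = min(scope_len, src.prefixlen)  # scope 0 means "same answer for everyone"
        scope = ipaddress.ip_network(f"{client_ip}/{eff}", strict=False)
        self.entries[(qname, scope)] = answer


def simulate_entry_count(max_source_prefix: int, client_count: int) -> int:
    """Constructed workload: clients spread over consecutive /24s in 10.1.0.0/16 query
    one ECS-aware name whose authoritative echoes the sent prefix as its scope."""
    cache = EcsCache(max_source_prefix)
    for i in range(client_count):
        ip = f"10.1.{i % 256}.{(i * 7) % 256}"  # constructed client addresses
        if cache.lookup("www.example.com", ip) is None:
            # authoritative returns a prefix-specific answer with scope == source prefix
            cache.store("www.example.com", ip, max_source_prefix, f"192.0.2.{i % 256}")
    return len(cache.entries)
```

Lowering the cap from /24 to /16 collapses the 256 per-/24 entries into one, which is the trade-off between answer precision and resolver memory the message describes.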