[DNSOP] Re: draft-fujiwara-dnsop-dns-upper-limit-values
Yorgos Thessalonikefs <yorgos@nlnetlabs.nl> Wed, 10 July 2024 13:36 UTC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1jf3b1RqTbrfOsFjnydqp9jTXR0>
On 10/07/2024 15:27, Philip Homburg wrote:
> So the question becomes, do we want some limits in an RFC that everybody
> agrees on or do we want to keep the current informal system where limits
> are not fixed and people can get unlucky if they exceed limits they didn't
> know exist.

I do find the possible values in the document very strict at the moment, and maybe further categorizing by QTYPE is even stricter. For example, the KeyTrap vulnerability that is mentioned is handled by the validator logic. I don't see a reason to restrict only to 3 DSes and hinder future operations and protocol development. My first attempt would be to bring the number of RRs down to a "sensible number" rather than the current as-many-as-it-fits.

In contrast, I do think that there should be a low limit on CNAME chains and NS records, since they already allow for (resource) amplification factors that are not trivially tied to rogue users of resolvers.

In general, having limits in an RFC that people can point to goes a longer way than developers trying to argue with users, for example on what a sensible length of a CNAME chain is.

Best regards,
-- Yorgos
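The two kinds of limit contrasted in the message above, a hard cap that rejects a response and a soft cap that trims it to a "sensible number", as an added toy illustration. This is not code from Unbound, from the draft, or from any real resolver; the zone data, owner names and limit values are constructed for the example, except for the 3-DS figure quoted from the thread.

```python
# Added illustration of resolver-side upper limits; not code from Unbound,
# the draft, or any real resolver. Zone data and limit values are constructed,
# except the "3 DSes" figure quoted from the thread.
from dataclasses import dataclass


@dataclass
class Limits:
    max_cname_chain: int = 8          # constructed value
    max_ns_per_delegation: int = 13   # constructed value
    max_ds_per_rrset: int = 3         # the "3 DSes" figure mentioned in the thread


class LimitExceeded(Exception):
    """A response would push the resolver past a configured limit."""


# Constructed zone data: owner name -> list of (rrtype, rdata) pairs.
ZONE = {
    "a.example.": [("CNAME", "b.example.")],
    "b.example.": [("CNAME", "c.example.")],
    "c.example.": [("A", "192.0.2.1")],
    "loop1.example.": [("CNAME", "loop2.example.")],
    "loop2.example.": [("CNAME", "loop1.example.")],
    "delegated.example.": [("NS", f"ns{i}.delegated.example.") for i in range(20)],
    "signed.example.": [("DS", f"12345 13 2 {i:064x}") for i in range(5)],
}


def follow_cname_chain(zone, qname, limits):
    """Follow CNAMEs from qname; return (final owner name, chain length).

    Raises LimitExceeded when the chain would exceed limits.max_cname_chain
    or when a loop is detected, so a single query cannot drive unbounded
    resolver work (the amplification the message is concerned with).
    """
    seen = []
    name = qname
    while True:
        target = next((rd for rt, rd in zone.get(name, []) if rt == "CNAME"), None)
        if target is None:
            return name, len(seen)
        if name in seen:
            raise LimitExceeded(f"CNAME loop at {name}")
        if len(seen) + 1 > limits.max_cname_chain:
            raise LimitExceeded(f"CNAME chain longer than {limits.max_cname_chain}")
        seen.append(name)
        name = target


def cap_rrset(rrset, rrtype, limit, strict):
    """Apply an upper limit to the records of one type in an RRset.

    strict=True rejects the RRset outright; strict=False keeps the first
    `limit` records, which is the "bring it down to a sensible number"
    alternative for NS fan-out.
    """
    records = [rd for rt, rd in rrset if rt == rrtype]
    if len(records) <= limit:
        return records
    if strict:
        raise LimitExceeded(f"{len(records)} {rrtype} records exceed limit {limit}")
    return records[:limit]


def hits_limit(fn, *args):
    """True if fn(*args) is stopped by a configured limit (helper for checks)."""
    try:
        fn(*args)
    except LimitExceeded:
        return True
    return False


if __name__ == "__main__":
    limits = Limits()
    print(follow_cname_chain(ZONE, "a.example.", limits))
    print(hits_limit(follow_cname_chain, ZONE, "loop1.example.", limits))
    print(len(cap_rrset(ZONE["delegated.example."], "NS",
                        limits.max_ns_per_delegation, False)))
    print(hits_limit(cap_rrset, ZONE["signed.example."], "DS",
                     limits.max_ds_per_rrset, True))
```

The `strict` flag is the design choice the thread is debating: a strict DS cap is the kind of fixed value a validator can point to, while trimming NS records to the first few keeps a delegation usable without letting one referral fan out into unbounded work. Which types get which treatment, and the numbers themselves, are exactly what an RFC would have to pin down.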