Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt
Michael Casadevall <michael@casadevall.pro> Mon, 26 March 2018 15:33 UTC
Return-Path: <michael@casadevall.pro>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 514FE1277BB for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 08:33:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.424
X-Spam-Level: *
X-Spam-Status: No, score=1.424 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_SBL_CSS=3.335, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZHqWpWzOsBti for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 08:33:48 -0700 (PDT)
Received: from casadevall.pro (casadevall.pro [IPv6:2600:3c00::f03c:91ff:febb:64e9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13447129C51 for <dnsop@ietf.org>; Mon, 26 Mar 2018 08:33:48 -0700 (PDT)
Received: from [192.168.2.2] (cpe-68-174-119-246.nyc.res.rr.com [68.174.119.246]) by casadevall.pro (Postfix) with ESMTPSA id 48A311F81B for <dnsop@ietf.org>; Mon, 26 Mar 2018 15:33:47 +0000 (UTC)
To: dnsop@ietf.org
References: <7CF21F70-9419-4D6A-B555-FC229F90E8A9@isc.org> <5AB546CB.3030408@redbarn.org> <CCAE4014-67F8-4E73-A893-AA06B83E880B@isc.org> <20180324124958.GA29255@puck.nether.net> <CAJhMdTPRn=mUQ6xh_HFdFLBk109b_M2+saS86KFxsttb8_oVvw@mail.gmail.com> <20180325080558.GA18671@isc.org> <066C83F5-5E1C-4DF8-8D45-A7E9F3A44673@vpnc.org> <DCE31CFA-534E-451F-B743-E022F62C7516@isc.org> <20180326124544.GA32080@isc.org> <552cfda4-572b-7c88-b5b8-0cda5c49e2fd@casadevall.pro> <20180326145729.GA35023@isc.org>
From: Michael Casadevall <michael@casadevall.pro>
Message-ID: <446d939d-5353-2f31-3b3f-7097e2c13a54@casadevall.pro>
Date: Mon, 26 Mar 2018 11:33:50 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <20180326145729.GA35023@isc.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4_GbH7TqiWithAD8O-d4kVNoYKE>
Subject: Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 15:33:49 -0000
On 03/26/2018 10:57 AM, Evan Hunt wrote: >>> 2. responders SHOULD NOT compress rdata when rendering obsolete/deprecated >>> type records to wire format. >>> >> >> The problem here is that right up until the point the camel declares >> these RRtypes dead, the specification specifically allows them to be >> compressed. > > But it's always allowed them not to be compressed, too. The trouble > PowerDNS had was because it wasn't expecting compression, but I would > expect the opposite problem (failing because something *didn't* compress) > to be rarer. > Right, it just happens the DNS compression is common. RFC 3597-compliant resolvers will just take whatever blob they get and kick it along. Anything with specific support for these types realistically are going to support the uncompressed variants limiting interop issues. >> 1. Authoritative servers SHOULD warn when loading zones with obsolete >> record types >> >> 2. Resolvers MUST never send obsolete RRtypes in a compressed format. > > Problem here: If the resolver is treating the record as opaque, then it > can only send it along in whatever format it was received in, so this > requirement doesn't work as written. But I think what you mean is that > even if the resolver is able to parse compressed rdata, it MUST NOT > compress when sending the answer along to its own client. This is > re-stated in point 5, below. > Ah, misthink. You got my intent right, but it should be specifically written as such. 2. Resolvers MUST never generate obsolete RRtypes in a compressed format. If (in line with below) the resolver receives a record in compressed form, it MUST be decompressed before being sent to downstream resolvers as though. Resolvers SHOULD warn that they are unpacking records in transit. How's that sound? I'm still somewhat iffy on my understanding of DNSSEC RRSIG canonical forms, but if I understood the RFCs correctly, the uncompressed record should match the canonical form the RRSIG validates against to which in turn is identical to RFC 3597 (aside from WKS, although RFC 2136 suggests it only applies in the case of DNS update and not validation) It specifically states you're allowed to understand, but thou must not speak. If there's a DNSSEC concern, it should be noted though I don't think it's a showstopper in and of itself. As previously stated, I very much doubt these records are commonly if ever signed. >> 3. Signers MUST treat rdata as opaque >> >> 4. Obsolete RRtypes MUST never be treated as a known-type with respect >> to the wire protocol >> >> 5. Resolvers MAY support legacy compression for received data for >> backward compatibility if desired, but SHOULD warn if such information >> is received. Compressed records MUST never be re-transmitted. > > You use MUSTs where I used SHOULDs, but I think we're both pointing > in the same direction. > My thought process here with MUST is we're basically saying that compressing these types is no longer valid behavior. You can understand it for backwards compatibility, but if you're compliant with this new RFC, you're basically asserting you will not generate compressed responses. It also somewhat aids the process of the special case disappearing from the internet. I see no reason why we should allow them unless someone can come up with an actual usecase (I haven't had a chance to read RFC 2136 in-depth but it looks like it should work just fine with uncompressed records). Michael
- [DNSOP] Fwd: New Version Notification for draft-s… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Martin Hoffmann
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… P Vix
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] Fwd: New Version Notification for dra… Jared Mauch
- Re: [DNSOP] Fwd: New Version Notification for dra… Joe Abley
- Re: [DNSOP] Fwd: New Version Notification for dra… Jim Reid
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Viktor Dukhovni
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Paul Hoffman
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] Fwd: New Version Notification for dra… Tony Finch
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Michael Casadevall
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Jim Reid
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-su… Michael Casadevall
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-su… Richard Gibson
- Re: [DNSOP] New Version Notification for draft-su… Michael Casadevall
- Re: [DNSOP] New Version Notification for draft-su… Dick Franks
- Re: [DNSOP] New Version Notification for draft-su… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-su… Dick Franks
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Robert Edmonds
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-su… william manning
- Re: [DNSOP] New Version Notification for draft-su… william manning
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý