Re: [DNSOP] Request reviews of catalog zones draft (draft-muks-dnsop-dns-catalog-zones-01)
Tony Finch <dot@dotat.at> Mon, 13 June 2016 17:04 UTC
Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC5FB12D898 for <dnsop@ietfa.amsl.com>; Mon, 13 Jun 2016 10:04:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VXAEsMqy7Rxe for <dnsop@ietfa.amsl.com>; Mon, 13 Jun 2016 10:04:04 -0700 (PDT)
Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6053C12D63B for <dnsop@ietf.org>; Mon, 13 Jun 2016 10:04:04 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:46362) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1bCVHO-000LyJ-1j (Exim 4.86_36-e07b163) (return-path <dot@dotat.at>); Mon, 13 Jun 2016 18:04:02 +0100
Date: Mon, 13 Jun 2016 18:04:02 +0100
From: Tony Finch <dot@dotat.at>
To: Mukund Sivaraman <muks@mukund.org>
In-Reply-To: <20160613141624.GC30965@jurassic.l0.malgudi.org>
Message-ID: <alpine.DEB.2.11.1606131615580.31104@grey.csi.cam.ac.uk>
References: <20160613135227.12466.44790.idtracker@ietfa.amsl.com> <20160613141624.GC30965@jurassic.l0.malgudi.org>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4zTzIjN4K9WCa6u5PKtNS5BN0tI>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Request reviews of catalog zones draft (draft-muks-dnsop-dns-catalog-zones-01)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2016 17:04:06 -0000
I'll start by saying that I have not tried out catalog zones properly yet.
This review is from the point of view of how I currently manage my
configurations.
(Aside: there should probably be a copy of the draft in the BIND
distribution in doc/draft/.)
There is a lot of TBD in this draft which makes it hard to give a
meaningful review.
There's a big section mapping abstract configuration to DNS master file
syntax, which seems OK.
However, there doesn't seem to be anything about what member zone
properties are available and what they mean - I would expect them to be in
section 2.9 but that is almost empty.
There's a bit more in the latest BIND 9.11 ARM. This amounts to being able
to set the default-masters server addresses in named.conf, which can be
overridden by a global masters setting inside the catalog zone, which can
be overridden by per-member-zone masters settings.
(Aside: the BIND 9.11 release notes refer to chapter 9 of the ARM which I
think should be section 4.14.)
In my current configuration I have a two-level setup: the automatically
managed zone configuration (which would ideally be one or more catalog
zones in the future), and some more hands-on config for things like ACLs
and lists of masters. The zone configs just use names, e.g.
zone cam.ac.uk {
type slave; file "/zone/cam.ac.uk";
masters { master-ipreg; };
allow-transfer { secondaries; };
allow-query { any; };
also-notify { notify-isc; };
};
The relevance for catalog zones is that indirect ACLs with names make it
easy to support secure zone transfer of the catalog zone without exposing
the TSIG keys used by the member zones. And using names for the other
settings gives us a sort of templated zone config.
For instance, for my public zones on my authoritative servers, the
allow-transfer ACL includes our local IP addresses, and TSIG keys for
ic.ac.uk and isc.org; if we could all use the same catalog zone then
ic.ac.uk could define their version of my ACL as "none" and isc.org could
define it to cover their anycast cloud.
... Having written that I have second thoughts because the coupling
between ACL names and third-party catalog zone contents is probably a
really bad idea :-)
Maybe for my own cluster I want really rich catalog zones, but if I'm
slaving a catz from a third party I want the member zone configurations to
be firmly pinned down.
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Fisher: East 4 or 5, occasionally 6 later. Slight or moderate. Showers. Good,
occasionally poor.
- [DNSOP] Request reviews of catalog zones draft (d… Mukund Sivaraman
- Re: [DNSOP] Request reviews of catalog zones draf… Tony Finch