Re: [DNSOP] CSYNC. Or CDS. Or something completely different.
Mark Andrews <marka@isc.org> Thu, 07 November 2013 01:09 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC74711E81C0 for <dnsop@ietfa.amsl.com>; Wed, 6 Nov 2013 17:09:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.179
X-Spam-Level:
X-Spam-Status: No, score=-3.179 tagged_above=-999 required=5 tests=[AWL=-0.580, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6iMjbtbXfx2f for <dnsop@ietfa.amsl.com>; Wed, 6 Nov 2013 17:09:07 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 73B0D11E816D for <dnsop@ietf.org>; Wed, 6 Nov 2013 17:09:07 -0800 (PST)
Received: from mx.pao1.isc.org (localhost [127.0.0.1]) by mx.pao1.isc.org (Postfix) with ESMTP id 44B79C94B1; Thu, 7 Nov 2013 01:08:54 +0000 (UTC) (envelope-from marka@isc.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=dkim2012; t=1383786547; bh=Su/rSaHXb8pD/8Jz+aa7kR1YyiWlbyMo4/452F480IU=; h=To:Cc:From:References:Subject:In-reply-to:Date; b=uJAA/TBZwexBjFdkpzWKTZYjC36aTtcOldjprPxhVzkNxD5HBgeMQx7AwteSn6lbM IGEo/aaPU1QpTCzdGHkn9KK1lYm+EcxtRPOQOMpLDdf4yBMByr4qDqVabfu58EPEfO 2gkn+2OBcIZN3RbGyA5q2QoS6WIHKTrzNULqWUbk=
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP; Thu, 7 Nov 2013 01:08:54 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 8E8B9160470; Thu, 7 Nov 2013 01:14:43 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 5D9EF1603E9; Thu, 7 Nov 2013 01:14:43 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 4340D9A372B; Thu, 7 Nov 2013 12:08:51 +1100 (EST)
To: Matthijs Mekking <matthijs@nlnetlabs.nl>
From: Mark Andrews <marka@isc.org>
References: <527A17A6.3050400@nlnetlabs.nl>
In-reply-to: Your message of "Wed, 06 Nov 2013 11:19:18 +0100." <527A17A6.3050400@nlnetlabs.nl>
Date: Thu, 07 Nov 2013 12:08:51 +1100
Message-Id: <20131107010851.4340D9A372B@rock.dv.isc.org>
X-DCC--Metrics: post.isc.org; whitelist
Cc: 'IETF DNSOP WG' <dnsop@ietf.org>
Subject: Re: [DNSOP] CSYNC. Or CDS. Or something completely different.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2013 01:09:11 -0000
In message <527A17A6.3050400@nlnetlabs.nl>, Matthijs Mekking writes: > Hi, > > In yesterday's meeting, it was not clear to everyone why there are two > approaches to synchronize records between child and parent. Also, a > "new" approach by Mark was being discussed, doing the synchronization > with an UPDATE message. It was obvious when UPDATE was being developed. What was hard was getting past the stupid reaction that sending a UPDATE request to a Registry controlled devices violates the RRR arrangments even if the change is authorised by the Registrar as it is the Registrant communicating the the Registry. Guess what every time the Registrant does a DNS lookup in the Registry zone it is talking directly with the Registry. All the scraping etc. is a reaction to that. > First of all, Mark's approach is not new, this has already been > discussed in 2010 [1] [2]. At that time, people thought this would not > fit in the traditional RRR model, but I feel that consensus has shifted > now, probably because the use cases became more clear (thanks Paul!) [3] > [4]. > > Also, back then there was more merit for a pull strategy (like CDS) than > a push strategy, mainly because of scaling concerns with the push strategy. > > I am very much in favor of having CSYNC to announce what RRtypes to > synchronize and use CDS (or CDNSKEY) to announce the data for Delegation > Signer synchronization. CSYNC only is not enough for DS/DNSKEY > synchronization: > > 1. > CSYNC's way of doing DS/DNSKEY synchronization is complex. That is > because there are many corner cases. I like simple. CDS is simple ("copy > this"). Now that might not be a good reason for having a separate > solution for DS/DNSKEY syncing. Or maybe it is? Anyway, there's more: > > 2. > CSYNC cannot handle the use case where the child announces the digest > algorithm (what CSYNC can do is announce that there is a CDS (or > CDNSKEY) record that needs to be dealt with). > > 3. > With CDS, you can support all kinds of rollovers, like Double-DS > (pre-publish DS, swap DNSKEY if old DS RRset has expired from all > caches). How would you do Double-DS with CSYNC only? > > 4. > Last but not least, I really appreciate the argument that Joe Abley made > yesterday: with CDS it is very clear what the intentions of the child > zone are, providing a sort of audit-trail that can be used for example > for monitoring (sorry if I misquote you, I don't remember your exact > words, it was quite late in my time zone). This is something CSYNC also > cannot do without additional RRtypes. > > > I hope this helps in understanding why we have CSYNC and CDS (not one or > the other). > > Best regards, > Matthijs > > > [1] http://datatracker.ietf.org/doc/draft-mekking-dnsop-auto-cpsync/ > [2] http://tools.ietf.org/wg/dnsop/minutes?item=minutes78.html > [3] > http://datatracker.ietf.org/doc/draft-wouters-dnsop-secure-update-use-cases/ > [4] http://tools.ietf.org/wg/dnsop/minutes?item=minutes-84-dnsop.html > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] CSYNC. Or CDS. Or something completely di… Matthijs Mekking
- Re: [DNSOP] CSYNC. Or CDS. Or something completel… Mark Andrews
- Re: [DNSOP] CSYNC. Or CDS. Or something completel… Joe Abley
- Re: [DNSOP] CSYNC. Or CDS. Or something completel… Edward Lewis
- Re: [DNSOP] CSYNC. Or CDS. Or something completel… Tim Wicinski
- Re: [DNSOP] CSYNC. Or CDS. Or something completel… Mark Andrews