IETF Logo Mail Archive

Re: [DNSOP] new Resource record?

"Hosnieh Rafiee" <ietf@rozanak.com> Wed, 09 December 2015 21:00 UTC

Return-Path: <ietf@rozanak.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1C9B1A6EF1 for <dnsop@ietfa.amsl.com>; Wed, 9 Dec 2015 13:00:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSVovtfgXx_P for <dnsop@ietfa.amsl.com>; Wed, 9 Dec 2015 13:00:50 -0800 (PST)
Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C0CC1A854C for <DNSOP@ietf.org>; Wed, 9 Dec 2015 13:00:50 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id 4EA8725CA052; Wed, 9 Dec 2015 21:00:47 +0000 (UTC)
X-Virus-Scanned: amavisd-new at rozanak.com
Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HIHgtfGxYCTb; Wed, 9 Dec 2015 22:00:14 +0100 (CET)
Received: from kopoli (p200300864F79677C84E021A055B0AA04.dip0.t-ipconnect.de [IPv6:2003:86:4f79:677c:84e0:21a0:55b0:aa04]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id 2498725CA03E; Wed, 9 Dec 2015 22:00:14 +0100 (CET)
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Jared Mauch' <jared@puck.nether.net>
References: <005a01d132bf$b8d31a80$2a794f80$@rozanak.com> <BAF07397-13A0-4E46-AD61-8D5341FBE160@puck.nether.net>
In-Reply-To: <BAF07397-13A0-4E46-AD61-8D5341FBE160@puck.nether.net>
Date: Wed, 09 Dec 2015 22:00:05 +0100
Message-ID: <006a01d132c4$94d83070$be889150$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIcBJevjW3fUkks0ks22EN/+5YHPQHdFNL/nh6QnwA=
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/D1bvOuJmWJSrX4ERMGcSxi_MOjk>
Cc: DNSOP@ietf.org
Subject: Re: [DNSOP] new Resource record?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2015 21:00:51 -0000

Hi Jared,

Thanks a lot for your quick response.
> 
> People have done things similar to this over the years.  I remember software
> once distributed UNENCODED over sequenced DNS TXT records.
> 
> It seems something like TXT would be the best way to do this, eg:
> 
> dig txt 1.255.42.204.in-addr.arpa.

I might not be aware of that but since you suggested the use of the existing TXT record, Do you think the following conditions for processing this TXT RRs are also supported: 
Assumption: the admin of the DNS server is different from the admin of different zones in the DNS server
1- If a user is the owner of the domain example.com, it must not be able to add a new txt RR with different reference value if and if this reference value is not already assigned to this domain on the DNS server  (prevention of a user to access unauthorized resources)
But this user should be able to add this reference txt RR with one of the already existing value to its subdomains.
2- if a user is the owner of only a sub domain such as xx.example.com then it cannot change this RR but it can again assign it to its sub-subdomain such as yy.xx.example.com

In other word, the owner of the DNS server can update this txt RR (reference number) but the domain owners (any zones) on this DNS server should not be able to change it but they can assign (update), the already existing assigned reference numbers to domains and subdomains inside their zones. Similar to this, the subdomain owner cannot change this assigned value but can assign 1 or all of these reference Numbers to its sub-subdomain. 
Just like a tree that each root node have the possibility to use what is available to it and assign it to its leaves and this can continue until the end of the tree..
This is a kind of delegation of access control to the child leaves.  

If this is already existence in the DNS server, I think I no longer need to suggest such RR or the process to handle such cases. But if this process is not existence, then perhaps it is an advantage to have it.
 

> Nothing really stops you from putting a “Seq-01-Base64-Blob” out there.

Right but just my concern is the process behind this that needs to be a kind of tree based authorization.

> You might be able to use HINFO for that as well since it’s designed for two
> fields already.

I will look at them.
Thanks,
Best,
Hosnieh

v2.23.0 | Report a Bug | By Email