Re: [DNSOP] [dnsext] Re: DNAME-bis issues (was: new draft about idn tld variant implementation)
Alfred Hönes <ah@TR-Sys.de> Wed, 21 October 2009 19:58 UTC
Return-Path: <A.Hoenes@TR-Sys.de>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B5003A6833 for <dnsop@core3.amsl.com>; Wed, 21 Oct 2009 12:58:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.185
X-Spam-Level: **
X-Spam-Status: No, score=2.185 tagged_above=-999 required=5 tests=[AWL=0.934, BAYES_00=-2.599, CHARSET_FARAWAY_HEADER=3.2, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VjrsXUTSmw6v for <dnsop@core3.amsl.com>; Wed, 21 Oct 2009 12:58:33 -0700 (PDT)
Received: from TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by core3.amsl.com (Postfix) with ESMTP id 6A04A3A67EC for <dnsop@ietf.org>; Wed, 21 Oct 2009 12:58:31 -0700 (PDT)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3.2) id AA281685068; Wed, 21 Oct 2009 21:57:48 +0200
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id VAA12840; Wed, 21 Oct 2009 21:57:42 +0200 (MESZ)
From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <200910211957.VAA12840@TR-Sys.de>
To: cet1@cam.ac.uk
Date: Wed, 21 Oct 2009 21:57:42 +0200
In-Reply-To: <Prayer.1.3.2.0910211630350.17187@hermes-1.csi.cam.ac.uk> from Chris Thompson at Oct "21, " 2009 "04:30:35" pm
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 8bit
Cc: namedroppers@ops.ietf.org, dnsop@ietf.org, draft-ietf-dnsext-rfc2672bis-dname@cabernet.tools.IETF.ORG, draft-yao-dnsop-idntld-implementation@cabernet.tools.IETF.ORG
Subject: Re: [DNSOP] [dnsext] Re: DNAME-bis issues (was: new draft about idn tld variant implementation)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2009 19:58:34 -0000
On Oct 21 2009, Chris Thomson wrote: > On Oct 21 2009, Andrew Sullivan wrote: > >> Dear colleagues, >> >> On Wed, Oct 21, 2009 at 05:54:18PM +1100, Mark Andrews wrote: >>> >>> DNAME's placement is the same as any ordinary resource record (e.g. >>> MX, TXT). There is nothing special about where DNAME can or can't >>> be used. >> >> While that is true, quite plainly the current dname-bis draft doesn't >> leave everyone with that impression. We need proposed text to make >> the intent clearer. Can someone please propose it? Given the >> emergence of this issue, the document is clearly not ready for >> advancement, and it needs to be fixed before we send it on. > > We really need Alfred Hönes to comment on this, as he was the one who > acquired the wrong impression. ... I'll try, also elaborating on thoughts only exchanged off-list so far (last week). First my apologies for not being able to return to this discussion earlier. And maybe I was a bit overshooting in the first instance, too much focussed on the aspects I try to clarify below. Let me first discuss the more generic questions underlying the 'variant' domain (TLD or other) draft and discussion. The basic topic where we started from last week is a delegation. With regard to the root zone (and any other "registry-like" zone), "owner" and "delegation" are not only technical terms related to DNS database and protocol details, but also are contractual and legal terms, and so a lot of care needs to be taken in using these terms. This has repercussions to the protocol and database layer; for instance, in a DNSSEC signed zone the owner of the zone will sign the records there, and will be kept accountable for their content. For brevity, I'll designate the discussed "DNAME at the root" as an instance of a "pseudo-delegation" below (vs. "normal" delegation). For a "normal" delegation, the NS RRset in the delegating zone indeed is owned (in the legal sense!) by the parent zone owner; it is subject to the contractual relationship between the owner of the parent zone and the owner of the delegated zone. The NS RRset at the zone cut is handed over to the parent zone in a technical, contractual and legal sense. (Note that the owner of a zone is free to publish a different NS RRset for the zone at the apex of the zone itself than what he has handed over to the parent -- but he should strongly consider the consequences.) Hence, consistently DNSSEC signs the delegation NS RRs in the parent zone and thereby documents the legal ownership as well. Consequently, any other RRs for the delegated zone, if copied into the parent zone are not signed under DNSSEC there -- independent of their use as "glue" RRs in the narrow sense (address RRs for the name servers specified in the delegating NS RRs) or not. Since with DNAME queries for the owner name (technical!) of a DNAME RR will be answered from the zone where that DNAME RR is located, any other RRs with the same owner (technically!) name must be co-located in the same zone and hence fall technically under the authority (legally) of the owner (in legal terms) of the parent zone. This is entirely consistent with DNSSEC signing authority for all RRsets at the owner name (technically) of the DNAME RR being with the owner (legally and technically) of the 'hosting' zone of the DNAME RR. Many owners (legally) of TLDs and other "registry-like" zones place various RRs not directly related to the delegation (in the technical sense) at the zone apex for the delegated zone. For instance, I've seen TXT and NAPTR RRs recently there, but other RR types might be likely too. In the case of a 'pseudo-delegation' with DNAME in the parent zone these RRsets all would need to be stored in the latter, for instance in the root zone. Without DNSSEC, doing so and maintaining these RRs might be regarded as an O&M issue that could be organized on a contractual base, overriding to some extent the basic legal split of responsibility. But with a DNSSEC signed parent zone, the sibling RRsets of the DNAME would become subject of the parent zone signing policy and practice; I seriously doubt that this would be practical; furthermore, it is likely that the DNSSEC signature over such RRsets would be taken under some legislation as a strong sign of ownership and hence accountability of the parent zone owner for the content of these RRsets. This seems to be in perfect accordance with the DNSSEC trust model. Even more, the user of an 'alias' domain name will want to gain full legal authority of this name and consequently also will be held accountable for it; delegating registration-like domains will most likely not want to become accountable for these names. For a 'normal' delegation, there's a visible 'proof' of ownership for the delegation by the SOA RR at the apex of the delegated zone, which might legally serve as a strong indication of ownership of the delegation -- there's a pointer to "layer 8 and above" in the SOA in the form of the RNAME element in the SOA RDATA. A DNAME RR however does not carry such link to higher layers. Therefore, 'pseudo-delegations' via DNAME will most likely not be regarded as delegations of ownership, authority and accountability in the legal sense. All these complications do not arise if the owner (technically) of a DNAME RR is owned (legally) by the same administrative entity as the TARGET domain of the DNAME. Thus, it look like to avoid administrative, operational, and legal issues with DNAME, it seems to be evident that 'pseudo-delegations' are inappropriate for cases where the semantics of a true delegation (in the legal sense) is inherent and/or intended. This is obviously not the case in certain company-internal structured zones, where the ownership and authority for both domains related to a DNAME are within a single administrative domain, and most likely equally in many regions of the reverse DNS trees. So the terse rule of thumb might be: 'normal' delegations are for cases where the semantics of a (plain English etc.) delegation is expected, 'pseudo-delegations' can be used where the semantics of a "hint" or "shortcut" prevails. Back from the 'variant' domain arguments to the protocol specification undergoing revision (I-D.dnsext-rfc2782bis-dname): > ... My feeling is that the confusion is > confined to section 2.3, and I would now suggest the following: > > --- draft-ietf-dnsext-rfc2672bis-dname-17.xml Wed Oct 21 16:17:14 2009 > +++ draft-ietf-dnsext-rfc2672bis-dname-17a.xml Wed Oct 21 16:19:51 2009 > @@ -214,7 +214,7 @@ > for the YXDOMAIN (value 6) RCODE. > </t> > </section> > -<section title="DNAME Apex not Redirected itself"> > +<section title="DNAME Owner Name not Redirected itself"> Good clarification. Agreed. > <t> > Unlike a CNAME RR, a DNAME RR redirects DNS names subordinate to its > owner name; the owner name of a DNAME is not redirected itself. > @@ -224,9 +224,10 @@ > DNAME RRs are not allowed at the parent side of a delegation point > but are allowed at a zone apex. > </t><t> > - There still is a need to have the customary SOA and NS > - resource records at the zone apex. This means that DNAME does not > - mirror a zone completely, as it does not mirror the zone apex. > + If a DNAME record is present at the zone apex, there is still a need > + to have the customary SOA and NS resource records there as well. Such > + a DNAME cannot be used to mirror a zone completely, as it does not > + mirror the zone apex. Good. Maybe even better (arrow lines tagging proposed changes): v > + If a DNAME record is present at a zone apex, there is still a need > + to have the customary SOA and NS, and perhaps other resource records ^^^^^^^^^^^^^^^^^^^ > + there as well. Such a DNAME cannot be used to mirror a zone > + completely, as it does not mirror the zone apex. > </t><t> > These rules also allow DNAME records to be queried through RFC 1034 > <xref target="RFC1034" /> compliant, DNAME-unaware caches. > > -- > Chris Thompson University of Cambridge Computing Service, > Email: cet1@ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH, > Phone: +44 1223 334715 United Kingdom. Kind regards, Alfred Hönes. -- +------------------------+--------------------------------------------+ | TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. | | Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 | | D-71254 Ditzingen | E-Mail: ah@TR-Sys.de | +------------------------+--------------------------------------------+
- Re: [DNSOP] [dnsext] Re: DNAME-bis issues (was: n… Alfred Hönes