Re: [DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)

Ray Bellis <Ray.Bellis@nominet.org.uk> Mon, 09 March 2015 16:06 UTC

From: Ray Bellis <Ray.Bellis@nominet.org.uk>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Thread-Topic: [DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)
Date: Mon, 09 Mar 2015 16:05:29 +0000
Message-ID: <C1F43BD2-126F-4C1D-B084-A4B3A1F98ECD@nominet.org.uk>
References: <20150306145217.GA8959@nic.fr> <54F9C29E.9040408@jive.com> <54F9F90D.1020806@redbarn.org> <54F9FCD3.7010204@jive.com> <54F9FDFA.2030405@redbarn.org> <F25411A6-2CBD-4A76-949C-6E236FA87863@isoc.org> <20150306205920.GA17567@isc.org> <20150309142844.GA11602@nic.fr>
In-Reply-To: <20150309142844.GA11602@nic.fr>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/FjsNDGEEy_9vYP54s1AC_Ze0Z6s>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

> On 9 Mar 2015, at 14:28, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> 
> On Fri, Mar 06, 2015 at 08:59:20PM +0000, Evan Hunt <each@isc.org> wrote a message of 28 lines which said:
> 
>> (As an aside: I've often wondered why the DNS doesn't have *more*
>> meta-query types, less extensive than ANY, such as a single type
>> covering A and AAAA.
> 
> Probably for the same reason that makes QTYPE=ANY queries very
> difficult to understand for the beginner and counter-intuitive:
> because it is hard to specify the semantics. Imagine there is an ADDR
> meta-query covering A and AAAA. You send QTYPE=ADDR and you get only A
> record(s). Can you be *sure* (and can you validate with DNSSEC) that
> there was no AAAA? Think of the various cases, RD=0, RD=1, caches,
> forwarders, etc.

I wrote this a few years ago:

http://tools.ietf.org/html/draft-bellis-dnsext-multi-qtypes-01

The primary stumbling block was the possibility (given DNSSEC) for multiple different RCODEs for the different QTYPEs being requested.

I couldn't think of any failure modes in the non-DNSSEC case, but with signed data it's theoretically possible to have valid signatures for the owner name on one QTYPE and invalid signatures on another.

Ray
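A small model of the stumbling block Ray describes and of Stephane's "can you be sure there was no AAAA" question, added here as an illustration; it is not code from the multi-qtypes draft or from any resolver. The status names, the `Name`/`RRset` classes, the `denial_valid` flag (standing in for whether an NSEC/NSEC3 proof of absence validates) and the sample zone data are all constructed for the example. It shows why a response to a hypothetical A+AAAA meta-query needs one status per QTYPE: forcing the per-type results into the single RCODE of a classic DNS header either discards a validly signed A RRset (when the AAAA signature is bogus) or cannot say whether the missing AAAA was proven absent. In the unsigned case no information is lost, matching Ray's observation.

```python
"""Toy model of answering a hypothetical multi-QTYPE (e.g. A+AAAA) query.

Added illustration only; zone contents and status names are constructed
for this example and do not come from the draft or from any resolver.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Per-QTYPE outcome a validating resolver would want to report.
NOERROR = "NOERROR"    # RRset present and (if the zone is signed) validated
NODATA = "NODATA"      # name exists but has no RRset of this type (proven when signed)
SERVFAIL = "SERVFAIL"  # signature or denial-of-existence proof did not validate


@dataclass
class RRset:
    rdata: List[str]
    signature_valid: bool = True  # only consulted when the zone is signed


@dataclass
class Name:
    """All RRsets at one owner name.

    denial_valid is a constructed stand-in for "does the NSEC/NSEC3 proof
    that a type is absent at this name validate?"; one flag covers the
    whole name in this toy model.
    """
    rrsets: Dict[str, RRset] = field(default_factory=dict)
    zone_signed: bool = True
    denial_valid: bool = True


def answer_one(name: Name, qtype: str) -> str:
    """Status a validating resolver would assign to a single QTYPE."""
    rrset = name.rrsets.get(qtype)
    if rrset is None:
        # Absence is only trustworthy if the proof of absence validates.
        if name.zone_signed and not name.denial_valid:
            return SERVFAIL
        return NODATA
    if name.zone_signed and not rrset.signature_valid:
        return SERVFAIL
    return NOERROR


def answer_multi(name: Name, qtypes: List[str]) -> Dict[str, str]:
    """Answer a multi-QTYPE query with one status per requested QTYPE."""
    return {qt: answer_one(name, qt) for qt in qtypes}


def collapse_rcode(per_type: Dict[str, str]) -> str:
    """Squeeze the per-QTYPE statuses into the one RCODE a classic header
    carries: any bogus type poisons the whole reply, otherwise NOERROR
    has to cover both 'data returned' and 'no data'."""
    return SERVFAIL if SERVFAIL in per_type.values() else NOERROR


def lost_by_collapse(per_type: Dict[str, str]) -> List[str]:
    """QTYPEs whose usable per-type result (validated data or a validated
    proof of absence) is thrown away by collapsing to a single RCODE."""
    if collapse_rcode(per_type) != SERVFAIL:
        return []
    return sorted(qt for qt, st in per_type.items() if st != SERVFAIL)


if __name__ == "__main__":
    # Constructed sample: A signed correctly, AAAA signature bogus.
    mixed = Name({"A": RRset(["192.0.2.1"]),
                  "AAAA": RRset(["2001:db8::1"], signature_valid=False)})
    per_type = answer_multi(mixed, ["A", "AAAA"])
    print(per_type, "->", collapse_rcode(per_type),
          "discards:", lost_by_collapse(per_type))
    # Same data in an unsigned zone: nothing to validate, nothing lost.
    unsigned = Name(mixed.rrsets, zone_signed=False)
    per_type = answer_multi(unsigned, ["A", "AAAA"])
    print(per_type, "->", collapse_rcode(per_type),
          "discards:", lost_by_collapse(per_type))
```

Run it directly to see the two cases printed. The mixed-validity name yields `{'A': 'NOERROR', 'AAAA': 'SERVFAIL'}`, which a single RCODE can only report as SERVFAIL, discarding the good A answer; the same name with `zone_signed=False` yields NOERROR for both types and loses nothing. A name with only an A record but a broken denial proof shows the other half of the problem: the client cannot tell "no AAAA" from "AAAA unknown" without a per-type status.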