IETF Logo Mail Archive

[DNSOP] Re: Introducing Relative Label for DNS

Alexander Robohm <ar@arobohm.de> Sun, 21 July 2024 19:17 UTC

Return-Path: <ar@arobohm.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D558C15106B for <dnsop@ietfa.amsl.com>; Sun, 21 Jul 2024 12:17:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=arobohm.de header.b="CEF6j0Qo"; dkim=pass (2048-bit key) header.d=arobohm.de header.b="nr6OohNL"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hmPXqIZ-3l9R for <dnsop@ietfa.amsl.com>; Sun, 21 Jul 2024 12:17:49 -0700 (PDT)
Received: from mx.arobohm.de (mx.arobohm.de [85.235.66.77]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71963C14F6A5 for <dnsop@ietf.org>; Sun, 21 Jul 2024 12:17:48 -0700 (PDT)
Message-ID: <af442a04-dfc4-4c6d-9aff-b3ffae56131f@arobohm.de>
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=arobohm.de; s=202405e; t=1721589465; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3nr6xF0s4hbz8FqLJX9ntmw4z+MBpcuyzW9DwJEuIaY=; b=CEF6j0QoUYIKMAzpBLNYpulsN/dEE2UlRGMstcSKaOax6PM0tLOy8KJ/8yqzR+LKYKOvcA fLFRlnf0fp9VP/Ag==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=arobohm.de; s=202405r; t=1721589465; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3nr6xF0s4hbz8FqLJX9ntmw4z+MBpcuyzW9DwJEuIaY=; b=nr6OohNL0LTFetHL4O9wSBIs1oUspEho7Saht1PASEuH59kT5SCMY4w/wgmfvlkgKo+LBa IqnQ/mp4/TQwG68z4tuioMOAw3oJ6U2TWqUE7U5gUP9A0vcU+1hwv1eBPZIc0afXlM8RCO nLHv66sIext2ZGEvuSBI2sXfSSM6/8oHybi6p5VOzyKku50z3fXyy5fBw1LoLEPG0qErF2 NlYabQLy4G58RHJwK1HSow2khHGm61F/OPDAVet1ZzNggm61vu4Hf/8KlPSWMADJzO7hYf tXV2rZWT92Z2tLN6mw/DTFILzSG6ujl7U+aaWi5wYyzmZTmPZ+pdp2eUunmsdw==
Authentication-Results: ORIGINATING; auth=pass smtp.auth=ar@arobohm.de smtp.mailfrom=ar@arobohm.de
ARC-Seal: i=1; s=202405r; d=arobohm.de; t=1721589465; a=rsa-sha256; cv=none; b=Itp7cmNG+xIAhyDhywHQejiTkuR7o4AYsR+PYBhpCtxcBQWkgD3zXnp33qvkel1xa/++Ux HFU4VYLf/YBOABz8aEnpPtCjxFXWzdy/HgEyIuoU+0T6fOeDgH5D/BKAWpLvZeZDAw3G6j XV/yUt5yn2duaZzmZn65ttMxOC8g3gCXD+owIzgxPpObaZJpiVgl9QV5OLDkpQaC8+exQE DaxAPgJytOPc2c6PtA5qx8kyJf4QNUPnMW7kDzy/eBbgvCXp8xVScZZwQExM7kyLQXRrgH bepg1T95mcaCPdyU1GHSb1mC0bAGWENB8u29YMv7WDlL0OglaN6YAMFF/L/GEw==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=ar@arobohm.de smtp.mailfrom=ar@arobohm.de
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=arobohm.de; s=202405r; t=1721589465; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=3nr6xF0s4hbz8FqLJX9ntmw4z+MBpcuyzW9DwJEuIaY=; b=cMC1J4fpfzklivb3ZnOwgMM3jZYwgw9XLAPZTE1tSBOv3cUct3Vm3BTuKLvnxiPbLg2ZR4 SzNTEcsTlyBm1vaY2z+jgWid9eeyot8U90gYzELr9e8KJOSW4JUQqRtnkhtvQkUzr4rJJa uBQXR1HSoAOgcaJbMQuiPPO16zUE32XudihNv3ucGtN3WegQ4SaKIPEHNQxQS8RUEROeKA p9HKyraI/MBcIfdeN9rHNXrDtHjwBIk7I1982YQcz1vU0RPfcNtu98RB70dqkaTdHf3iDe m8gY+aUAQg7yMBmGHzKg5bbOTUaMw4rQ9Z1KzSlmId8H97lYO/iGfcM5EHDFqQ==
Date: Sun, 21 Jul 2024 21:17:43 +0200
MIME-Version: 1.0
To: dnsop@ietf.org, ben.vanhartingsveldt@yocto.com
References: <32cb827b0875605f8fbf47ccae1d4a9c@yocto.com>
Content-Language: de-DE
From: Alexander Robohm <ar@arobohm.de>
In-Reply-To: <32cb827b0875605f8fbf47ccae1d4a9c@yocto.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Message-ID-Hash: RZBDCLPJNTLMIV23FF5JCRWCAGSIGN36
X-Message-ID-Hash: RZBDCLPJNTLMIV23FF5JCRWCAGSIGN36
X-MailFrom: ar@arobohm.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Introducing Relative Label for DNS
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FxkF6v06tMxIY2WtXLF0oBEvLfU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi,

I have read your draft and have a few questions:
- How does the server receiving the UPDATE decide where too put it? The
   draft, AFAICT, doesn't specify what domain should be appended to the
   relative label to fully qualify it.
- How are multi-label relative names handled? (say selector._domainkey)
- Is this really necessary when the software generating the UPDATEs can
   fully qualify the names for you?

For the last point, consider section 5 of RFC 6891:
    Extended label types are extremely difficult to deploy due to lack of
    support in clients and intermediate gateways, as described in
    [RFC3363], which moved [RFC2673] to Experimental status; and
    [RFC3364], which describes the pros and cons.  As such, proposals
    that contemplate extended labels SHOULD weigh this deployment cost
    against the possibility of implementing functionality in other ways.

You should also check your citations - [RFC2671] links to RFC 2119, and
RFC 2065 was obsoleted in 1999.

Alexander Robohm


Am 21.07.2024 um 20:50 schrieb Ben van Hartingsveldt:
> Dear all,
> 
> In the recent years I started working on my own coded DNS server, 
> because I was done with the synchronization between BIND and DirectAdmin 
> that broke all the time. It resulted in a Java server that is running on 
> 4 IPs for some years now. Because of this, I had to read many RFCs to 
> have it pass tests like Zonemaster, DNSViz, IntoDNS, etc. While reading 
> and implementing things, I also came across some shortcomings of DNS. On 
> advice of someone at SIDN, I will share my draft that I published today. 
> It solves one of the shortcomings that DNS has in its core: relative 
> domain names.
> 
> I'm talking about 
> https://datatracker.ietf.org/doc/html/draft-yocto-dns-relative-label-00. 
> This draft is meant to solve the problem that we cannot use relative 
> domain names in the DNS system, specificly in DNS UPDATE and in binary 
> zone files. This also means that this draft is not meant for use with 
> the QUERY opcode (except for possibly AXFR and IXFR). Let me explain 
> those two usecases.
> 
> 1) DNS UPDATE: In DNS UPDATE it is possible to update the zone using DNS 
> itself. This can be used in routers when dynamic DNS is wanted, but also 
> in other situations. Imagine wanting to add an MX record. Using a 
> webinterface, you are likely able to chooses one of the following four 
> options:
> - mail IN MX 10 mx
> - mail IN MX 10 mx.example.com.
> - mail.example.com. IN MX 10 mx
> - mail.example.com. IN MX 10 mx.example.com.
> However, using DNS UPDATE you are only able to add the record with 
> fourth format; both record name and FQDN field have to be absolute. This 
> means that when I return to the webinterface, I will likely see absolute 
> domain names, even when I use relative domain names in my other records. 
> My draft wants to give the client more control over when to use relative 
> and when to use absolute domain names by adding a new label type.
> 
> 2) Binary Zone Files: Since BIND 9, it is possible to save zones in a 
> binary format. This is possible to enable/disable using 
> `masterfile-format`. It is possible to convert the textual format to 
> binary and vice versa. However, when converting to binary, the zone file 
> will loose the knowledge of knowing which domain names where absolute 
> and which where relative. This means that converting the zone back from 
> binary to text will likely give you a zone with only absolute domain 
> names. As with DNS UPDATE, this is a shortcoming of the wire format used 
> by DNS.
> 
> That is why I wrote this draft. Like BIND, my own DNS system also uses 
> binary zone storage and in the future I'm planning to implement DNS 
> UPDATE too. I also believe my draft is not yet perfect. I'm not a native 
> English speaker and maybe just format to mention something important. 
> That is why I want you to give your honest opinion on this topic. Do you 
> agree with the problem? Does DNS need such label? Did I make a typo? Etc.
> 
> Please let me know.
> 
> Thanks in advance
> 
> Ben van Hartingsveldt
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

v2.39.1 | Report a Bug | By Email | System Status