Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 09 November 2018 04:09 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97DE91292F1 for <dnsop@ietfa.amsl.com>; Thu, 8 Nov 2018 20:09:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WGeNeRWxs60L for <dnsop@ietfa.amsl.com>; Thu, 8 Nov 2018 20:09:16 -0800 (PST)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A04D1277BB for <dnsop@ietf.org>; Thu, 8 Nov 2018 20:09:16 -0800 (PST)
Received: by mail-vs1-xe36.google.com with SMTP id x1so291921vsc.10 for <dnsop@ietf.org>; Thu, 08 Nov 2018 20:09:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=aJO07rdxKdW3ysp9qDOmaPl67uE2rFtf17sh1oUm20M=; b=DjGm2f9OYpKoORb2pQ4vLZVvzk2fxV7nR6lxkI158h0QU23CU1zed0nNdgY+ksQwLj pzMIhp88LTx4foQYw4R+xh/Bnx084gyHDLG2fPGr5kR/SyJ94A+AsAJzhmsUGI5ij+IR 7pe0YrhiofcTtrFuG7DGGLv6XCtj6FG3/wrZvyHLVD22bvI+gfo/nyMNjpYYWPrNVtp4 Q1tYvnUlrSaoeRCIkLuMZ5NIiqEy/bU46bnOgkqeC4i6dauebx+os1BL4ABV9pHlgQW+ 95stwrq+0fkzWAsCE3Q1llOtTJ6Sg6+Cl7+WEHUfkLaRHbAHop7R42c3dBRtTQMdbu+p wuJQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=aJO07rdxKdW3ysp9qDOmaPl67uE2rFtf17sh1oUm20M=; b=Qp9LCTqSdS+fGlb2/kZOGnskFdYuLNMkCXy9BKgIt3pKB2q9hw54Gsb9hX94YapXuP Kzle5A3KHq+Bca4gklZ0OYTuCEfCFQYKhuIOshyBPRZ6G0x08nX9AQMt/p2tdfdz+kta XtQuQMQsQsGivuWFfAlZ7u+l7v76vm0B+P8NMdfxdve6DJ7bW0GihaBujD7NWQNeSNe9 dnPt2SiapHKXh97QUDbrBFuE7dlEREbEvGFkkmxyz8rMeO60zOhEPtq1qj46b/ZG9uhe Y2EXMN6ctawdXXqBiJAPW226jGNophkw6pq0hg7207wJngXi6yUKacLOwMZvE6HPWfk/ bHjg==
X-Gm-Message-State: AGRZ1gJ9jGZBSEAnHfdjkasX0oXt8iJdaplKff83DyQYHSov0n0NsWD3 E+F75G76bGQZV0VasNp8/wq4fqYHN7uM8mkfGq9/GZcSoF0=
X-Google-Smtp-Source: AJdET5f+xoZlBMmUPPxjcR9vAEaLUmrOAV5mvmkTtXzQvSt4tiZKxAHJMkhiK/vWKMZ/2nH1korotbxrRxL4GmCg8+s=
X-Received: by 2002:a67:7b0a:: with SMTP id w10mr3143248vsc.5.1541736555115; Thu, 08 Nov 2018 20:09:15 -0800 (PST)
MIME-Version: 1.0
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 9 Nov 2018 11:09:02 +0700
Message-ID: <CAH1iCiqnzV6NE2FaRapFK_SQ4bhbraLs5GAbBuU+DYe15E54XA@mail.gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b47ba4057a338304"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IpArNi6UgsNpPLPl-O0jV1cvslY>
Subject: Re: [DNSOP] Root reasons (aka "why") - HTTP vs SRV vs ANAME vs CNAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Nov 2018 04:09:18 -0000

Paul Vixie wrote:

> Ray Bellis wrote:
>
> On 09/11/2018 07:14, Tony Finch wrote:
>
> But remember: the goal is to make the DNS easier to use for people
> who don’t know about the restrictions on CNAMEs.
>
> I'd say the goal is to make the DNS *possible* to use for people who
> don't know about the restrictions on CNAMEs.
>
> i regret not adding ANY as an RR type (not just a Q type) back when the DNS
> was small and i supported 90% of it. what we actually needed is a wildcard
> on types so that if there's no more-specific type you get thatone, which
> would have an rdata of the target name, but act like PTR (which the DNS
> requester has to follow) rather than like CNAME (which the recursive has
> to follow.)
>
> I concede that ANAME perhaps makes that easier than HTTP does, but it
> does so at the expense of significant complexity in authority servers by
> still requiring A and AAAA lookups to be somehow "magic", and doesn't
> fix the architectural problem of lack of a service identifier.
>
> i am loath to create per-service record types. that's why SRV. if you really
> want every client of a service to query for something other than AAAA/A,
> can you try to fix what's wrong with SRV regarding wildcards,but avoid a
> new type code for every new thing like MX and HTTP as they come along in
> the decades to follow? also, does SSH count as a service? what about FTP?
> Gopher? RSync? NNTP? IMAP(S)? it may not be too late to think
> architectural thoughts like "what will the internet engineering community
> think, 50 years from now, that we should have done for them?"


Funny anecdote:

I was actually going to add a suggestion for a "fall-back catch-all" aka
wildcard RR type, to the first message in this new thread, but was
concerned about muddying the waters.

I'll just point out the semantics of having both service-specific, and
wildcard, service-RRtypes, and their poster-child use cases.

Semantics:

   1. Client queries for service-specific RRtype
   2. If present, the response is returned, optionally with A/AAAA (i.e. if
   resolver is upgraded)
   3. If absent, but a wildcard service RRtype is present, the wildcard is
   returned, optionally with A/AAAA (ditto)
   4. If neither is present, noerror/nodata response, possibly with A/AAAA
   of original owner (i.e. if resolver is upgraded)

Typical instructions to domain owner:

   - If all your services are on some third party at the same FQDN, put in
   a wildcard pointing there
   - If most of your services are on one third party at the same FQDN, put
   in a wildcard pointing there, with any other type-specific services which
   are on other third parties, added with pointers to each of them
   - If you are wanting to ensure only responses for specific types, use
   those types and do not use the wildcard type.

The logic required on authority servers is exactly analogous to wildcard
names. Look up the specific thing first, and if absent, look up the
wildcard. Return what you find.
The logic required on resolvers is similarly analogous, including the logic
for following the RHS returned with any such record type: rewrite the query
and rerun resolution (just like CNAMEs).

I think this is the right time to add this to the proposal (before any
implementations exist). You can't put the cart before the horse if there is
no {cart,horse}.

Not exactly speaking for an authority server operator/developer, I don't
think the difference between either implementing or operating the
wildcarded version is in any way problematic.
(No authority requirement to track or add A/AAAA == we're good; solves apex
issue == we are happy; multiple types of "pointer" at same owner name
(better than CNAME) == we are ecstatic.)

Minimizes level of effort on nearly-trivial zones; gives control for zones
operated by folks who want control; minimizes total minimum record count
(provably) in all situations. Easy to add more types without ANY logic-flow
changes to any implementations (assuming RDATA is just an FQDN), beyond
adding new types to the enum set of "things like this".

Are we converging on consensus, possibly?

Brian