Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-edns-tags-00.txt
Wes Hardaker <wjhns1@hardakers.net> Mon, 04 March 2019 23:03 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 560611311EC for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2019 15:03:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tdSHBeYXWsbp for <dnsop@ietfa.amsl.com>; Mon, 4 Mar 2019 15:03:23 -0800 (PST)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8429131130 for <dnsop@ietf.org>; Mon, 4 Mar 2019 15:03:23 -0800 (PST)
Received: from localhost (74-93-183-173-Sacramento.hfc.comcastbusiness.net [74.93.183.173]) by mail.hardakers.net (Postfix) with ESMTPA id D5507233E8; Mon, 4 Mar 2019 15:03:16 -0800 (PST)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Ray Bellis <ray@isc.org>
Cc: dnsop@ietf.org
References: <155171606493.5281.3957934874516100450.idtracker@ietfa.amsl.com> <5c3cc3f9-2225-9077-fb9e-0fb940bd1c1b@isc.org>
Date: Mon, 04 Mar 2019 15:03:11 -0800
In-Reply-To: <5c3cc3f9-2225-9077-fb9e-0fb940bd1c1b@isc.org> (Ray Bellis's message of "Mon, 4 Mar 2019 16:27:34 +0000")
Message-ID: <yblef7mp7io.fsf@wu.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JIBIa5BohhhM7Q_y_VGRren6PRM>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-edns-tags-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2019 23:03:25 -0000
Ray Bellis <ray@isc.org> writes: > This new draft describes a way for clients and servers to exchange a > limited amount of information where the semantics of that information > are completely unspecified, and therefore determined by bi-lateral > agreement between the client and server operators. Hmmm.. very interesting idea, but I'm having a hard time seeing how this will be used in the real world in a scalable and interoperable way. Let's take an example from the draft (which is a good/interesting one, btw): o client-controlled selection of a DNS-based security filter So, my client knows the upstream resolver has published two flags/bits for this: 0x01 - don't filter out malware 0x02 - please filter out ad servers This is all well and good if the client knows what it's talking to. How does it know which resolvers support it? This has to be custom config in clients I assume? So let's assume the (roaming) client has a pre-configured list of IP addresses that know how to send or interpret particular tags. What happens when the upstream software changes? Or the upstream server is taken over by a new company that deploys entirely new semantics? How is that change communicated to all the clients? What if the new bits mean something entirely different, potentially the exact opposite? How are conflicts like this handled? There are cases for this type of behavior already, and they do work. As an example, BGP communities distribute routing policies in a fairly similar way. But BGP connections are small in number, contracts or MOUs at the least are put in place to ensure communication can happen, etc. The problem with a generic mechanism like this for DNS is that the number of clients per server are potentially gigantic. And there is often not a documented relationship or even a known contact mechanism to signal changes taking place. This all makes communication of agreed upon semantics of bits not exactly impossible, but likely between difficult to extremely difficult. And misconfiguration could be potentially be dangerous, depending on the meaning of the bits. Imagine if the new bit for some flipped software suddenly switched to "I trust MD5, go ahead and believe MD5 DS records". But maybe, and hopefully, I'm just misunderstanding how this will be used safely in deployments. -- Wes Hardaker USC/ISI
- [DNSOP] Fwd: New Version Notification for draft-b… Ray Bellis
- Re: [DNSOP] [Ext] Fwd: New Version Notification f… Paul Hoffman
- Re: [DNSOP] Fwd: New Version Notification for dra… Ted Lemon
- Re: [DNSOP] [Ext] Fwd: New Version Notification f… Paul Hoffman
- Re: [DNSOP] [Ext] Fwd: New Version Notification f… Ted Lemon
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Wes Hardaker
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] Fwd: New Version Notification for dra… Wes Hardaker
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] [Ext] Fwd: New Version Notification f… Paul Hoffman
- Re: [DNSOP] [Ext] Fwd: New Version Notification f… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Wes Hardaker
- Re: [DNSOP] Fwd: New Version Notification for dra… Wes Hardaker
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] Fwd: New Version Notification for dra… Shane Kerr
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Tony Finch
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Petr Špaček
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] [Ext] Fwd: New Version Notification f… Peter van Dijk
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] New Version Notification for draft-be… Peter van Dijk
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… 神明達哉
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] New Version Notification for draft-be… Peter van Dijk