Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-edns-tags-00.txt

Wes Hardaker <> Mon, 04 March 2019 23:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 560611311EC for <>; Mon, 4 Mar 2019 15:03:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tdSHBeYXWsbp for <>; Mon, 4 Mar 2019 15:03:23 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A8429131130 for <>; Mon, 4 Mar 2019 15:03:23 -0800 (PST)
Received: from localhost ( []) by (Postfix) with ESMTPA id D5507233E8; Mon, 4 Mar 2019 15:03:16 -0800 (PST)
From: Wes Hardaker <>
To: Ray Bellis <>
References: <> <>
Date: Mon, 04 Mar 2019 15:03:11 -0800
In-Reply-To: <> (Ray Bellis's message of "Mon, 4 Mar 2019 16:27:34 +0000")
Message-ID: <>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-edns-tags-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Mar 2019 23:03:25 -0000

Ray Bellis <> writes:

> This new draft describes a way for clients and servers to exchange a
> limited amount of information where the semantics of that information
> are completely unspecified, and therefore determined by bi-lateral
> agreement between the client and server operators.

Hmmm..  very interesting idea, but I'm having a hard time seeing how
this will be used in the real world in a scalable and interoperable

Let's take an example from the draft (which is a good/interesting one, btw):

   o  client-controlled selection of a DNS-based security filter

So, my client knows the upstream resolver has published two flags/bits
for this:

  0x01 - don't filter out malware
  0x02 - please filter out ad servers

This is all well and good if the client knows what it's talking to.  How
does it know which resolvers support it?  This has to be custom config
in clients I assume?

So let's assume the (roaming) client has a pre-configured list of IP
addresses that know how to send or interpret particular tags.

What happens when the upstream software changes?  Or the upstream server
is taken over by a new company that deploys entirely new semantics?  How
is that change communicated to all the clients?  What if the new bits
mean something entirely different, potentially the exact opposite?  How
are conflicts like this handled?

There are cases for this type of behavior already, and they do work.  As
an example, BGP communities distribute routing policies in a fairly
similar way.  But BGP connections are small in number, contracts or MOUs
at the least are put in place to ensure communication can happen, etc.

The problem with a generic mechanism like this for DNS is that the
number of clients per server are potentially gigantic.  And there is
often not a documented relationship or even a known contact mechanism to
signal changes taking place.  This all makes communication of agreed
upon semantics of bits not exactly impossible, but likely between
difficult to extremely difficult.  And misconfiguration could be
potentially be dangerous, depending on the meaning of the bits.  Imagine
if the new bit for some flipped software suddenly switched to "I trust
MD5, go ahead and believe MD5 DS records".

But maybe, and hopefully, I'm just misunderstanding how this will be
used safely in deployments.

Wes Hardaker