Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

Ondřej Surý <ondrej.sury@nic.cz> Mon, 24 July 2017 12:55 UTC

Date: Mon, 24 Jul 2017 14:55:19 +0200 (CEST)
From: Ondřej Surý <ondrej.sury@nic.cz>
To: John R Levine <johnl@taugh.com>
Cc: "Woodworth, John R" <John.Woodworth@CenturyLink.com>, dnsop <dnsop@ietf.org>
Message-ID: <1600298321.7649.1500900919500.JavaMail.zimbra@nic.cz>
In-Reply-To: <alpine.OSX.2.21.1707220815520.9675@ary>
References: <alpine.LRH.2.20.1707190347390.10419@ns0.nohats.ca> <20170719215749.2241.qmail@ary.lan> <A05B583C828C614EBAD1DA920D92866BD081E78B@PODCWMBXEX501.ctl.intranet> <alpine.OSX.2.21.1707200928290.4118@dhcp-8e4c.meeting.ietf.org> <A05B583C828C614EBAD1DA920D92866BD08233DE@PODCWMBXEX501.ctl.intranet> <alpine.OSX.2.21.1707220815520.9675@ary>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JyEyppMJth9J1oLeA5SGBzp8rL8>

----- Original Message -----
> From: "John R Levine" <johnl@taugh.com>
> To: "Woodworth, John R" <John.Woodworth@CenturyLink.com>
> Cc: "dnsop" <dnsop@ietf.org>
> Sent: Saturday, 22 July, 2017 08:33:30
> Subject: Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

>>> ...BULK absolutely requires online DNSSEC signing,
>> Unfortunately, I respectfully reject this as a statement of fact.
>> There's even a provision (NPN) ...
> 
>  ... which only works if you upgrade every validating resolver.  If you
> get to do that, you might as well just send the signed BULK record, the
> NSEC and RRSIG that show there's nothing at the name, and let the resolver
> figure it out.  Given how slowly people update their client DNS libraries,
> NPN would be a recipe for decades of DNS flakiness, as some resolvers
> accept the generated records and some don't.

+1

Personally, I think NPN should be just dropped as John L. is correct in his assessment here.

I still think BULK is too complicated[*], but I understand the value
of interoperability between DNS server vendors.


* - compare to our synthrecord plugin:
https://www.knot-dns.cz/docs/2.5/html/modules.html#synthrecord-automatic-forward-reverse-records

Cheers,
--
 Ondřej Surý -- Technical Fellow
 --------------------------------------------
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.sury@nic.cz    https://nic.cz/
 --------------------------------------------