Re: [DNSOP] Mapping IANA deprecated to YANG status deprecated [was RE: Robert Wilton's Discuss on draft-ietf-dnsop-iana-class-type-yang-03: (with DISCUSS and COMMENT)]

Benno Overeinder <benno@NLnetLabs.nl> Wed, 16 June 2021 11:00 UTC

Return-Path: <benno@NLnetLabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3462A3A112E; Wed, 16 Jun 2021 04:00:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.8
X-Spam-Level:
X-Spam-Status: No, score=-2.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uyown-G6O3KA; Wed, 16 Jun 2021 03:59:59 -0700 (PDT)
Received: from outbound.soverin.net (outbound.soverin.net [116.202.65.218]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E78E3A1128; Wed, 16 Jun 2021 03:59:58 -0700 (PDT)
Received: from smtp.soverin.net (unknown [10.10.3.24]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) (No client certificate requested) by outbound.soverin.net (Postfix) with ESMTPS id 1366B6008B; Wed, 16 Jun 2021 10:59:55 +0000 (UTC)
Received: from smtp.soverin.net (smtp.soverin.net [159.69.232.138]) by soverin.net
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nlnetlabs.nl; s=soverin; t=1623841193; bh=QU835XZ+DlIxBuuwxKAx+QYhAnW5BWBTBgKp589Y+vM=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=qbI1fKXikrDe8n9dIyAbChXxU61vPTPm2BvpyBC+yvB2LEsRlKl6QETQ9kOMV4mSw tOZ3n0W2+zcErOraiuM5N1d/I3mQpnqwRJWQVHRLb7LzjMJEtAwd0voytMv0IcFcpT ExszpMc8maYSo1R5LWFhSNQSJnxbIPOuQ3ygsneuv6qyQU0O7d27o0y+1Bw7rwPfDN qnDqf1Mkz08c+ewk4bYv90w7oHuAf7f1IpzkcG/n6Mg1619TjCYTHVuTDV4C9rHBOZ PpTkwoCwFS33radMiyy8wXcAEaTjSQrrefmgaC9V21krcLF2BzxbVfnzEL7zrNxxZI KkUZeaLUNEIdA==
To: "Rob Wilton (rwilton)" <rwilton=40cisco.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Cc: "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "draft-ietf-dnsop-iana-class-type-yang@ietf.org" <draft-ietf-dnsop-iana-class-type-yang@ietf.org>, Ladislav Lhotka <ladislav.lhotka@nic.cz>, The IESG <iesg@ietf.org>, Paul Wouters <paul@nohats.ca>, "michelle.cotton@iana.org" <michelle.cotton@iana.org>
References: <DM4PR11MB5438640E293969D040407683B5359@DM4PR11MB5438.namprd11.prod.outlook.com>
From: Benno Overeinder <benno@NLnetLabs.nl>
Message-ID: <b0426518-2b91-3eb0-1b2e-ddd0ac606b7c@NLnetLabs.nl>
Date: Wed, 16 Jun 2021 12:59:48 +0200
MIME-Version: 1.0
In-Reply-To: <DM4PR11MB5438640E293969D040407683B5359@DM4PR11MB5438.namprd11.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JyjL0uZw4oG95py2I7BnFq35OtA>
Subject: Re: [DNSOP] Mapping IANA deprecated to YANG status deprecated [was RE: Robert Wilton's Discuss on draft-ietf-dnsop-iana-class-type-yang-03: (with DISCUSS and COMMENT)]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Jun 2021 11:00:07 -0000

Thank you Rob.

I am the document shepherd, but reply with no hats.

I understand the concern, and I am fine with the proposed change.

Best,

-- Benno


On 10/06/2021 18:05, Rob Wilton (rwilton) wrote:
> Hi DNS Ops,
>   
> Warren, Lada and I discussed this further today.  Warren and I think that mapping IANA deprecated to YANG deprecated is the right behaviour here, and Lada is fine with either outcome.
>   
> The main concern of mapping from IANA 'deprecated' to YANG 'status obsolete' is that it would force a hard transition if any DNS classes or RR's ever needed to be deprecated.  I.e., when a server picks up a new version of the generated YANG types file it would be obliged to immediately remove support for the 'status obsolete' definition with no grace period and no option to continue using it (RFC 7950 describes this is a SHOULD NOT, but this constraint is effectively stronger in the versioning related drafts currently progressing in the NETMOD WG).
>   
> So, the following change is proposed:
>   
> OLD:
>   	"status":  Include only if a class or type registration has been
>    	deprecated or obsoleted.  In both cases, use the value "obsolete"
>    	as the argument of the "status" statement.
>   
> NEW:
>                "status":  Include only if a class or type registration has been
>    	deprecated or obsoleted.   IANA "deprecated" maps to YANG
>    	status "deprecated", and IANA "obsolete" maps to YANG status
> 	"obsolete".
>   
> Does anyone in the WG strongly object to this change?  If so, please let us know by Wed's 16th.
>   
> Regards,
> Rob
> 
> 
>> -----Original Message-----
>> From: Ladislav Lhotka <ladislav.lhotka@nic.cz>
>> Sent: 10 June 2021 12:37
>> To: Rob Wilton (rwilton) <rwilton@cisco.com>; The IESG <iesg@ietf.org>;
>> Warren Kumari <warren@kumari.net>; michelle.cotton@iana.org
>> Cc: draft-ietf-dnsop-iana-class-type-yang@ietf.org; dnsop-chairs@ietf.org;
>> dnsop@ietf.org; benno@NLnetLabs.nl
>> Subject: RE: Robert Wilton's Discuss on draft-ietf-dnsop-iana-class-type-yang-
>> 03: (with DISCUSS and COMMENT)
>>
>> "Rob Wilton (rwilton)" <rwilton@cisco.com> writes:
>>
>>> Hi Lada,
>>>
>>> I've also copied Michelle on - since I think that it would be helpful for IANA
>> to at least be aware of this discussion.
>>>
>>> Sorry for being slow to get back to you.  I've expanded on my discuss
>> comment below, but it may be helpful for you, Warren, I, possibly Michelle,
>> to have a quick chat to see if we can resolve it.
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: Ladislav Lhotka <ladislav.lhotka@nic.cz>
>>>> Sent: 03 June 2021 14:17
>>>> To: Rob Wilton (rwilton) <rwilton@cisco.com>; The IESG <iesg@ietf.org>
>>>> Cc: draft-ietf-dnsop-iana-class-type-yang@ietf.org; dnsop-chairs@ietf.org;
>>>> dnsop@ietf.org; benno@NLnetLabs.nl
>>>> Subject: Re: Robert Wilton's Discuss on draft-ietf-dnsop-iana-class-type-
>> yang-
>>>> 03: (with DISCUSS and COMMENT)
>>>>
>>>> Hi Rob,
>>>>
>>>> On 03. 06. 21 13:16, Robert Wilton via Datatracker wrote:
>>>>
>>>> ...
>>>>
>>>>> ----------------------------------------------------------------------
>>>>> DISCUSS:
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> Hi,
>>>>>
>>>>> One issue that I think we should should discuss and resolve (sorry for
>> the
>>>> late
>>>>> discuss ballot):
>>>>>
>>>>> In section 4, it states:
>>>>>
>>>>>     "status":  Include only if a class or type registration has been
>>>>>        deprecated or obsoleted.  In both cases, use the value "obsolete"
>>>>>        as the argument of the "status" statement.
>>>>>
>>>>> I know that we have had some previous discussion on this on Netmod,
>> but,
>>>> if
>>>>> draft-ietf-netmod-yang-module-versioning-02 gets standardized then it
>> will
>>>>> effectively evolve YANG's "status deprecated" into "must implement or
>>>>> explicitly deviate" and YANG's "status obsolete" into "must not
>> implement".
>>>> It
>>>>> wasn't clear to me that marking one of these fields as being deprecated
>> in
>>>> an
>>>>> IANA registry would mean that existing implementations must stop
>> using it
>>>> if
>>>>> they migrate to a new version of the generated YANG module.  Hence, I
>>>> think
>>>>> that at this stage, it may be safer to map IANA "deprecated" into YANG's
>>>>> "status deprecated"?
>>>>>
>>>>
>>>> Yes, this was discussed repeatedly in NETMOD and DNSOP WGs. I think
>> we
>>>> currently have to use RFC 7950 for the status definitions, and so in YANG
>>>>
>>>>     o  "deprecated" indicates an obsolete definition, but it permits
>>>>        new/continued implementation in order to foster interoperability
>>>>        with older/existing implementations.
>>>>
>>>> This is incompatible with the meaning of "deprecated" in IANA
>>>> registries, which is per RFC 8126: "use is not recommended".
>>>
>>> I don't think that there is a perfect answer here, and I think that for the
>>> moment we are looking for the least bad option.
>>>
>>> The YANG and IANA definitions of deprecated are obviously different,
>>> but it isn't clear to me how different they actual are from those definitions.
>>>
>>> E.g., in neither case do they indicate why they are going away (e.g.,
>>> because they are no longer used, or there is a better way, or there is a
>>> security issue).
>>>
>>> I would also argue that "use is not recommended" applies to the YANG
>>> "deprecated" as well, and generally matches what I understand what
>> deprecated means.
>>
>> One strong case that was mentioned in DNSOP discussions was a
>> compromised crypto algorithm. It will be marked as deprecated in IANA
>> registries, and it is highly undesirable to "foster interoperability" by using it.
>>
>> In fact, this I-D started with mapping IANA deprecated/obsolete to the same
>> term in YANG (which is what RFC 7224 does), but we were forced to change it
>> due to the above objection.
>>
>>>
>>> But ultimately there are two choices here:
>>>
>>> (1) Map both IANA deprecated and obsolete to YANG obsolete as your
>> draft
>>> proposes.  If the text in draft-ietf-netmod-yang-module-versioning-02 gets
>>> standardized then this means that there will be no way to indicate a DNS
>>> class type that shouldn't be used anymore and is going away.  Either it is
>>> "current" and can/should be implemented, or it is "obsolete" and it cannot
>> be
>>> used once the server pulls in the new revision of the types YANG file.  I.e.,
>>> there isn't even a mechanism to deviate it to indicate that it is still
>> supported,
>>> there is no possible transition window.
>>
>> Maybe the RFC can then be updated to reflect this evolution? In our view,
>> mapping both terms to "obsolete" in YANG is currently the safest option.
>>
>>>
>>> (2) Map IANA deprecated -> YANG deprecated.  IANA obsolete -> YANG
>>> obsolete.  With vanilla RFC 7950, the server may or may not
>>> implement the deprecated value, and it can use a deviation to be
>>> explicit.  If draft-ietf-netmod-yang-module-versioning-02 gets
>>> standardized: The server is expected to implement it or use a
>>
>> You probably mean "The server is expected NOT to implement it or ...",
>> right?
>>
>>> deviation.  I.e., there is still a mechanism to allow a server to
>>> implement if they need to, but equally they can also choose not to
>>> implement it.
>>>
>>> I'm still of the opinion that (2) is the least bad option out of the two above.
>>
>> Our YANG module probably doesn't have anything as critical as crypto
>> algorithms, so it might work. I am a bit worried about the reaction of DNSOP
>> WG though: it will open another round of discussion, and some people might
>> fiercely oppose this change. This seemingly simple I-D was started already
>> almost 3 years ago. :-/
>>
>>>
>>> A third possibility, a variant of (2), would be to map IANA deprecated to
>> YANG
>>> deprecated, but also update the type description to indicate that "Per the
>>> IANA [XXX] definition of 'deprecated', use is not recommended.  New
>>> implementation should not use it; existing implementations should phase
>>> out support for it."
>>
>> This would be possible, too, but my concern about further delays still
>> applies, so I would prefer to avoid any changes.
>>
>> Pragmatically, I don't think that a DNS CLASS or RR TYPE will ever become
>> deprecated (obsolete is OK), so it might be a non-issue anyway.
>>
>> Cheers, Lada
>>
>>>
>>>
>>>
>>>>
>>>> I agree that this discrepancy should be solved in a new version of YANG,
>>>> possibly along the lines of draft-ietf-netmod-yang-module-versioning-02,
>>>> but we can't wait for that with this draft.
>>>
>>> Agreed.  I'm not suggesting that we wait.
>>>
>>> Regards,
>>> Rob
>>>
>>>
>>>>
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>> COMMENT:
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> Hi,
>>>>>
>>>>> Thanks for this document.  I think that documenting this fields in YANG
>> is a
>>>> good thing.
>>>>>
>>>>> One minor nit:
>>>>>
>>>>> In an couple of places you have used 'analogically' but perhaps meant
>>>> 'analogously' instead?
>>>>
>>>> Yes, I will change all occurrences.
>>>>
>>>> Thanks, Lada
>>>>
>>>>>
>>>>> Thanks,
>>>>> Rob
>>>>>
>>>>>
>>>>>
>>>>
>>>> --
>>>> Ladislav Lhotka
>>>> Head, CZ.NIC Labs
>>>> PGP Key ID: 0xB8F92B08A9F76C67
>>
>> --
>> Ladislav Lhotka
>> Head, CZ.NIC Labs
>> PGP Key ID: 0xB8F92B08A9F76C67
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>