IETF Logo Mail Archive

Re: [DNSOP] Prefixed name spaces and DANE client TLSA

Shumon Huque <shuque@gmail.com> Wed, 13 January 2016 14:30 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78FB31B2E21 for <dnsop@ietfa.amsl.com>; Wed, 13 Jan 2016 06:30:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q__gmkPvDy3X for <dnsop@ietfa.amsl.com>; Wed, 13 Jan 2016 06:30:02 -0800 (PST)
Received: from mail-qg0-x22b.google.com (mail-qg0-x22b.google.com [IPv6:2607:f8b0:400d:c04::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08B381B2E2E for <dnsop@ietf.org>; Wed, 13 Jan 2016 06:30:02 -0800 (PST)
Received: by mail-qg0-x22b.google.com with SMTP id b35so325182196qge.0 for <dnsop@ietf.org>; Wed, 13 Jan 2016 06:30:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=u9Ntrd+inClo24emaMtHVmYo5gUTKc8mphz8Og4zWls=; b=Ydv4MjjJqjcZq3Y4v9d7Wo6aQw8y+cm5c8fFhGQJnznSIreCZxurCA8hlC2O32x/Rg jAvfpP+dblikZSsPe7VP03T6Cj3a53WKJ3Qf5WtDMKWr073RgrhFNBN3EngqqMvAIiPW m12bt8L3VsnROSe5iU9uGzP8o6wqNgx1T4clXVVBcJmuyjet4judofFcs9EpAGY9kV6b kje5nA5Uc8Ivsv3xdMgKacVFlVGXmUtpmMwiLarqmBhC6MgkOkvuheW8JBKBfi9gko1h ynWGyr7z2LjwsX2tg3adDsmWVMN2X+Et0ousaduJ3gNK2fc4/f1i+3xDeLeE4zem33Hi 7g4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=u9Ntrd+inClo24emaMtHVmYo5gUTKc8mphz8Og4zWls=; b=H4M0CxPts58TyCvKnir2InwmYxRhgo4kdia0dOgfL7Dqd9os5BKyMxxTYfhDwyOV9z YyTVBKT2XvyOHLA6/Yjfh56KsjcVbw66AHhQ1FDPkoW7cVgljDNSp/Y33IdCZ3YFt281 B7ee9Bx9KRYOdKpUad71G3razlC0gCG8PnYmNsoWZuTVvvuNeMwqQusxkRDB7D8TUCpE dm/oATzr4KY8JLTkryYdZaUlcxn/mhXAix4Y6WAlNWJQVaZ4ecoOkzxBIOZKfG1mcQ6E AEL777pqd6cI3fnQ7oDutKDhlEvC5eb6DBN7IyH0/s/TuMDZsdys5NXS+jG3c4Nq8sfc cycw==
X-Gm-Message-State: ALoCoQkUx9DIuKOO+8ISWsiFn/K3IRItoZIjQ0T/APQ7zCnWdKAnXUFAcHY9XdakbKP+h9seUgpHTUPnDjL/Ks3xwtuHB0nh5A==
MIME-Version: 1.0
X-Received: by 10.140.201.20 with SMTP id w20mr123950590qha.10.1452695401223; Wed, 13 Jan 2016 06:30:01 -0800 (PST)
Received: by 10.140.102.9 with HTTP; Wed, 13 Jan 2016 06:30:01 -0800 (PST)
In-Reply-To: <alpine.LSU.2.00.1601131015380.8365@hermes-2.csi.cam.ac.uk>
References: <20160113055505.54822.qmail@ary.lan> <alpine.LSU.2.00.1601131015380.8365@hermes-2.csi.cam.ac.uk>
Date: Wed, 13 Jan 2016 09:30:01 -0500
Message-ID: <CAHPuVdVgjj00NE6VasxE4oMKXuqCq5WaxUXVfCKzdiZXN_hxFQ@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
To: Tony Finch <dot@dotat.at>
Content-Type: multipart/alternative; boundary="001a11433be85b5ba1052938011b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/MGABuxelpB-5UFxHxbU8O7CU8Jo>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, John Levine <johnl@taugh.com>
Subject: Re: [DNSOP] Prefixed name spaces and DANE client TLSA
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 14:30:04 -0000

On Wed, Jan 13, 2016 at 5:24 AM, Tony Finch <dot@dotat.at> wrote:

> John Levine <johnl@taugh.com> wrote:
> >
> > What's peculiar is the names.  The previous proposal was to look up a
> > TLSA at _smtp.outbound.example.com, then somone noted that _smtp is
> > for servers, so they want to look up the newly invented name
> > _smtp-client.outbound.example.com.  If you have a client for some
> > other service, you make up a name.  (Read the draft if this seems like
> > an implausible summary.)
>

Yes, folks, please read the draft and also the thread on DANE.

(And Shane - it wasn't the "first thing we though of" - in fact all
alternate
suggestions brought up in the thread had already be considered by the
authors of the draft.)


> This naming scheme is a bad idea because it looks very similar to XMPP SRV
> records but has confusingly different semantics.
>
> _xmpp-client refers to an XMPP server endpoint for use by clients.
> _xmpp-server refers to an XMPP server endpoint for use by other servers.
>

Yeah, this was discussed on DANE already, where I said the following:

    Yeah, I'm aware of that. I think the XMPP community made an
    unfortunate choice in those names  - I might have suggested
    "_xmpp-c2s" and "_xmpp-s2s" instead.

There is no established or standardized convention for client service names
in the IANA registry yet. Are we doomed to avoid "-client" just because of
the (unstandardized) precedent set by one application?

_submission refers to SMTP-like server endpoints for use by clients.
> _smtp-client is proposed to refer to SMTP client initiators.
>
> More generally this promises to clutter up the service identifier
> namespace with identifiers for clients, which are not services.
>

Yet the IANA registry seems to have a provision for registering
client service names (i.e. application specific identifiers used by
clients). So, the cluttering is already there. Perhaps there is a need
to create a separate registry.

As for cluttering up the namespace in a DNS zone and causing
collisions (John Levine's contention), I don't buy it. These application
labels
are organized underneath "client-specific" domain names - this does not
meet my definition of cluttering. All labels descending at that point
pertain
to the specific client, and usages for colliding labels are disambiguated
by the resource record type.

I like the idea of taking the server's service labels and prefixing
> them with _client.
>

Actually, that was one my original proposals outlined in -00 of the draft.
It was taken out after deliberations with my co-authors, but I do see a
rationale for it.

Here's the original draft:

    https://tools.ietf.org/html/draft-huque-dane-client-cert-00

The current draft is:

    https://tools.ietf.org/html/draft-huque-dane-client-cert-02

I am fine with reintroducing the "_client" label (and I believe Viktor is
too)
_if_ there is consensus for it. The service label then can rid itself of the
"-client" suffix, assuming IANA service registry folks do not raise
objections.
I can look into that.

The -00 draft did also contain an alternate suggestion that included
the transport label. I am far less convinced this is needed. Client
identities are not expected to be transport specific for the same
application,
so this introduces an unnecessary complication, and we should I think
be conservative in how much application semantics we encode into
domain names.

-- 
Shumon Huque

v2.43.4 | Report a Bug | By Email | System Status