Re: [DNSOP] discussion for draft-woodworth-bulk-rr-00.txt

["Woodworth, John R" <John.Woodworth@CenturyLink.com>]

See inline comments:

> -----Original Message-----
> From: Edward Lewis [mailto:edward.lewis@icann.org]
> Subject: Re: [DNSOP] discussion for draft-woodworth-bulk-rr-00.txt
>
> Process wise, you should seek to have this on the experimental track.  It
> has potential but is far from a sure thing.


Edward, Thank you very much for your time.  I will need to research more in
regard to the experimental track, thank you.  Any more advice you could
offer here would be great.


>
> The idea of being able to send formulas for generating responses,
> particularly for address records, reverse map and CNAME is a latent need
> in the DNS hosting industry.  These types are special in that way, so it's
> no surprise they are singled out.
>
> I'll admit that I read and scanned portions to get an idea of what is
> discussed.  I do like that you have the section 7.1, addressing DNSSEC.
>
> One "red flag" to me is the idea of hidden wildcards.  One of the design
> principles of DNSSEC is that it exposes the "thinking" process of the
> server to the requestor.  That alone isn't a dead end - hidden records and
> on-the-fly signing would "work" (but as you note not all name server
> implementations have the ability to sign on-the-fly).


Good point.  Our reasoning behind this was to avoid undue discrimination.
Many providers, especially in the context of "anti-spam" make seemingly
arbitrary decisions to block or disable huge batches of addresses based
on coin-toss accuracy.  I've personally seen the simple changing of "dyn"
to "static" in a hostname make all the difference and wanted to entirely
avoid this set of circumstances where possible.  By hiding the fact the
records are part of a pattern (i.e. hiding a "BULK" RR request with the
same owner) the generated records are no longer susceptible to this form
of discrimination.  Since one of our primary motivations was in essence to
provide $GENERATES which could AXFR there is a zero externally-identifiable
change to $GENERATEd records (i.e. no change to operational support).

This, of course, is negated where pre-signed DNSSEC records are used and
supplemental "NPN" records are required.  In this case, hiding the wildcards
would prove moot for this purpose.  However, the NPN record provides a
level of transparency for DNSSEC's "thinking" process while also offering
some additional protection against would-be attackers probing DNS for a
zone's internal organizational structure a la NSEC.


>
> Cutting to the chase, there are various elements here that could work
> together.  But also combinations that wouldn't work so well.  Simply put,
> this is complicated.  For reasons I'll not include here, complicating the
> protocol isn't leading in the right direction.


Before continuing let me state your opinion is greatly respected and
appreciated and my enthusiasm should not be taken as disrespect toward you
or your comments in any way.

While I wholeheartedly agree this adds a fair amount of complexity to the
authoritative side of the equation, disregarding DNSSEC the burden on the
recursive side is unaffected.  Where DNSSEC is required and on-the-fly is
available, the recursive side is just as unaffected.  Where DNSSEC is
required and on-the-fly is unavailable, we feel this complication is
unavoidable.

When placed into a similar context as DNSSEC and the complexity of
recursively chained cryptographic validation the added complexity supporting
these records would add is relatively trivial.


>
> I do get the desire for this.  I also would like to see someway to augment
> response synthesis (beyond wildcards).  Perhaps a scaled down version
> would be more manageable (like removing the hidden records and answering
> with the signed formula plus unsigned result - just as for DNAME).


Definitely worth a discussion should we get the opportunity.  I had no
expectation of a first draft making it through the process intact.
Thanks again for your prompt response and invaluable insight.


Best regards,
John


>
> On 11/2/15, 5:50, "DNSOP on behalf of Woodworth, John R"
> <dnsop-bounces@ietf.org on behalf of John.Woodworth@CenturyLink.com> wrote:
>
> >All,
> >
> >Apologies for any procedural missteps as I am new to the group but am
> >trainable.
> >
> >I am looking to get some traction on a recent I-D my group is working on
> >and
> >am looking for advice along the way.
> >
> >We are confident this draft can play a significant role in the future of
> >DNS
> >especially as it relates to IPv6.  While there are many problems we are
> >attempting to address with this draft, we believe the biggest among them
> >are related to IPv6 and the scarcity of IPv4 address space.
> >
> >If, by contacting this mailing list, we are heading down the wrong path
> >we are
> >particularly fond of any advice to move this forward as we see the need
> >for it
> >becoming more and more important as the adoption of IPv6 increases.
> >
> >
> >The draft announcement is here:
> >
> >> -----Original Message-----
> >> Subject: New Version Notification for draft-woodworth-bulk-rr-00.txt
> >>
> >>
> >> A new version of I-D, draft-woodworth-bulk-rr-00.txt has been
> >>successfully
> >> submitted by John Woodworth and posted to the IETF repository.
> >>
> >> Name:         draft-woodworth-bulk-rr
> >> Revision:     00
> >> Title:                BULK DNS Resource Records
> >> Document date:        2015-06-30
> >> Group:                Individual Submission
> >> Pages:                28
> >> URL:
> >>https://www.ietf.org/internet-drafts/draft-woodworth-bulk-rr-00.txt
> >> Status:
> >>https://datatracker.ietf.org/doc/draft-woodworth-bulk-rr/
> >> Htmlized:       https://tools.ietf.org/html/draft-woodworth-bulk-rr-00
> >>
> >>
> >> Abstract:
> >>    The BULK DNS resource record type defines a method of pattern based
> >>    creation of DNS resource records to be used in place of NXDOMAIN
> >>    errors which would normally be returned.  These records are currently
> >>    restricted to registered DNS resource record types A, AAAA, PTR and
> >>    CNAME.  The key benefit of the BULK resource record type is the
> >>    simplification of maintaining "generic" record assignments which
> >>    would otherwise be too many to manage or require scripts or
> >>    proprietary methods as bind's $GENERATE.
> >>
> >
> >
> >Thanks and best regards,
> >John
> >This communication is the property of CenturyLink and may contain
> >confidential or privileged information. Unauthorized use of this
> >communication is strictly prohibited and may be unlawful. If you have
> >received this communication in error, please immediately notify the
> >sender by reply e-mail and destroy all copies of the communication and
> >any attachments.
> >_______________________________________________
> >DNSOP mailing list
> >DNSOP@ietf.org
> >https://www.ietf.org/mailman/listinfo/dnsop
>
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.