Re: [DNSOP] some 2015-era thoughts about RFC 7706 -bis
Brian Dickson <brian.peter.dickson@gmail.com> Wed, 24 July 2019 00:55 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 120071209B0 for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 17:55:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o-v79BF7RrCB for <dnsop@ietfa.amsl.com>; Tue, 23 Jul 2019 17:55:02 -0700 (PDT)
Received: from mail-vk1-xa35.google.com (mail-vk1-xa35.google.com [IPv6:2607:f8b0:4864:20::a35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11E75120297 for <dnsop@ietf.org>; Tue, 23 Jul 2019 17:55:02 -0700 (PDT)
Received: by mail-vk1-xa35.google.com with SMTP id m17so9100979vkl.2 for <dnsop@ietf.org>; Tue, 23 Jul 2019 17:55:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6S+XySOXo06hi5sbJqzMYUr4WITdJubZ5tOq92KXEkg=; b=fM35PHXPGPgXccbQPV9pH5xOMgcXVRPo1ASlVhGPwIgcrLSiGXLjAo8vSeOGXXBLYv hrse4DCp+cmAG92soE7hKr41GdxKy1odA6yZ0zwta8+Fx7X1sIHDv62jBtPB/b1y10U8 T0JikWHMoGgn/KIP9nG4SwmkKbq2oXLaMY7bq1/1Y8wdOyviDX7theVCKTzxEvNeiowc 2UrEFZd7h5/wbO7ND2ub7AVwu0hTv7GxTneGDh0FJe73KvweL9Nl5xAQWGg0XSovb9Mz RXEfAbp4MvbwI+RhsrD66y0ZKnGAjZk1JnZL9OFUrhL+k/ATr1UPoUSKZer1ht+7XChr duwQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6S+XySOXo06hi5sbJqzMYUr4WITdJubZ5tOq92KXEkg=; b=a/OZRTwreedT5HzTOM5kIV9CcmddfLBPqKW7XG9Aa7qOb8kUyoPSfBtuWl6oiZ2rir //ZAlej+6SPCb6p+m7tw0/GMA0BrGNnzTKl39O6Nt/qyyqcnUZhvycrmj8yDJXmUD3yA A4tjo66qH78BIxaUjrUfi0LwJmsETvsOxVNGJ3X2ci/kDc3CCaoBtK3IdWJGC46YkBrs rZH3Ow84CdPocSNhJO48hwSlecYSbDX6sz2t+fKY6gsRvcHgzwrkeCykUbK+qFbD4mDH 9ydOpZgWhOmJZfYq1vJEly/3xQhcx3z6iAwtA/0BXnYVnLYybLGDVKqurv3hCRPFw3px 4tDQ==
X-Gm-Message-State: APjAAAW90O9cqWPkdwmI4veHvxuD+QNjlwDuXEsH+7wxMaORJICYjDWF vAm7H+W24CELjp2i8v+vkzrV3HPV3qLoadXlVaY=
X-Google-Smtp-Source: APXvYqyw/1NndyCMpvCBRW9+ouJkYshzpjtkpC9xwQiNKx/7qkw7LYYY5zKzokjqDi7yXMBJ6PG+6I6920O1o3YPUjE=
X-Received: by 2002:a1f:6e8e:: with SMTP id j136mr31750862vkc.80.1563929700827; Tue, 23 Jul 2019 17:55:00 -0700 (PDT)
MIME-Version: 1.0
References: <3673081.H4C9ml97Qf@linux-9daj>
In-Reply-To: <3673081.H4C9ml97Qf@linux-9daj>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 23 Jul 2019 20:54:49 -0400
Message-ID: <CAH1iCipdGOH_UTaBnz_ozEGcbdf9pFD6GicYsw=A1ePhd8pEOQ@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000458673058e62c2ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SPrzFe64X2Y1H3J88A1qIGkFDPQ>
Subject: Re: [DNSOP] some 2015-era thoughts about RFC 7706 -bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 00:55:05 -0000
Small couple of comments in a top-reply...
I think the concept of having the root zone integrated into the RDNS is
something that Paul correctly indicates as something RDNS practices have
moved away from.
I happen to agree that doing so is a mistake, with particular reasoning:
- When integrated into the RDNS servers' db/cache and loaded at start time,
the {potential,likely,known} effect is to short-circuit DNSSEC validation,
as well as TTLs.
- OTOH, having a root zone served on one or more of the original anycast IP
(v4 and/or v6) addresses, which is on the same host (reachable by a
loopback address) or very close by, avoids those issues (and avoids needing
to change RDNS implementations)
With a small amount of operator work, it should be feasible to have on-host
or very-close-by root anycast instance(s) available and preferred (by e.g.
routing, such as BGP) IFF the "local" instance is conditionally announced
by the host/server using suitable software (e.g. quagga). The advantage of
such a set-up is that if it is done right, an unavailable local instance
will result in fall-back to a "real" anycast instance. It is important, of
course, to not export the announcement beyond the "local" scope, at least
not without the permission and cooperation of the operator of the specific
anycast address.
In addition, I think it would be helpful/advisable to augment the current
7706 with some export of statistics in a way that is compatible with the
operator of the particular root operator's own statistics gathering, so
this information is not lost, but merely gathered differently than would be
the case without the local instance. (Anonymizing the data etc. if
required/desired.)
By feeding the data to the root operators, it would potentially be feasible
for said operator to include it in DITL data sets.
Brian
On Tue, Jul 23, 2019 at 6:19 PM Paul Vixie <paul@redbarn.org> wrote:
> at the one-hour DNSOP meeting in montreal on monday evening, the authors
> of
> RFC 7706 described some of the use case questions they were hoping to
> answer
> in their -bis document, and one of them hit squarely on a topic i spoke
> about
> frequently between 2005 and 2015. i've attached a copy of the 2015
> proposal,
> which was reviewed by warren kumari and then presented in a non-IETF
> meeting
> on these topics, organized by warren and i, in hong kong.
>
> i was opposed to RFC 7706 as written, but there is no permanent record of
> my
> reasoning since RFC documents don't include a "dissenting views" section,
> so
> let me briefly recapitulate here.
>
> first, all complexity comes at a cost. the new code and configuration
> needed
> to support "mirror zones" will be a life long source of bugs and
> vulnerabilities, because that's true of every new feature. the desired
> benefit
> should be weighed against this cost. "by running one on the loopback"
> fails
> this important test, mostly because it only applies to the root zone.
>
> second, RDNS name servers who wanted to support this feature, which all
> must,
> due to the competitive nature of the open source infrastructure community,
> have to add features very much like authority DNS. we have been moving
> away
> from the so-called "hybrid server" model for three decades now, and this
> was a
> move in precisely the wrong direction.
>
> third, access patterns of root zone data are an important input to
> internet
> governance, and the 7706 proposal included no recommendations by which
> access
> patterns could still be globally shared in any way -- and for reasons of
> scale, they will not be participating in Day In The Life exercises.
>
> in summary, RFC 7706 solves the wrong problem, in the wrong way, with an
> inverted cost:benefit model compared to similar conceptions with similar
> implementation costs.
>
> those who hang around where i do have heard me explain that what DNS needs
> is
> a lease model for all metadata, with secure revocation. any delegation
> data
> including NS, glue, and DNSSEC chains, must be held by an RDNS until it
> changes, and every authority must be able to signal such changes. you can
> think of this as like a micro-secondary server at the RRset level, plus
> NOTIFY. no network partition should keep an RDNS from returning all
> information which is still available ("on this side of the partition")
> needed
> to reach services and assets which are still available ("on this side of
> the
> partition"), and DNS got that wrong by externalizing dependencies.
>
> however, that is not the subject of the attached 2015-era "hong kong"
> proposal. at DNSOP monday night, a use case that was mentioned for
> 7706-bis is
> where the local copy of the root zone not be necessarily co-served by an
> RDNS.
> that is a much smaller problem than "leasing for all metadata in case of a
> network partition", and is squarely addressed by the modest proposal below.
>
> one world, one internet, one namespace.
>
> --
> Paul_______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
- [DNSOP] some 2015-era thoughts about RFC 7706 -bis Paul Vixie
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Brian Dickson
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Tony Finch
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Evan Hunt
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Paul Vixie
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Vladimír Čunát
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Shumon Huque
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Evan Hunt