Re: [DNSOP] call for adoption: draft-vandergaast-dnsop-edns-client-subnet
"Livingood, Jason" <Jason_Livingood@cable.comcast.com> Fri, 13 February 2015 01:09 UTC
Return-Path: <Jason_Livingood@cable.comcast.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF8971A026C for <dnsop@ietfa.amsl.com>; Thu, 12 Feb 2015 17:09:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.125
X-Spam-Level: **
X-Spam-Status: No, score=2.125 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_MODEMCABLE=0.768, HOST_EQ_MODEMCABLE=1.368, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QvhLywtsY7rt for <dnsop@ietfa.amsl.com>; Thu, 12 Feb 2015 17:09:15 -0800 (PST)
Received: from pacdcmhout01.cable.comcast.com (PACDCMHOUT01.cable.comcast.com [68.87.31.167]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 819E31A03A3 for <dnsop@ietf.org>; Thu, 12 Feb 2015 17:09:15 -0800 (PST)
X-AuditID: 44571fa7-f79426d000004fa7-17-54dd4ebaf0d9
Received: from pacdcexhub05.cable.comcast.com (pacdcexhub05.cable.comcast.com [24.40.56.122]) by pacdcmhout01.cable.comcast.com (SMTP Gateway) with SMTP id 94.86.20391.ABE4DD45; Thu, 12 Feb 2015 20:09:14 -0500 (EST)
Received: from PACDCEXMB06.cable.comcast.com ([169.254.8.73]) by pacdcexhub05.cable.comcast.com ([fe80::3d40:bdea:7266:7f5a%18]) with mapi id 14.03.0181.006; Thu, 12 Feb 2015 20:09:14 -0500
From: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
To: Marcus Grando <marcus@sbh.eng.br>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] call for adoption: draft-vandergaast-dnsop-edns-client-subnet
Thread-Index: AQHQRymuj1mGNmy8eEWwglhHMDWhtQ==
Date: Fri, 13 Feb 2015 01:09:00 +0000
Message-ID: <D1036F10.F807B%jason_livingood@cable.comcast.com>
References: <CAEyu5L8HnazCEgLR34U9MbgHky3N-QDqhVy59HU0Z3BKpbbqsg@mail.gmail.com>
In-Reply-To: <CAEyu5L8HnazCEgLR34U9MbgHky3N-QDqhVy59HU0Z3BKpbbqsg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.7.141117
x-originating-ip: [24.40.1.149]
Content-Type: multipart/alternative; boundary="_000_D1036F10F807Bjasonlivingoodcablecomcastcom_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrKIsWRmVeSWpSXmKPExsUioWFRpbvL726IQfMnJYu7by6zWPx508ri wOSxZMlPJo8jB3qZApiiuGxSUnMyy1KL9O0SuDLWrG1hKThrVfH2zxH2BsYHBl2MnBwSAiYS syY9ZYewxSQu3FvP1sXIxSEkcJNR4vD9NkYI5yCjRM/ufjaQKjYBG4np244yg9giAh4Sz/8e A+sWFgiROP36CVADB1A8VOLDsRSIEj2Jg9sPgbWyCKhKTO2YDWbzCthJXN7xC8wWEgiQWDPz DROIzSkQKPGj4yUjiM0IdND3U2vA4swC4hK3nsxngjhUQGLJnvPMELaoxMvH/1hBbFGgXSuv N7FBxOUlpj/rhOpNkng4+SQzxF5BiZMzn7BMYBSdhWTsLCRls5CUQcR1JBbs/sQGYWtLLFv4 mhnGPnPgMVSvg8Smf09YkdUsYORYxShXkJickpybkV9aYmCol5yYlJOql5yfm5xYXAKiNzEC I9MlXH75DsZ7L5wOMQpwMCrx8Jbb3Q0RYk0sK67MPcQowcGsJMK7BSTEm5JYWZValB9fVJqT WnyIUZqDRUmc96rJjhAhgfTEktTs1NSC1CKYLBMHp1QDY8cL8Q0Wosdm7tnpHSVq/Pv0bhOF 6n0ev1+bbNh3P7VLTVp9xvkvR7utd7Ub/iu4wG7kX7taOlNlie+DiI49xxZUd/HYJa0Qa1oX cfDO7lsBgiXqoo+6bsb+vNxwRzun1HByjK9mHcN7nRen3l5cNS289U2pw6cp52u29LNu6Jrc k9Ac+mCChRJLcUaioRZzUXEiAEG6xhfIAgAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/TxWFPaaE7OBChawZrFgv8Kl5154>
Subject: Re: [DNSOP] call for adoption: draft-vandergaast-dnsop-edns-client-subnet
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Feb 2015 01:09:18 -0000
Fair point. IMO whitelisting is a common tactic used early on in deployment of new stuff to help manage deployment risk. It was also used in early IPv6 days where query access to AAAA RRs was whitelisted (see http://tools.ietf.org/html/rfc6589). I suspect it would be similar here; that the need for and use of whitelisting fades as deployment levels increase. - Jason On 2/13/15, 12:44 AM, "Marcus Grando" <marcus@sbh.eng.br<mailto:marcus@sbh.eng.br>> wrote: The question about whitelist is the problem. I think it need to be addressed on this doc. There's some approaches, like Google does, doing low rate ECS query: https://groups.google.com/forum/#!topic/public-dns-announce/67oxFjSLeUM Or something not so traditional like TXT record on domain record or hostname based like "ns1.ECS.domain.tld". It's not an clean way, but can optimize latency and can address problems like keep approved domains in memory or save on disk. It's almost impossible to authoritative guys, guess each one resolver that support ECS. It's need to be automatically. The other side of this problem is about resources of DNS resolver. If more domains enable ECS, it can increase exponentially memory usage keeping approved list and cache itself. With this, the minimum netmask will be extremly important. I don't know if it's a good idea fix the limit of how many different answers one authoritative can emit. This can be a problem. It's clear for everyone that it's much more easier to implement this on authoritative side than resolver side, so it need to be clear and easy for both sides. Best regards On 12Feb15, George Michaelson allegedly wrote: > > we've got two agencies who do DNS, and probably have > 20% worldwide > eyeball share in DNS (I don't know, thats a guesstimate) now doing > edns0_client_subnet albiet with whitelist, so its a permit-list, but its > functionally 'there' Whitelists are my biggest bugbear actually. All my other comments are nice-to-haves. I hear that Google now adaptively whitelist which is a nice strategy but I'd really like to see the whitelist approach deprecated as much as possible. (And yes, I understand MarkA's stats that show some small percentage of auth queries will break). I've been in other conversations lately where it was all about how do we get "pick some larger resolver" to whitelist us? We all know that doesn't scale. So interest appears to be growing. > Its probably already more widely deployed than IPv6... On the auth side I think you're right. It's the client side that's the missing link. But this is a classic alignment-of-interest problem. The relatively small number of auths who care implement, but there is little incentive on the resolver side. Mark. -- Marcus Grando
- [DNSOP] call for adoption: draft-vandergaast-dnso… Suzanne Woolf
- Re: [DNSOP] call for adoption: draft-vandergaast-… Warren Kumari
- Re: [DNSOP] call for adoption: draft-vandergaast-… Paul Hoffman
- Re: [DNSOP] call for adoption: draft-vandergaast-… Paul Ebersman
- Re: [DNSOP] call for adoption: draft-vandergaast-… David C Lawrence
- Re: [DNSOP] call for adoption: draft-vandergaast-… Paul Wouters
- Re: [DNSOP] call for adoption: draft-vandergaast-… Allison Mankin
- Re: [DNSOP] call for adoption: draft-vandergaast-… Suzanne Woolf
- Re: [DNSOP] call for adoption: draft-vandergaast-… Warren Kumari
- Re: [DNSOP] call for adoption: draft-vandergaast-… Mark Delany
- Re: [DNSOP] call for adoption: draft-vandergaast-… Mark Delany
- Re: [DNSOP] call for adoption: draft-vandergaast-… George Michaelson
- Re: [DNSOP] call for adoption: draft-vandergaast-… Mark Delany
- Re: [DNSOP] call for adoption: draft-vandergaast-… Marcus Grando
- Re: [DNSOP] call for adoption: draft-vandergaast-… Livingood, Jason
- Re: [DNSOP] call for adoption: draft-vandergaast-… Livingood, Jason
- Re: [DNSOP] call for adoption: draft-vandergaast-… Livingood, Jason
- Re: [DNSOP] call for adoption: draft-vandergaast-… jewforice .
- Re: [DNSOP] call for adoption: draft-vandergaast-… Peter DeVries
- Re: [DNSOP] call for adoption: draft-vandergaast-… Marcus Grando
- Re: [DNSOP] call for adoption: draft-vandergaast-… Livingood, Jason
- Re: [DNSOP] call for adoption: draft-vandergaast-… Suzanne Woolf
- Re: [DNSOP] call for adoption: draft-vandergaast-… Paul Hoffman
- Re: [DNSOP] call for adoption: draft-vandergaast-… Mark Delany
- Re: [DNSOP] call for adoption: draft-vandergaast-… Warren Kumari