Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from 神明達哉
神明達哉 <jinmei@wide.ad.jp> Tue, 01 August 2017 18:53 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0989F1322AF for <dnsop@ietfa.amsl.com>; Tue, 1 Aug 2017 11:53:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NKYitai43Wr0 for <dnsop@ietfa.amsl.com>; Tue, 1 Aug 2017 11:53:34 -0700 (PDT)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 821B81322A1 for <dnsop@ietf.org>; Tue, 1 Aug 2017 11:53:34 -0700 (PDT)
Received: by mail-qk0-x236.google.com with SMTP id x191so14458929qka.5 for <dnsop@ietf.org>; Tue, 01 Aug 2017 11:53:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=3+CPQr56zyyMKLAUAUhQO/OIFTbBAe2WrsNf2qT2imA=; b=J08uPlFE22wCnUz728Z4QNktygnJuuHiBg1ub2smZC21RuJG7YYJ5pWI+5jpk0nTwU Pcv6l9E3UO0htSw2YAu4dFSJsmsB4z/QztI0KZJUX6jBWvIoe++1UnrKt17xK94Z3sz3 iN2sSD573zqWJkhLA+TcT51wB2vVOq9dEzl1zP1Uuu0+aQnD8hcsnbcwhZmoQcXqf1n0 bw6dtRKehgUXerp6uT0jA+Z4K9+2R4aEoY5HujhCWlOdAdu0hFoqtkzQ1aMh1ddwA30c jUM1UB4JM6dF/kslS7fbSOF29zX52OI3BeAMeUZyvRMRwRzuXnkcNXONBUNwV1ZKk1Uc qxnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=3+CPQr56zyyMKLAUAUhQO/OIFTbBAe2WrsNf2qT2imA=; b=k83svOX8kUZsmcMHzReYiJhZFSg5yjPDx/n2ltQglCfGqSMy1x89wIegRndcnqHrWt QQ9zrUz+bkLhCC1zOA+k1vSe9ZRFvXAYWzG3mW0q2hi5JVL5YFf16n+ua8B1ZcAurTMy jdhxAhQJog0ZMPzL/uDrT5zjRiXs9anMhSS5pDNJoQdm92bY642fm7ValZSEuvOx5GCf +6B4CS99Y9pBS+fL2+6iAnAGDE36CNdzff391bzXiLD+ZkUIhxJ3XWG/zCK7ESwVIcjd qQJ7uzeD4yllpwxvg2R01HHYpE7wP2ffekSGZcgmbBLhXBQoEG0Xuhd4UUqwYXGHt5Ae evjw==
X-Gm-Message-State: AIVw1125ZSe14AWmGnka6u3ZDm5kXEz+mVcUvX9193H0dcghpQV2Mt9D nqcWx3F2Szky1K6FE/TGNwlcnO2QDw==
X-Received: by 10.55.40.194 with SMTP id o63mr25325284qko.310.1501613613393; Tue, 01 Aug 2017 11:53:33 -0700 (PDT)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.60.60 with HTTP; Tue, 1 Aug 2017 11:53:33 -0700 (PDT)
In-Reply-To: <08EEC562-8BD2-4485-9D7D-73665CF94EC5@hopcount.ca>
References: <08EEC562-8BD2-4485-9D7D-73665CF94EC5@hopcount.ca>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Tue, 01 Aug 2017 11:53:33 -0700
X-Google-Sender-Auth: S-rnxWPuCsvRrAAdp3DSPFts49g
Message-ID: <CAJE_bqc1pQWfa-E68Vquou9RJRTaGGwerNNDrKF=TuxvPSkhTA@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Vnvn1hesC8Zgicw81p1v_uXRhmw>
Subject: Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from 神明達哉
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Aug 2017 18:53:37 -0000
Hi, sorry for the delayed response. At Tue, 25 Jul 2017 16:53:12 -0400, Joe Abley <jabley@hopcount.ca> wrote: > https://mailarchive.ietf.org/arch/msg/dnsop/zy86pvg139PaKFXo-BO6SPUfh3k > > > I've reviewed the 04 version. I still do not think it's ready to move > > forward as it still abuses HINFO. I understand some other people > > don't care about this point, and some others may even love the idea > > (those who are using it right now). But I've also seen yet some other > > people have the same concern, so it shouldn't be only me. I don't > > think we have a clear consensus on this point yet. > > The draft at present doesn't require an implementer to abuse HINFO; > it provides options to avoid doing so whilst still meeting the > described objectives of the proposal. Since abusing HINFO is not > mandatory, I presume you are objecting to the proposal sanctioning > such shenanigans at all. (If I understand the subtle nuance of this text:-) I think your understanding is correct. > > If I have that right (please correct me if I'm wrong) I don't think > I am the right person to make the call, being just a lowly document > scribe. If this remains a concern for you, I suggest that we defer > that question to our chairs and ask them to gauge consensus. My own Agreed - I think we have to agree to disagree here and I think neither of us can convince the other. It should better be left to the wg decision. > personal views of pragmatism vs. elegance shouldn't enter into it; > this is a working group document. > > To be hopefully a bit more productive, I have a specific counter > > proposal: remove the mandatory text about the use of HINFO, e.g., > > > > - remove this bullet from section 4 > > 2. A DNS responder can return a synthesised HINFO resource record. > > See Section 6 for discussion of the use of HINFO. > > - remove ', in which case...' from Section 4.2 > > If there is no CNAME present at the owner name matching the QNAME, > > the resource record returned in the response MAY instead be > > synthesised, in which case a single HINFO resource record SHOULD be > > returned. > > > > In fact, in terms of externally observable behavior, synthesizing > > HINFO is just one form of "selecting one RRset of the QNAME"; the > > HINFO is added and immediately removed at the time of answering the > > ANY query, so in that sense we don't have to bother to mention it with > > normative keywords. > > This text suggests that my interpretation above is wrong, and what > you are objecting to is just the way that the HINFO approach is > described. I think the specification is more clear if we spell out > the whole synth-HINFO approach in its entirety and don't try to > subsume it into the "return a subset of { RRSets that there } u { > RRSets that we just synthesised }". (As I said above) I believe you interpreted my objection correctly. This suggestion was an attempt of compromise, assuming people already (ab)using HINFO want to continue their practice. [...] > I am not sure I understand the benefit of not including it, given > that it is observable behaviour for a large number of domains today > (even if that is so due to the volume of domains hosted at a single > operator). I think we do better service to operators and > implementors by describing what is implemented. As you point out, > Cloudflare's implementation may be less general-purpose than BIND9 > or NSD, and that might be a reason for the implementation choices to > be different. Cloudflare is unlikely to be the last non-general > implementation, however, so perhaps the mechanism most appropriate > there will be relevant to others. I agree that being silent for existing deployment may not be ideal. If we (wg) can reach a consensus that the HINFO-based approach is an abuse, however, we can think of other way to address it. For example, we could mention it and clarify that it should be considered an abuse, should be discouraged, and newer implementations should use other approaches. My suggestion was just based on the anticipation that we can probably not reach this kind of consensus (especially about the discouragement). > > I've also noticed a couple of other points I raised in my previous > > review ( > > https://www.ietf.org/mail-archive/web/dnsop/current/msg18746.html > > ) > > were not yet addressed. These are (section numbers are for 03): > > > > - Section 3 > > > > 1. A DNS responder can choose to select one or subset of RRSets at > > the QNAME. > > > > 'one or subset of RRSets' sounds a bit awkward to me > > I agree. Perhaps "One or more of the RRSets at a QNAME". "... or a subset" seems wrong, actually; since some vestigial fragment of a set theory lecture in the depths of my pre-history is telling me that the empty set is always a valid subset. > > > - Section 4 > > > > A DNS responder which receives an ANY query MAY decline to provide a > > conventional response, or MAY instead send a response with a single > > RRSet in the answer section. > > > > "a single RRSet" doesn't seem to be fully consistent of "one or > > subset of RRSets" stated in the preceding section (see the previous > > bullet). > > Agreed. That should be made consistent. Regarding these two, we've already discussed this on ML and I thought we had some consensus. I'd suggest you to look into the archive. -- JINMEI, Tatuya