Re: [DNSOP] new Resource record?

"Patrik Fältström " <paf@frobbit.se> Thu, 10 December 2015 08:46 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA48A1A870A for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2015 00:46:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.961
X-Spam-Level:
X-Spam-Status: No, score=-1.961 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gkYq8PAnHFkw for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2015 00:46:46 -0800 (PST)
Received: from mail.frobbit.se (mail.frobbit.se [85.30.129.185]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6482E1A86FB for <DNSOP@ietf.org>; Thu, 10 Dec 2015 00:46:46 -0800 (PST)
Received: from [77.72.227.183] (dyn-fg142.sth.netnod.se [77.72.226.142]) by mail.frobbit.se (Postfix) with ESMTPSA id 65271204E4; Thu, 10 Dec 2015 09:46:44 +0100 (CET)
From: Patrik Fältström <paf@frobbit.se>
To: Hosnieh Rafiee <ietf@rozanak.com>
Date: Thu, 10 Dec 2015 09:46:43 +0100
Message-ID: <4CB3C15F-9FC8-43C6-A975-72D550E6253A@frobbit.se>
In-Reply-To: <005a01d132bf$b8d31a80$2a794f80$@rozanak.com>
References: <005a01d132bf$b8d31a80$2a794f80$@rozanak.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_79CBEDE3-41B1-4DD4-8644-FD94EEF8E05B_="; micalg="pgp-sha1"; protocol="application/pgp-signature"
X-Mailer: MailMate (1.9.3r5187)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/VpA0ZhsZtODznAEg0bcQTbh94kc>
Cc: DNSOP@ietf.org
Subject: Re: [DNSOP] new Resource record?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 08:46:48 -0000

On 9 Dec 2015, at 21:25, Hosnieh Rafiee wrote:

> I would like to suggest the following format (this is the rough version and it is not exact but only giving you an idea that what is the purpose) for a new resource record to store the reference information of bounding of authentication and authorization where authentication can be based on public keys or certificates.
> This means each reference no represents an actual policy template in other security system or other services. This means if a certificates bound to more than one references, then more than one of this section is added to RDATA section of the DNS query. This also should be updatable by the DDNS protocol.
> BTW, I skipped the header and other parts of RR and this part is only the RDATA section.
>
> -----------------------
> |flag| reference no   |
> -----------------------
> | some human readable |
> |       text          |
> -----------------------
>
> The processes are also simple, when a node query the certificates, DNS server also includes this RR if it exists on the DNS server so that when the querier retrieves this information, it can query other services for the given value to authorize the other host on the network.

A few things:

1. Do not use TXT RR. We have already too much use of TXT, and you should define a new RRType

2. There are multiple reasons why you should not use TXT record or even the structure of the TXT RR, most notably the length of the "some human readable text" portion. I suggest you have, just like in the URI RRType, the length of the "some human readable text" be set by the length of the RR as a whole minus the flag, reference no, header etc. That way the length can be longer than what you otherwise can (in a TXT for example). You also do not end up having trouble defining how to handle multiple strings in the RR, like you have if you try to stuff things into a TXT.

3. Think about (as you did in a later message) the owner as well as the RData. The right prefix might be key to the usage pattern.

   Patrik