Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

Ondřej Surý <ondrej@isc.org> Mon, 26 March 2018 14:45 UTC

Return-Path: <ondrej@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E0EC12420B for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 07:45:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.911
X-Spam-Level:
X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SkUAZ9JJ6wXS for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 07:45:35 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A337D12762F for <dnsop@ietf.org>; Mon, 26 Mar 2018 07:45:31 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 639DA3AB062; Mon, 26 Mar 2018 14:45:31 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 3CF2516006B; Mon, 26 Mar 2018 14:45:31 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 29CD1160066; Mon, 26 Mar 2018 14:45:31 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id oAFqUI0inYfA; Mon, 26 Mar 2018 14:45:31 +0000 (UTC)
Received: from [10.10.0.193] (40.20.broadband5.iol.cz [88.100.20.40]) by zmx1.isc.org (Postfix) with ESMTPSA id 3E861160043; Mon, 26 Mar 2018 14:45:30 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: =?utf-8?B?T25kxZllaiBTdXLDvQ==?= <ondrej@isc.org>
In-Reply-To: <552cfda4-572b-7c88-b5b8-0cda5c49e2fd@casadevall.pro>
Date: Mon, 26 Mar 2018 16:45:27 +0200
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1A73E73B-B3DC-46A9-90EC-9FFF6210E524@isc.org>
References: <002DCABB-24CE-42FA-8DA6-2A458E5F89A1@isc.org> <5AB53F8B.9070504@redbarn.org> <7CF21F70-9419-4D6A-B555-FC229F90E8A9@isc.org> <5AB546CB.3030408@redbarn.org> <CCAE4014-67F8-4E73-A893-AA06B83E880B@isc.org> <20180324124958.GA29255@puck.nether.net> <CAJhMdTPRn=mUQ6xh_HFdFLBk109b_M2+saS86KFxsttb8_oVvw@mail.gmail.com> <20180325080558.GA18671@isc.org> <066C83F5-5E1C-4DF8-8D45-A7E9F3A44673@vpnc.org> <DCE31CFA-534E-451F-B743-E022F62C7516@isc.org> <20180326124544.GA32080@isc.org> <552cfda4-572b-7c88-b5b8-0cda5c49e2fd@casadevall.pro>
To: Michael Casadevall <michael@casadevall.pro>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Wa0DmoOQzCvG3S6nCRchKjN2Srs>
Subject: Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 14:45:43 -0000

Michael,

while I generally agree with your “let’s write a I-D on how to deprecate old RR Types in general”, I would like to keep this document focused on MB, MG, MR, MINFO.

I’ll kick out WKS into a separate document, and add MAILB, MAILA, MD and MF in.

I would appreciate that in this discussion, instead of saying “RR Types” we should talk about specific RR Types we want to remove from DNS. Saying “removing RR Types” is scary. Saying “removing MB RR Type” is less scary as most people even don’t remember what it was used for.

Cheers,
--
Ondřej Surý
ondrej@isc.org

> On 26 Mar 2018, at 16:22, Michael Casadevall <michael@casadevall.pro>; wrote:
> 
> 
> 
> On 03/26/2018 08:45 AM, Evan Hunt wrote:
>> On Mon, Mar 26, 2018 at 02:09:14PM +0200, Ondřej Surý wrote:
>>> That’s one of the goals of the document - saying: “it’s ok to not
>>> implement those RR Types, and it’s ok to break if you receive them"
>> 
>> We need to state clearly what is meant by "ok to break".
>> 
> 
> I think to be more specifically, the end goal should be the ability to
> treat obsolete record types as RFC 3597 and remove special casing for
> them. That way, new resolvers simply have to implement 3597 and not
> worry about associated edge cases with the obsolete types.
> 
>> I described my preferred approach as an implementer upthread. Let me
>> state it again more formally and let people knock it down:
>> 
>> 0. types will be flagged as obsolete/deprecated in the IANA registry,
>>   and the following guidance is given to DNS implementors in the handling
>>   of obsolete/deprecated RR types:
>> 
>> 1. auth servers SHOULD log a warning when loading zones that contain
>>   obsolete/deprecated rrtypes.
>> 
>> 2. responders SHOULD NOT compress rdata when rendering obsolete/deprecated
>>   type records to wire format.
>> 
> 
> The problem here is that right up until the point the camel declares
> these RRtypes dead, the specification specifically allows them to be
> compressed.
> 
> Specifically quoting RFC 3597 here:
>   To avoid such corruption, servers MUST NOT compress domain names
>   embedded in the RDATA of types that are class-specific or not well-
>   known.  This requirement was stated in [RFC1123] without defining the
>   term "well-known"; it is hereby specified that only the RR types
>   defined in [RFC1035] are to be considered "well-known".
> 
> By definition, the types are in RFC1035; they're well known and thus
> compressible. One DNS server may serve a given record uncompressed,
> while the next one down the pipe compresses it depending on it's
> implementation.
> 
> This came up earlier in the thread, but PowerDNS has an open bug about
> this and the MB type due to BIND sending the record compressed, and
> PowerDNS not recognizing it: https://github.com/PowerDNS/pdns/issues/5687
> 
>> 3. queriers which receive obsolete/deprecated type records MAY interpret
>>   them as unknown type records (rfc 3597), and MUST NOT interfere with
>>   their transmission.
>> 
>>   3a. note that the choice to parse obsolete/deprecated MAY be contingent
>>       on whether the rdata is compressed: an obsolete type record MAY be
>>       parsed as a known type if its rdata is uncompressed, but as an
>>       unknown type otherwise.
>>> 4. validators and signers SHOULD treat rdata for obsolete/deprecated types
>>   as opaque with respect to canonical RR ordering and deduplication
>> 
> 
> 
> On the whole, I'm in favor of removing cruft from the specs wherever
> possible, but I'm starting to question if decommissioning RRtypes
> qualifies as low hanging fruit.
> 
> If we actually want to decommission these RRtypes, and building off your
> starting point, I think the reasonable course of action needs to be this:
> 
> 1. Authoritative servers SHOULD warn when loading zones with obsolete
> record types
> 
> 2. Resolvers MUST never send obsolete RRtypes in a compressed format.
> 
> 3. Signers MUST treat rdata as opaque
> 
> 4. Obsolete RRtypes MUST never be treated as a known-type with respect
> to the wire protocol
> 
> 5. Resolvers MAY support legacy compression for received data for
> backward compatibility if desired, but SHOULD warn if such information
> is received. Compressed records MUST never be re-transmitted.
> 
> 6. Validators MAY attempt to to use legacy RR ordering and
> de-duplication should validation. If legacy validation is required, the
> validator SHOULD warn that it was needed to validate the RRSIGs.
> 
> In effect, we're basically saying, these RRtypes are now RFC 3597, with
> the caveat that it's OK to try and use them as legacy says but it's not
> required.
> 
> By specifically allowing resolvers to understand compressed records, but
> never send them, it allows for the case that there may be people using
> these RRtypes, but sets the standard going forward to treat them as RFC
> 3597. The special case of allowing compressed versions to be accepted
> allows for backwards compatibility and notifying where things still need
> to be updated.
> 
> Then it's essentially a matter of writing a new RFC that describes how
> to handle sun-setting a RRtype, and what RRtypes have been put out to
> pasture formally. Everyone can understand uncompressed RRtypes, and by
> forcing decompression, and those who want to use these for legacy
> RRtypes can.
> 
> New resolvers don't need to worry about it, and as resolvers get
> upgraded, the special case in 5 goes away. For the small handful of
> people actually using these types, life continues as long as their
> resolver maintains legacy receiving support. New resolvers can just
> treat them as RFC 3597.
> 
> Plus we now have a procedure if we want to obsolete any other RRtypes.
> 
> Michael
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop