Re: [DNSOP] [internet-drafts@ietf.org: New Version Notification for draft-edmonds-dnsop-capabilities-00.txt]

Robert Edmonds <edmonds@mycre.ws> Mon, 03 July 2017 17:57 UTC

Return-Path: <edmonds@mycre.ws>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F0AA1296CF for <dnsop@ietfa.amsl.com>; Mon, 3 Jul 2017 10:57:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZXAfLyCmdNFY for <dnsop@ietfa.amsl.com>; Mon, 3 Jul 2017 10:57:05 -0700 (PDT)
Received: from mycre.ws (mycre.ws [45.33.102.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D26BF120227 for <dnsop@ietf.org>; Mon, 3 Jul 2017 10:57:05 -0700 (PDT)
Received: by chase.mycre.ws (Postfix, from userid 1000) id 4C7B812C10FC; Mon, 3 Jul 2017 13:57:05 -0400 (EDT)
Date: Mon, 3 Jul 2017 13:57:05 -0400
From: Robert Edmonds <edmonds@mycre.ws>
To: Mark Andrews <marka@isc.org>
Cc: dnsop@ietf.org
Message-ID: <20170703175705.cysvvn54xgq52kp7@mycre.ws>
References: <20170702213334.dm5olfbvkpbxdq3m@mycre.ws> <20170703035355.DA71A7D6C89D@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20170703035355.DA71A7D6C89D@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XZEzQmnIJasDE1dakrTfuIG9GaY>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: New Version Notification for draft-edmonds-dnsop-capabilities-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2017 17:57:07 -0000

Mark Andrews wrote:
> There are three things that made it hard to deploy new features.
> 
> 1) Firewall vendor shipping firewalls with ridiculously strict rules
>    with zero evidence that they are needed.
> 
> 2) Misimplementation of STD 13 and RFC 2671 by nameserver vendors.
> 
> 3) Unknown EDNS option behaviour was not well defined by RFC 2671,
>    this is addressed in RFC 6891.
> 
> 1 and 2 made it impossible to do a clean update from RFC 2671 to
> RFC 6891 which tightened the unknown EDNS option behaviour.  Proper
> implementation of RFC 2671 would have allowed the EDNS version 1
> to be used to signal that RFC 6891 unknown option behaviour is
> required.

I'm more that willing to strip out any opinionated text in the draft
about what makes it hard to deploy new DNS features.

I agree that there is a lot of bad code out there, but my primary use
case is for greenfield deployments where both client and server side
have new code, and there is a need to detect the other side's
capabilities.

If you have old or bad code running in the client, server, or middlebox,
you just don't get to use the new features.

> I don't see how adding a capabilities option will help here when
> the primary problem is bad code.

There are cases where all you need is a feature flag, and in some cases,
the ability to remember an advertised feature for subsequent queries.

Currently there are 16 reserved bits between the DNS and EDNS headers
that require standards action to use. The small number of bits available
and the difficulty required to obtain one (the last allocation was over
10 years ago) means that an EDNS0 option is a more likely path for a
feature flag, but that path wastes a minimum of 5 octets. There's a
limited amount of space available in a UDP DNS query packet, maybe
around ~200 octets for a query with a maximum length QNAME and a
plausible set of EDNS0 options.

The "DNS Features" capability in my proposal provides space for 256
feature bits at a cost of up to 32 octets. If we make that space a FCFS
registry (and provide a handful of "Reserved for Local/Experimental Use"
bits) it becomes easier to experiment with new features (using a new bit
in an existing EDNS0 option is easier than implementing an entirely new
EDNS0 option).

-- 
Robert Edmonds