Re: [DNSOP] [internet-drafts@ietf.org: New Version Notification for draft-edmonds-dnsop-capabilities-00.txt]
Robert Edmonds <edmonds@mycre.ws> Mon, 03 July 2017 17:57 UTC
Return-Path: <edmonds@mycre.ws>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F0AA1296CF for <dnsop@ietfa.amsl.com>; Mon, 3 Jul 2017 10:57:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZXAfLyCmdNFY for <dnsop@ietfa.amsl.com>; Mon, 3 Jul 2017 10:57:05 -0700 (PDT)
Received: from mycre.ws (mycre.ws [45.33.102.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D26BF120227 for <dnsop@ietf.org>; Mon, 3 Jul 2017 10:57:05 -0700 (PDT)
Received: by chase.mycre.ws (Postfix, from userid 1000) id 4C7B812C10FC; Mon, 3 Jul 2017 13:57:05 -0400 (EDT)
Date: Mon, 03 Jul 2017 13:57:05 -0400
From: Robert Edmonds <edmonds@mycre.ws>
To: Mark Andrews <marka@isc.org>
Cc: dnsop@ietf.org
Message-ID: <20170703175705.cysvvn54xgq52kp7@mycre.ws>
References: <20170702213334.dm5olfbvkpbxdq3m@mycre.ws> <20170703035355.DA71A7D6C89D@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20170703035355.DA71A7D6C89D@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/XZEzQmnIJasDE1dakrTfuIG9GaY>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: New Version Notification for draft-edmonds-dnsop-capabilities-00.txt]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2017 17:57:07 -0000
Mark Andrews wrote: > There are three things that made it hard to deploy new features. > > 1) Firewall vendor shipping firewalls with ridiculously strict rules > with zero evidence that they are needed. > > 2) Misimplementation of STD 13 and RFC 2671 by nameserver vendors. > > 3) Unknown EDNS option behaviour was not well defined by RFC 2671, > this is addressed in RFC 6891. > > 1 and 2 made it impossible to do a clean update from RFC 2671 to > RFC 6891 which tightened the unknown EDNS option behaviour. Proper > implementation of RFC 2671 would have allowed the EDNS version 1 > to be used to signal that RFC 6891 unknown option behaviour is > required. I'm more that willing to strip out any opinionated text in the draft about what makes it hard to deploy new DNS features. I agree that there is a lot of bad code out there, but my primary use case is for greenfield deployments where both client and server side have new code, and there is a need to detect the other side's capabilities. If you have old or bad code running in the client, server, or middlebox, you just don't get to use the new features. > I don't see how adding a capabilities option will help here when > the primary problem is bad code. There are cases where all you need is a feature flag, and in some cases, the ability to remember an advertised feature for subsequent queries. Currently there are 16 reserved bits between the DNS and EDNS headers that require standards action to use. The small number of bits available and the difficulty required to obtain one (the last allocation was over 10 years ago) means that an EDNS0 option is a more likely path for a feature flag, but that path wastes a minimum of 5 octets. There's a limited amount of space available in a UDP DNS query packet, maybe around ~200 octets for a query with a maximum length QNAME and a plausible set of EDNS0 options. The "DNS Features" capability in my proposal provides space for 256 feature bits at a cost of up to 32 octets. If we make that space a FCFS registry (and provide a handful of "Reserved for Local/Experimental Use" bits) it becomes easier to experiment with new features (using a new bit in an existing EDNS0 option is easier than implementing an entirely new EDNS0 option). -- Robert Edmonds
- [DNSOP] [internet-drafts@ietf.org: New Version No… Robert Edmonds
- Re: [DNSOP] [internet-drafts@ietf.org: New Versio… Mark Andrews
- Re: [DNSOP] [internet-drafts@ietf.org: New Versio… Paul Hoffman
- Re: [DNSOP] [internet-drafts@ietf.org: New Versio… Robert Edmonds