Re: [DNSOP] new Resource record?

"Hosnieh Rafiee" <ietf@rozanak.com> Thu, 10 December 2015 20:57 UTC

Return-Path: <ietf@rozanak.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76DE81B2AFD for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2015 12:57:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G84PX8hba-Cm for <dnsop@ietfa.amsl.com>; Thu, 10 Dec 2015 12:57:10 -0800 (PST)
Received: from mail.rozanak.com (mail.rozanak.com [IPv6:2a01:238:42ad:1500:aa19:4238:e48f:61cf]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A202A1B2AF6 for <dnsop@ietf.org>; Thu, 10 Dec 2015 12:57:10 -0800 (PST)
Received: from localhost (unknown [127.0.0.1]) by mail.rozanak.com (Postfix) with ESMTP id A011F25CA074; Thu, 10 Dec 2015 20:57:08 +0000 (UTC)
X-Virus-Scanned: amavisd-new at rozanak.com
Received: from mail.rozanak.com ([127.0.0.1]) by localhost (mail.iknowlaws.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ZMNeO34G5nJ; Thu, 10 Dec 2015 21:56:35 +0100 (CET)
Received: from kopoli (p5B340D48.dip0.t-ipconnect.de [91.52.13.72]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.rozanak.com (Postfix) with ESMTPSA id F010925CA03E; Thu, 10 Dec 2015 21:56:34 +0100 (CET)
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Edward Lewis' <edward.lewis@icann.org>
References: <005a01d132bf$b8d31a80$2a794f80$@rozanak.com> <BAF07397-13A0-4E46-AD61-8D5341FBE160@puck.nether.net> <D28EEA44.11EBA%edward.lewis@icann.org>
In-Reply-To: <D28EEA44.11EBA%edward.lewis@icann.org>
Date: Thu, 10 Dec 2015 21:56:26 +0100
Message-ID: <017401d1338d$3ceb8b90$b6c2a2b0$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQIcBJevjW3fUkks0ks22EN/+5YHPQHdFNL/ATJZcqCeFpOCsA==
Content-Language: en-us
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Xr8-uh2tsTEkiO4a8ijwoiV2JcQ>
Cc: 'dnsop' <dnsop@ietf.org>
Subject: Re: [DNSOP] new Resource record?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2015 20:57:12 -0000

Hi Edward,
Thanks for your message.

> 
> On Dec 9, 2015, at 3:25 PM, Hosnieh Rafiee <ietf@rozanak.com> wrote:
> HR> I would like to suggest the following format (this is the rough version
> HR> and it is not exact but only giving you an idea that what is the
> HR> purpose) for a new resource record to store the reference information
> HR> of bounding of authentication and authorization where authentication
> HR> can be based on public keys or certificates.
> 
> First, read "Domain Name System (DNS) IANA Considerations", RFC 6895.
> (http://tools.ietf.org/html/rfc6895) That lays out the process of getting
> a new Resource Record assigned.

Ok

> Second, from the quick description, I don't quite understand what you want
> to solve.  Not complaining, but in preparing to ask for a new type, the
> use case might need to be clearer.

Authentication and authorization in a multi-tenancy environment, where it is based on certificates and TLS, without giving direct access to the resource policy that belongs to the owner of the infrastructure, while at the same time giving each tenant the flexibility to delegate all or a part of its resources to a third party.

> HR> Is DNSOP a right place for that? I asked DANE and they said it
> HR> is not in their charter.
> 
> I don't know what you asked the DANE WG.  But if it was to add a new DNS
> RR type, they certainly would not be the best place.  DNSOP WG doesn't
> make decisions on new types (see the RFC for that), but you might get
> useful advice on this list.

I actually asked on the mailing list whether their charter is open to having the binding of authentication and authorization there, since the purpose would also be to use DANE. But what I heard (in private message exchanges) was that they do not want to recharter to consider this.
If I misunderstood, then perhaps the chair of DANE can speak out and correct me.

 
> 
> I don't understand it.  But don't reuse TXT or HINFO or anything just
> because it would seem convenient.  Consult the RFC for the process.

Ok, you are the second person who does not recommend using TXT. I also think that, according to the processes I need for DDNS, there needs to be a bit more restriction. For querying I think it will address the needs, but for the processes during updating, new processes need to be defined, which means it is better, as you and others suggested, to think about another RR.

I need to first take a look at the RFC you have pointed me to, to see what I can do and how to introduce it. I think I will again bug the WG for more advice :)

Thanks again,
Best,
Hosnieh