Re: [DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)

Shumon Huque <shuque@gmail.com> Mon, 09 March 2015 17:17 UTC

On Mon, Mar 9, 2015 at 12:05 PM, Ray Bellis <Ray.Bellis@nominet.org.uk>
wrote:

>
> > On 9 Mar 2015, at 14:28, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> >
> > On Fri, Mar 06, 2015 at 08:59:20PM +0000,
> > Evan Hunt <each@isc.org> wrote
> > a message of 28 lines which said:
> >
> >> (As an aside: I've often wondered why the DNS doesn't have *more*
> >> meta-query types, less extensive than ANY, such as a single type
> >> covering A and AAAA.
> >
> > Probably for the same reason that makes QTYPE=ANY queries very
> > difficult to understand for the beginner and counter-intuitive:
> > because it is hard to specify the semantics. Imagine there is an ADDR
> > meta-query covering A and AAAA. You send QTYPE=ADDR and you get only A
> > record(s). Can you be *sure* (and can you validate with DNSSEC) that
> > there was no AAAA? Think of the various cases, RD=0, RD=1, caches,
> > forwarders, etc.
>
> I wrote this a few years ago:
>
> http://tools.ietf.org/html/draft-bellis-dnsext-multi-qtypes-01
>
> The primary stumbling block was the possibility (given DNSSEC) for
> multiple different RCODEs for the different QTYPEs being requested.
>
> I couldn't think of any failure modes in the non-DNSSEC case, but with
> signed data it's theoretically possible to have valid signatures for the
> owner name on one QTYPE and invalid signatures on another.
>
> Ray
>

Interesting idea. I think it's worth discussing these kinds of proposals in
more depth. To account for the multiple distinct response codes case, one
possibility is to carry an extended "response code array" in an EDNS
option. Clients already have to sometimes parse EDNS to get extended
response codes today, so we have one foot in that direction already. And
this could also support the more general case of multiple distinct query
names (not just multiple query types for the same name). There might be a
use case for this in some application communities (like web browser vendors)
that are highly resistant to performing additional DNS queries for
additional latency reasons (e.g. execute in one query: A/AAAA +
corresponding TLSA record which sits at a different qname).

PS. regarding Paul Vixie's recent suggestion of adding an AAAA or A record
set in the additional section for a corresponding A or AAAA query, I just
learned today that Unbound already does this. Not sure if there are any DNS
client APIs that can successfully make use of this info yet.

Shumon Huque.
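The "response code array" idea sketched above, as an added illustration that is not part of the original message and not the wire format of draft-bellis-dnsext-multi-qtypes: a hypothetical EDNS option (option code 65001, from the local/experimental range, chosen here for illustration only) carrying one RCODE per requested QTYPE, plus the client-side rule that Ray's DNSSEC case calls for: a type whose RCODE is not NOERROR, or that is missing from the array, is re-queried on its own rather than treated as "no such record".

```python
import struct

# Hypothetical option code from the RFC 6891 local/experimental range
# (65001-65534). Not IANA-assigned; chosen only for this example.
OPT_RCODE_ARRAY = 65001

QTYPE_A, QTYPE_AAAA, QTYPE_TLSA = 1, 28, 52
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3


def encode_rcode_array(results):
    """Pack [(qtype, rcode), ...] into EDNS option wire form:
    OPTION-CODE(2) OPTION-LENGTH(2), then QTYPE(2) RCODE(1) per entry.
    Entry layout is an assumption of this example."""
    body = b"".join(struct.pack("!HB", qtype, rcode) for qtype, rcode in results)
    return struct.pack("!HH", OPT_RCODE_ARRAY, len(body)) + body


def decode_rcode_array(data):
    """Parse the option back into [(qtype, rcode), ...], rejecting
    truncated or mis-sized option data instead of guessing."""
    if len(data) < 4:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", data[:4])
    if code != OPT_RCODE_ARRAY or length != len(data) - 4 or length % 3:
        raise ValueError("malformed rcode-array option")
    body = data[4:]
    return [struct.unpack("!HB", body[i:i + 3]) for i in range(0, length, 3)]


def usable_types(option_bytes, requested):
    """Split the requested QTYPEs into those the client may treat as
    answered (per-type NOERROR) and those it must re-query individually.
    A type absent from the array, or with any other RCODE (e.g. SERVFAIL
    from a failed DNSSEC validation of that RRset), proves nothing about
    whether the record exists."""
    per_type = dict(decode_rcode_array(option_bytes))
    ok = [t for t in requested if per_type.get(t) == RCODE_NOERROR]
    retry = [t for t in requested if t not in ok]
    return ok, retry


if __name__ == "__main__":
    # Constructed sample: A validated fine, AAAA failed validation, TLSA omitted.
    opt = encode_rcode_array([(QTYPE_A, RCODE_NOERROR), (QTYPE_AAAA, RCODE_SERVFAIL)])
    print(usable_types(opt, [QTYPE_A, QTYPE_AAAA, QTYPE_TLSA]))
```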