Re: [DNSOP] new DNS classes

Mark Andrews <> Sun, 09 July 2017 01:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9E0CF128D40; Sat, 8 Jul 2017 18:59:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, PP_MIME_FAKE_ASCII_TEXT=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uzvzUil72M9a; Sat, 8 Jul 2017 18:58:58 -0700 (PDT)
Received: from ( [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DDF1F127F0E; Sat, 8 Jul 2017 18:58:58 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E2F883493C9; Sun, 9 Jul 2017 01:58:55 +0000 (UTC)
Received: from (localhost []) by (Postfix) with ESMTPS id A293416003D; Sun, 9 Jul 2017 01:58:55 +0000 (UTC)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 879EC160053; Sun, 9 Jul 2017 01:58:55 +0000 (UTC)
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id l7L6bkdQS1fJ; Sun, 9 Jul 2017 01:58:55 +0000 (UTC)
Received: from ( []) by (Postfix) with ESMTPSA id 14DF116003D; Sun, 9 Jul 2017 01:58:55 +0000 (UTC)
Received: from (localhost [IPv6:::1]) by (Postfix) with ESMTP id E5C877E07ADA; Sun, 9 Jul 2017 11:58:51 +1000 (AEST)
To: Pete Resnick <>
Cc: Nico Williams <>, John C Klensin <>, dnsop <>, Phillip Hallam-Baker <>, Paul Vixie <>, IETF <>
From: Mark Andrews <>
References: <> <> <> <> <> <> <> <> <> <562EC659F89FA92A09CAC4DB@PSB> <20170706153955.GB3393@localhost> <> <> <> <>
In-reply-to: Your message of "Sat, 08 Jul 2017 11:05:01 -0500." <>
Date: Sun, 09 Jul 2017 11:58:51 +1000
Message-Id: <>
Archived-At: <>
Subject: Re: [DNSOP] new DNS classes
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 09 Jul 2017 01:59:00 -0000

In message <>om>, Pete Resnic
k writes:
> On 7 Jul 2017, at 19:18, Mark Andrews wrote:
> > In message <>om>, 
> > Pete Resnick writes:
> >>
> >> On 6 Jul 2017, at 16:52, Mark Andrews wrote:
> >>
> >>> Or you could stop trying to reinforce the myth that new RR types
> >>> are hard to deploy.  They really aren't.  They actually get used
> >>> all the time.
> >>
> >> I'm running the latest version of MacOS Server. I can't get a new RR
> >> type into the UI. Even if I use the command line "dnsconfig" tool, I
> >> can't add a record of a type it doesn't know about; I only get A, 
> >> AAAA,
> >> CNAME, NS, MX, PTR, SRV, and TXT. Yes, I could go hacking around in 
> >> the
> >> BIND configs that underly their implementation. And at that point I 
> >> say,
> >> "New RR types are hard to deploy; not a myth." Telling me I can use a
> >> different operating system or not use a validating UI is not a
> >> reasonable response.
> >
> > Well use nsupdate.  That also ships with the Mac.
> Of course doing that likely means I'll have records that don't show up 
> in the server UI. Not entirely thrilling. And I could accomplish exactly 
> the same thing by directly editing the BIND config files, so I'm not 
> sure what that gains me in terms of "not hard to deploy".

Given Macs can register their own addresses in the DNS using UPDATE
I doubt that the strawman you are attempting to raise here happens
and if it does log a bug with Apple.  Log a bug with Apple that the
tool doesn't support all known types and that it doesn't support
unknown types.

> >> The fact is the DNS doesn't provide a way for implementations to
> >> dynamically update the RR types to provide sensible UI; it's left as 
> >> an
> >> exercise for each individual implementer. (Yes, I know about
> >> draft-levine-dnsextlang; it doesn't seem to have gotten anywhere.) 
> >> You
> >> can't much complain about the difficulty of deployment when the
> >> community won't provide the tools to make deployment easier.
> >
> > Well BIND is designed to allow new types to be added easily.  It
> > may require recompiling rather than updating a text file but it is
> > not beyond people to do because we see people doing just that.
> ¬(∃𝑥𝐶(𝑥) → ∀𝑥𝐶(𝑥))
> Just because you you see some people recompiling does not mean that all 
> (or most, or a significant number) can. Set that aside, it is nowhere 
> near reasonable for knowing how to recompile a piece of code to be 
> required in order for me to add a new RR type. Set that aside, this is 
> the epitome of "hard to deploy": Some implementations can't do it at 
> all, some implementations you have to go hacking around in hidden config 
> files, and some implementations you have to recompile the binary to get 
> a reasonable UI experience.
> This is the problem with DNS being considered a system service rather 
> than a user application. It's got both aspects. Until the user 
> experience for configuring the DNS with a new RR type does not require 
> the skills of someone able to recompile code, it is absolutely going to 
> be the case that new RR types are hard to deploy, and calling it a myth 
> is not helpful.

We supply user applications to manipulate the DNS.  Those tools are
capable of updating yet to be defined types.  Putting a front end
on those tools that takes the new type someone dreams up is easy.

We also supply C libraries that can do the same thing.  No one needs
to wait to use a new type.

There are python and perl tools available that can also send update

If you just want the new records to be a blob of text a shell script
like this will convert the record to unknown format suitable to be
used by nsupdate.

% sh junk
hello world
\# 11 68656C6C6F20776F726C64
% cat junk
read record
hex=`printf "%s" "$record" | hexdump -ve '/1 "%02X"'`
length=`printf "%s" "$hex" | wc -c`
length=`expr $length / 2`
echo '\#' $length $hex

You can create all DNS records similarly.  Building them up
field by field.

One can do something similar in any scripting language.

So no it isn't hard to use a new type.  You just need to stop waiting
for the stupid DNS hoster to do it for you and organise to do it

> pr
> -- 
> Pete Resnick <>
> Qualcomm Technologies, Inc. - +1 (858)651-4478
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: