[DNSOP] Re: Fwd: New Version Notification for draft-ietf-dnsop-zoneversion-10.txt
"Wessels, Duane" <dwessels@verisign.com> Tue, 23 July 2024 00:59 UTC
From: "Wessels, Duane" <dwessels@verisign.com>
To: dnsop <dnsop@ietf.org>, Philip Homburg <pch-dnsop-5@u-1.phicoh.com>
Date: Tue, 23 Jul 2024 00:59:00 +0000
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aUf0lN_GqnPKRnkJaA7vX5GRTHk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
> On Jul 18, 2024, at 11:03 AM, Petr Špaček <pspacek@isc.org> wrote:
>
> On 18. 07. 24 17:28, Shane Kerr wrote:
>> Petr,
>>
>> On 18/07/2024 17.09, Petr Špaček wrote:
>>> I'm one of the guys who implemented a server which ignored SOA serial semantics on purpose - because its distributed multi-master backend offered only eventual consistency.
>>>
>>> Of course it had to expose _some_ value for SOA serial, but the fake serial did not have the properties promised in RFC 1034, and there is no way to make it so.
>>>
>>> I believe some PowerDNS installations suffer from the same problem.
>>>
>>> With this experience in mind I support Philip's proposal to add instruction for authors of such servers. It does not hurt anyone and it's a good reminder for authors of weird software.
>>>
>>> If there's trouble with defining "meaningful" then we can try this alternative wording:
>>> ----
>>> If a DNS zone's SOA Serial number does not conform to RFC 1034 semantics then the SOA-SERIAL ZONEVERSION option SHOULD NOT be returned in a reply.
>>> ----
>>
>> The draft has this lovely TYPE field, which defines a single option:
>>
>>    The first and only ZONEVERSION option TYPE defined in this document is a zone's serial number as found in the Start of Authority (SOA) RR.
>>
>> There are also private use ZONEVERSION TYPE reserved, so I think your suggestion is correct for ZONEVERSION TYPE SOA-SERIAL. Anyone who wants to return a value that is meaningful in some other way can use one of the private use values.
>
> Indeed that's exactly what I meant!
>
> To provide a practical example, BIND with a LDAP-backed (e.g. "bind-dyndb-ldap") could return syncCookie [1] which identifies content of the backing LDAP database, but SHOULD NOT return SOA serial because that value is likely inconsistent across "replicas" as they call individual servers.
>

Thanks everyone for the input on this thread started by Philip. We’ve added this new text to the document to be published in the next revision:

   4.  The SOA-SERIAL ZONEVERSION Type

   ...

   As mentioned previously, some DNS zones may use alternative distribution and synchronization mechanisms not based on the SOA Serial number and the Serial field may not be relevant with respect to the versioning of zone content. In those cases a name server SHOULD NOT include a ZONEVERSION option with type SOA-SERIAL in a reply.

DW
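The rule agreed in this thread, sketched as server-side option selection plus a matching decoder. This is an added example, not code from the draft, the message authors, or any name server. The option code 19, TYPE 0 for SOA-SERIAL, the private-use range 246-254 and the LABELCOUNT/TYPE/VERSION layout are assumptions taken from the ZONEVERSION specification rather than from this message, and the zone dictionaries are constructed.

```python
import struct

# Assumed constants (from the ZONEVERSION specification, not from this message).
OPT_ZONEVERSION = 19            # EDNS option code
TYPE_SOA_SERIAL = 0             # VERSION is the 32-bit SOA serial
PRIVATE_USE_TYPES = range(246, 255)


def label_count(zone_name):
    """Number of labels in the zone name, not counting the root label."""
    return len([l for l in zone_name.rstrip(".").split(".") if l])


def build_zoneversion(zone):
    """Return the encoded option for a reply, or None when it must be omitted."""
    if zone["serial_conforms"]:
        # Serial follows RFC 1034 semantics: safe to expose as SOA-SERIAL.
        ztype, version = TYPE_SOA_SERIAL, struct.pack("!I", zone["serial"])
    elif zone.get("private"):
        # Backend has its own version token: use a private-use TYPE instead.
        ztype, version = zone["private"]
        if ztype not in PRIVATE_USE_TYPES:
            raise ValueError("not a private-use ZONEVERSION TYPE")
    else:
        # Serial is a placeholder: SHOULD NOT send SOA-SERIAL, so send nothing.
        return None
    data = struct.pack("!BB", label_count(zone["name"]), ztype) + version
    return struct.pack("!HH", OPT_ZONEVERSION, len(data)) + data


def parse_zoneversion(option):
    """Decode one encoded option into (labelcount, type, version)."""
    code, length = struct.unpack("!HH", option[:4])
    data = option[4:]
    if code != OPT_ZONEVERSION or length != len(data) or length < 2:
        raise ValueError("malformed ZONEVERSION option")
    labels, ztype = struct.unpack("!BB", data[:2])
    version = data[2:]
    if ztype == TYPE_SOA_SERIAL:
        if len(version) != 4:
            raise ValueError("SOA-SERIAL version must be 4 octets")
        version = struct.unpack("!I", version)[0]
    return labels, ztype, version


# Constructed sample zones: serial-based, token-based, and placeholder serial.
AXFR_ZONE = {"name": "example.com.", "serial": 2024072201, "serial_conforms": True}
LDAP_ZONE = {"name": "corp.example.", "serial": 1, "serial_conforms": False,
             "private": (246, b"constructed-sync-token")}
FAKE_SERIAL_ZONE = {"name": "db.example.", "serial": 1, "serial_conforms": False}
```

A monitoring client that compares versions across servers should treat a missing option, or a private-use TYPE it does not understand, as "no comparable version" rather than falling back to the SOA serial.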