Re: [DNSOP] Minimum viable ANAME
Paul Wouters <paul@nohats.ca> Wed, 19 September 2018 16:38 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 137F1130E17 for <dnsop@ietfa.amsl.com>; Wed, 19 Sep 2018 09:38:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ks3Kj3AJ-kh7 for <dnsop@ietfa.amsl.com>; Wed, 19 Sep 2018 09:38:15 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 083F5130E12 for <dnsop@ietf.org>; Wed, 19 Sep 2018 09:38:15 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 42Flsc2JRXzF13 for <dnsop@ietf.org>; Wed, 19 Sep 2018 18:38:12 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1537375092; bh=lT5+1XIEjcP7C6C80O1aBw35J+k63e+WdskESMkjabk=; h=Date:From:To:Subject:In-Reply-To:References; b=lZ37+Aw0x4DxBymqqB/cs8rGUz4cBEGRI1DyT1exqXalZ7lh0AxVv3S6MtQCy2wH9 nyph9uw+/YTVdZFXEd9vi3eYYktWAyMTBiiXmY2oxXfk6gZxWsroua5LYLDWXAbjf6 ycudm+Ouuco64VKAITydPIedbc0Meto2s7Qfih2k=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id JcfOB0LgfzVs for <dnsop@ietf.org>; Wed, 19 Sep 2018 18:38:10 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Wed, 19 Sep 2018 18:38:09 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id EAA415602C5; Wed, 19 Sep 2018 12:38:08 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca EAA415602C5
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id E0232424DCCA for <dnsop@ietf.org>; Wed, 19 Sep 2018 12:38:08 -0400 (EDT)
Date: Wed, 19 Sep 2018 12:38:08 -0400
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <5BA26022.5070202@redbarn.org>
Message-ID: <alpine.LRH.2.21.1809191220150.32564@bofh.nohats.ca>
References: <alpine.DEB.2.20.1809191455190.3596@grey.csi.cam.ac.uk> <CAOZSDgCGx73HhtkuQL8WQAhAxGv57h53c+R9xG=Es2sCejYDhw@mail.gmail.com> <alpine.DEB.2.20.1809191519260.3596@grey.csi.cam.ac.uk> <5BA26022.5070202@redbarn.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/baR3_7DXp8t2_psC7l9sPUGukMQ>
Subject: Re: [DNSOP] Minimum viable ANAME
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Sep 2018 16:38:18 -0000
On Wed, 19 Sep 2018, Paul Vixie wrote: > Tony Finch wrote: >> Anthony Eden<anthony.eden=40dnsimple.com@dmarc.ietf.org> wrote: >> >>> FWIW, there's still always >>> https://datatracker.ietf.org/doc/draft-dnsop-eden-alias-rr-type/ >> >> I get the impression that a lot of the objection to the current ANAME >> draft is that it specifies that auth servers do ANAME target lookups and >> record substitution; your draft says the same thing. I think those >> objections are reasonable, but I don't think the problem lookups are >> particularly important (or even helpful). > > +1. 4. Security Considerations To function properly with DNSSEC-aware resolvers, authoritative name servers MUST sign the materialized records produced by the ALIAS resolution. Implementors MAY either materialize A and AAAA records offline and sign the resulting records at that time, or sign the resulting materialized records at request time. This is not a proper Security Consideration section. Please see https://tools.ietf.org/html/rfc3552 What is described here is a fundamental flaw in this proposal. That fact is even more clear by the MAY in that section, which basically says "you can address this security issue or not, whatever" A mechanism could be designed that is more generally usable. Forcing a authoritative servers to do DNS lookups is asking for trouble. Some deployments combine auth+recursive and such a server now needs a working resolv.conf, and one that cannot point to itself. Clearly this is going to break stuff. We have known for decades that combining authoritative plus recursive was a bad idea, yet here it is again glueing these two parts together so the auth server needs resolving code. The place to do anything is on the resolver, the authoritative server should just serve blobs. Synthesizing (here called "materialising" ?) records is awful. It does not work with offline DNSSEC signers, and if we want to solve this properly, we can do so easilly with a solution that does not have this limitation. The design goals of a solution in this space should be: - Fully supports DNSSEC - Does not require AUTH server changes other then supporting a new RRTYPE presentation / wire format and/or serving a new RRTYPE as Additional Data. - All optimization work is done on the resolver. If this includes 'rewriting' A/AAAA records, DNSSEC proofs MUST be included for stub clients doing validation. for example, why not serve an ALIAS record as additional data to A/AAAA queries? Then resolvers that dont support this are as bad of as now. Resolvers supporting this, will pick up the ALIAS, resolve it, put those A/AAAA records in cache, and serve any clients asking for these A/AAAA with the A/AAAA, ALIAS and target A/AAAA records. Paul
- [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Anthony Eden
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Paul Vixie
- Re: [DNSOP] Minimum viable ANAME Paul Wouters
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME John Levine
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Paul Wouters
- Re: [DNSOP] Minimum viable ANAME Mukund Sivaraman
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME 神明達哉
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Dan York
- Re: [DNSOP] Minimum viable ANAME Matthew Pounsett
- Re: [DNSOP] Minimum viable ANAME 神明達哉
- Re: [DNSOP] Minimum viable ANAME JW
- Re: [DNSOP] Minimum viable ANAME Ray Bellis
- Re: [DNSOP] Minimum viable ANAME Havard Eidnes
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Havard Eidnes
- Re: [DNSOP] Minimum viable ANAME Tim Wicinski
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Havard Eidnes
- Re: [DNSOP] Minimum viable ANAME Ray Bellis
- Re: [DNSOP] Minimum viable ANAME Erik Nygren
- Re: [DNSOP] Minimum viable ANAME Paul Vixie
- Re: [DNSOP] Minimum viable ANAME Ray Bellis
- Re: [DNSOP] Minimum viable ANAME Ray Bellis
- Re: [DNSOP] Minimum viable ANAME Paul Vixie
- Re: [DNSOP] Minimum viable ANAME Mark Andrews
- Re: [DNSOP] Minimum viable ANAME Paul Vixie
- Re: [DNSOP] Minimum viable ANAME Mark Andrews
- Re: [DNSOP] Minimum viable ANAME Brian Dickson
- Re: [DNSOP] Minimum viable ANAME Ray Bellis
- Re: [DNSOP] Minimum viable ANAME Tim Wicinski
- Re: [DNSOP] Minimum viable ANAME Paul Vixie
- Re: [DNSOP] Minimum viable ANAME Ben Schwartz
- Re: [DNSOP] Minimum viable ANAME Matthijs Mekking
- Re: [DNSOP] Minimum viable ANAME Ray Bellis
- Re: [DNSOP] Minimum viable ANAME Tim Wicinski
- Re: [DNSOP] Minimum viable ANAME Ray Bellis
- Re: [DNSOP] Minimum viable ANAME Matthijs Mekking
- Re: [DNSOP] Minimum viable ANAME Ray Bellis
- Re: [DNSOP] Minimum viable ANAME Matthijs Mekking
- Re: [DNSOP] Minimum viable ANAME Mark Andrews
- Re: [DNSOP] Minimum viable ANAME Mark Andrews
- Re: [DNSOP] Minimum viable ANAME Ben Schwartz
- Re: [DNSOP] Minimum viable ANAME Mark Andrews
- [DNSOP] ALTSRV Masataka Ohta
- Re: [DNSOP] Minimum viable ANAME Ben Schwartz
- Re: [DNSOP] Minimum viable ANAME Mark Andrews
- Re: [DNSOP] Minimum viable ANAME Olli Vanhoja
- Re: [DNSOP] Minimum viable ANAME tjw ietf
- Re: [DNSOP] Minimum viable ANAME Dan York
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Matthijs Mekking
- Re: [DNSOP] Minimum viable ANAME Matthijs Mekking
- Re: [DNSOP] Minimum viable ANAME Matthijs Mekking
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Brian Dickson
- Re: [DNSOP] Minimum viable ANAME Matthijs Mekking
- Re: [DNSOP] Minimum viable ANAME Vladimír Čunát
- Re: [DNSOP] Minimum viable ANAME Olli Vanhoja
- Re: [DNSOP] Minimum viable ANAME Vladimír Čunát
- Re: [DNSOP] Minimum viable ANAME Brian Dickson
- Re: [DNSOP] Minimum viable ANAME Olli Vanhoja
- Re: [DNSOP] Minimum viable ANAME Brian Dickson
- Re: [DNSOP] Minimum viable ANAME Olli Vanhoja
- Re: [DNSOP] Minimum viable ANAME Tony Finch
- Re: [DNSOP] Minimum viable ANAME Dan York
- Re: [DNSOP] Minimum viable ANAME Benno Overeinder