Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
Matthew Pounsett <matt@conundrum.com> Sat, 12 August 2017 16:31 UTC
Return-Path: <matt@conundrum.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1E1D13240D for <dnsop@ietfa.amsl.com>; Sat, 12 Aug 2017 09:31:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0WLoX12XX1hT for <dnsop@ietfa.amsl.com>; Sat, 12 Aug 2017 09:31:07 -0700 (PDT)
Received: from mail-vk0-x233.google.com (mail-vk0-x233.google.com [IPv6:2607:f8b0:400c:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0AEC1323AB for <dnsop@ietf.org>; Sat, 12 Aug 2017 09:31:06 -0700 (PDT)
Received: by mail-vk0-x233.google.com with SMTP id j189so21798683vka.0 for <dnsop@ietf.org>; Sat, 12 Aug 2017 09:31:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6fFWV/b2iWcRSAOT32KpfuEw7EmL0Wk81vhuwg51AKY=; b=F11YhPYdZolFNQFm+dajMcLzg6c8hQ9aIkMgbECWiIhTpInsh9UtzPGT8Iwj2zGc+z VAfhrqYZ2INFCJeqAsJc2U6x/06irgf52xK/dwAclLoq196/ed6BDQ2qk80YpwXGRSHU e9QbKLt2C6KCIWA6aqKaFHC7iC/f/C4l8P3YjwdApTFIuFHCGQtiUj9ZAoD91tqFQrfS +XPM0yqNgBH2CvgboY3JL/EgttoNzEBqi7rhuqE3q71aSEwYKYDccjkREHRaN/YYCN+3 or/rtQbPFp7T8p/ZIkBXZdVlOASCbdvDKbAnufPLULrlXFc5FyKOG93IJoLva3HmfyBF VlWg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6fFWV/b2iWcRSAOT32KpfuEw7EmL0Wk81vhuwg51AKY=; b=R54U1l4h5heDFlEW1R8FcXINenQ5aKLgGNhffeqrhktqPgztSv+5T8ZVXKZa8FSvk2 O56h4qYiAOyeCJMYb4KqB6eotxldW2axGOzEye6ZQpLVATE/GGnDFkm2/2kTuYH4asOa i+n8wKC/lFVVzg9RMmY3id1M3XDko65YU2wXaewHb8d41KwUjKaREv7vutTWZ7qfPOIc fQWgrGqd/Z78P/ZD51bO2WlnPSG2X6E+Kyp4nWHONbwr6bVdxi7ai5oSBpwhpGEIeu+3 Cb8DlDXAnJV9kpMXb//qRTSgRz9kLeNCDpLOnALES/ickiWiByFn7mpp+h5dCMVUamAL orgQ==
X-Gm-Message-State: AHYfb5iVO2ITnlFLuDIHoKHKIgbD8kIRfa6VtBE0crpwy+YnQRSe049T RtvQgZAz9Im1tIEhnT22dw7905XNxLxY
X-Received: by 10.31.65.151 with SMTP id o145mr11086750vka.208.1502555465172; Sat, 12 Aug 2017 09:31:05 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.84.74 with HTTP; Sat, 12 Aug 2017 09:31:04 -0700 (PDT)
In-Reply-To: <CANLjSvWOzaJcVL64BhNFKnTUEgfq06TQtoy=ZNJ_JafvPU1aSA@mail.gmail.com>
References: <149908054910.760.8140876567010458934.idtracker@ietfa.amsl.com> <CANLjSvU23OPMM=cETxBiV7j8UhMzMd426VuivxAtboMAB0=7jw@mail.gmail.com> <alpine.DEB.2.11.1707031317070.21595@grey.csi.cam.ac.uk> <CANLjSvXE4q9PSEc4txKM4OPKXVpT38N_PC2-fDHmihpk29ahcw@mail.gmail.com> <1197245d-6b9a-3c3b-82a0-dc6a1cc3de58@nic.cz> <CANLjSvVe99q4vtTW0TRopmQ0s9hC8HdMze5B6COs8Y_3unir5w@mail.gmail.com> <CAAiTEH8ntOerB6MGKMS2xcCK3TL9n4fyLq6F+bpUY6oTUpWN8w@mail.gmail.com> <CANLjSvWOzaJcVL64BhNFKnTUEgfq06TQtoy=ZNJ_JafvPU1aSA@mail.gmail.com>
From: Matthew Pounsett <matt@conundrum.com>
Date: Sat, 12 Aug 2017 12:31:04 -0400
Message-ID: <CAAiTEH_3d3_DJoeB-7iQTP-3QVCArU9p=U9YAxntiOp2Vh_1=g@mail.gmail.com>
To: Lanlan Pan <abbypan@gmail.com>
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, Petr Špaček <petr.spacek@nic.cz>, dnsop <dnsop@ietf.org>, Vladimír Čunát <vladimir.cunat@nic.cz>
Content-Type: multipart/alternative; boundary="001a114da76ac1ddde055690f4b5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cIOYIZ9Tf6Uf9pYjNhnStsejd20>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Aug 2017 16:31:10 -0000
On 12 August 2017 at 04:29, Lanlan Pan <abbypan@gmail.com> wrote: > Hi Matthew & Paul, > > Good question, :-) > > SWILD is a feature just for recusive cache optimization, only dealing with > the wildcard subdomain issue (with no nodes below). > DNSSEC + NSEC aggressive is security feature, with cryptographic contents > such as KSK/ZSK/NSEC/NSEC3/NSEC5/... > > My assumption is: *we can give recursive server an alternative solution > for wildcard subdomain cache issue, not need to depend on DNSSEC.* > Authoritative server just simply add one SWILD RR, not much deploy cost. > Recursive server can add SWILD support if it has an interest in wildcard > subdomain cache optimization, it is OPT-IN. > I confess it was a rhetorical question. All of the major implementations already support DNSSEC. 8198 doesn't have an implementation status section, but there's every reason to think the major implementations will have support within a version of two. A quick survey of a few issues databases shows that at least Knot is already working on it. That is a significant head start; SWILD support without DNSSEC support can't happen in any significant way, and SWILD support without support for 8198 doesn't seem likely. As for operator adoption, the incentives are all wrong for this to actually get used. Recursive operators already have a very low operational bar to turn on DNSSEC and get the same benefit to their cache. In both cases (SWILD and DNSSEC) they rely on the authoritative operator opting in before that benefit can be realized. Authoritative operators may choose to use DNSSEC because it will secure their zone, and if recursive operators also have 8198-capable name servers then the workload for both authoritative and recursive is reduced for all terminal names. With SWILD, there is no direct benefit to the authoritative operator, as far as I can see. Given that the only benefit to using SWILD is to the recursive operator, what is the motivation for the authoritative operator to add complexity to their deployment by adopting it? Traditional wildcards work fine for them. To make the adoption problem worse, it appears as if SWILD is more limited in its use than traditional wildcards. For example, I don't see how you could occlude an SWILD record with a more-specific domain name, as you can with traditional wildcards. Here's a common scenario based on the example from the draft: @ 86400 IN SWILD _ _ 3600 IN CNAME map.bar.net. * 600 IN CNAME _ dev 600 IN CNAME map.dev.bar.net. How does SWILD behave when a client queries for dev? According to the draft, the authoritative server would return the SWILD record at the apex. An SWILD-aware recursive server seems like it would ignore the CNAME returned for dev and instead use the CNAME for _, which is not what the operator intended. > > *I don't expect implementers would adopt SWILD 100% before adopting > DNSSEC+NSEC aggressive. Just give an alternative choice, implementers can > decide adopting or not, before or after, we won't pre-select for them.* > Even if both Authoritative server and Recursive server support DNSSEC+NSEC > aggressive, when will they configure default dns query with dnssec ? (for > NSEC agreesive cached deduced wildcard) > We already know that a year ago 26% of all end users were behind some sort of validating resolver, a number which continues to climb as more ISPs turn on validation, and more users switch to things like Google Public DNS <https://labs.apnic.net/presentations/store/2016-06-27-dnssec.pdf>. This isn't an ideal deployment status so long after DNSSEC was standardized, but it's a long way ahead of SWILD. You'll need to have a very compelling argument for me to believe that SWILD is both more useful than DNSSEC and more likely to be deployed at any kind of scale that would make a difference. I just don't see it. Add to that Paul's point that we would very much like to encourage DNSSEC adoption, I don't see why we'd add support for an alternative technology that accomplishes a subset of its features.
- [DNSOP] Fwd: New Version Notification for draft-p… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Tony Finch
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Petr Špaček
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-pa… Paul Hoffman
- Re: [DNSOP] Fwd: New Version Notification for dra… Richard Gibson
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] Fwd: New Version Notification for dra… Dave Crocker
- Re: [DNSOP] New Version Notification for draft-pa… Peter van Dijk
- Re: [DNSOP] New Version Notification for draft-pa… Matthew Pounsett
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] Fwd: New Version Notification for dra… Ted Lemon
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Mikael Abrahamsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Mikael Abrahamsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Davey Song
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] New Version Notification for draft-pa… Ralf Weber
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Davey Song
- Re: [DNSOP] Fwd: New Version Notification for dra… Mikael Abrahamsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Ted Lemon
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John Levine
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Petr Špaček
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Matthew Pounsett
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John R Levine
- Re: [DNSOP] New Version Notification for draft-pa… Ted Lemon
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John R Levine
- Re: [DNSOP] New Version Notification for draft-pa… Ralf Weber
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Mark Andrews
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John R Levine
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Mark Andrews
- Re: [DNSOP] updating fragile dnssec, was Fwd: New… John R Levine
- Re: [DNSOP] updating fragile dnssec, was Fwd: New… Patrik Fältström
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] New Version Notification for draft-pa… Ted Lemon
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John Levine
- Re: [DNSOP] New Version Notification for draft-pa… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Petr Špaček
- Re: [DNSOP] fragile dnssec, was Fwd: New Version A. Schulze