IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-woodworth-bulk-rr-07.txt

Mikael Abrahamsson <swmike@swm.pp.se> Thu, 01 February 2018 08:03 UTC

Return-Path: <swmike@swm.pp.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 974891315CA for <dnsop@ietfa.amsl.com>; Thu, 1 Feb 2018 00:03:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=swm.pp.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EACrXS23Ipw5 for <dnsop@ietfa.amsl.com>; Thu, 1 Feb 2018 00:03:54 -0800 (PST)
Received: from uplift.swm.pp.se (ipv6.swm.pp.se [IPv6:2a00:801::f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEE7C131578 for <dnsop@ietf.org>; Thu, 1 Feb 2018 00:03:52 -0800 (PST)
Received: by uplift.swm.pp.se (Postfix, from userid 501) id 34D86B1; Thu, 1 Feb 2018 09:03:50 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=swm.pp.se; s=mail; t=1517472230; bh=hUF9kbmWKvCclSYunlm6/oXJjLD86U/i1o5C8gd4rhE=; h=Date:From:To:cc:Subject:In-Reply-To:References:From; b=KxiaHpqs6TpIgRgijLnUFFHz4AvoOkyDv+0vuzmxCd7TG0OkoQClGyiWmUVDBiEyw 3/uJmNaSjBgPIDa7waVzzhhuaLBkjl4iiMt3qfKn3ylyIAbaHu2kuRua9t13DeJ5A8 F/YWPieDs4zfa10wokcyNg9k/y+0jeujKWtnX0jY=
Received: from localhost (localhost [127.0.0.1]) by uplift.swm.pp.se (Postfix) with ESMTP id 1BEA5B0; Thu, 1 Feb 2018 09:03:50 +0100 (CET)
Date: Thu, 01 Feb 2018 09:03:50 +0100
From: Mikael Abrahamsson <swmike@swm.pp.se>
To: JW <jw@pcthink.com>
cc: dnsop@ietf.org
In-Reply-To: <201711190950.vAJ9oDKN011534@atl4mhob07.registeredsite.com>
Message-ID: <alpine.DEB.2.20.1802010838110.8884@uplift.swm.pp.se>
References: <201711190950.vAJ9oDKN011534@atl4mhob07.registeredsite.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
Organization: People's Front Against WWW
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dz2BGC70zm2y-A_i0Yh61321NvU>
Subject: Re: [DNSOP] I-D Action: draft-woodworth-bulk-rr-07.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2018 08:03:57 -0000

On Sun, 19 Nov 2017, JW wrote:

> Hello,
> This draft was released a couple weeks ago and includes what we feel are some very noteworthy changes.
> Please take another look when you have time, as always we look forward to and welcome any questions/ comments.
> I am disappointed I was unable to join the group in Singapore but am optimistic I'll be able to meet again in London.

Hi, I am brought here because of the notification of this in v6ops.

I am supportive of the general idea of having these kinds of bulk records 
standardized. I read the draft, and if I understand correctly it currently 
proposes to not have DNSSEC support without on-the-fly signing.

I am extremely opposed to introducing new features into DNS that doesn't 
support DNSSEC. Going from not supporting DNSSEC to supporting DNSSEC on 
your device/server/whatever should never mean you lose features. So if 
anything new is proposed that doesn't support DNSSEC (at least on the 
server side), then we need to have a "let's deprecate DNSSEC" discussion 
at the same time. If the consensus is that we shouldn't deprecate DNSSEC, 
then whatever feature is proposed that doesn't support DNSSEC needs to go 
back to the drawing table.

With that in mind, I'd rather have this feature be a new RR type that 
would involve not generating records on the fly at all, but instead sign 
this RR type using regular DNSSEC, and then the resolver needs to be 
updated in order to actually use/understand this new RR type. I know this 
(probably) brings in another world of hurt as now (I guess) the resolver 
needs to fake PTR entries towards internal APIs that don't support these 
bulk RRs?

Anyhow, suggesting this without support for offline signed zone files is a 
no-go for me (unless that of course is deprecated and we're saying DNSSEC 
now is all about on-the-fly signing, then that discussion of course 
changes).

-- 
Mikael Abrahamsson    email: swmike@swm.pp.se

v2.23.0 | Report a Bug | By Email