Re: [DNSOP] Robert Wilton's Discuss on draft-ietf-dnsop-iana-class-type-yang-03: (with DISCUSS and COMMENT)
Ladislav Lhotka <ladislav.lhotka@nic.cz> Thu, 10 June 2021 11:37 UTC
Return-Path: <ladislav.lhotka@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 571AF3A3EFC; Thu, 10 Jun 2021 04:37:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KDkSwF3JN1vP; Thu, 10 Jun 2021 04:37:01 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B236C3A3EF8; Thu, 10 Jun 2021 04:37:00 -0700 (PDT)
Received: from localhost (unknown [IPv6:2001:1488:fffe:6:a88f:7eff:fed2:45f8]) by mail.nic.cz (Postfix) with ESMTPSA id 1ED1D140AA1; Thu, 10 Jun 2021 13:36:57 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1623325017; bh=0fNYsSetjeKlElukv1rRdmXgTyhl93MdqhmsMFb+gwc=; h=From:To:Date; b=m/hQO2RTu4yhNRwMFrKvId/mAorMrtgop9U/3e2/Mk0L1vFxpMRa6HEYURc4c1nl3 RMfYAuazQjUA4K1LJHeEp5IvpTeSjR+SDsdt7YmWVvBoFVCZUcrrDmsGzHLNC8cqMI 4fDdYFJi2t6eAiia0oXXAzUxgv7J+06A3JOEO5ms=
From: Ladislav Lhotka <ladislav.lhotka@nic.cz>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>, The IESG <iesg@ietf.org>, Warren Kumari <warren@kumari.net>, "michelle.cotton@iana.org" <michelle.cotton@iana.org>
Cc: "draft-ietf-dnsop-iana-class-type-yang@ietf.org" <draft-ietf-dnsop-iana-class-type-yang@ietf.org>, "dnsop-chairs@ietf.org" <dnsop-chairs@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "benno@NLnetLabs.nl" <benno@NLnetLabs.nl>
In-Reply-To: <DM4PR11MB54387F896D20E42837F0E577B5359@DM4PR11MB5438.namprd11.prod.outlook.com>
References: <162271898741.9722.1347203006737053876@ietfa.amsl.com> <b7d76095-e82d-4152-4a1e-865545e589a9@nic.cz> <DM4PR11MB54387F896D20E42837F0E577B5359@DM4PR11MB5438.namprd11.prod.outlook.com>
Date: Thu, 10 Jun 2021 13:36:56 +0200
Message-ID: <87y2biq7c7.fsf@nic.cz>
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.102.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/eNf6xHQAmDg7srSC-IXi3OYltnw>
Subject: Re: [DNSOP] Robert Wilton's Discuss on draft-ietf-dnsop-iana-class-type-yang-03: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jun 2021 11:37:07 -0000
"Rob Wilton (rwilton)" <rwilton@cisco.com> writes: > Hi Lada, > > I've also copied Michelle on - since I think that it would be helpful for IANA to at least be aware of this discussion. > > Sorry for being slow to get back to you. I've expanded on my discuss comment below, but it may be helpful for you, Warren, I, possibly Michelle, to have a quick chat to see if we can resolve it. > > > >> -----Original Message----- >> From: Ladislav Lhotka <ladislav.lhotka@nic.cz> >> Sent: 03 June 2021 14:17 >> To: Rob Wilton (rwilton) <rwilton@cisco.com>; The IESG <iesg@ietf.org> >> Cc: draft-ietf-dnsop-iana-class-type-yang@ietf.org; dnsop-chairs@ietf.org; >> dnsop@ietf.org; benno@NLnetLabs.nl >> Subject: Re: Robert Wilton's Discuss on draft-ietf-dnsop-iana-class-type-yang- >> 03: (with DISCUSS and COMMENT) >> >> Hi Rob, >> >> On 03. 06. 21 13:16, Robert Wilton via Datatracker wrote: >> >> ... >> >> > ---------------------------------------------------------------------- >> > DISCUSS: >> > ---------------------------------------------------------------------- >> > >> > Hi, >> > >> > One issue that I think we should should discuss and resolve (sorry for the >> late >> > discuss ballot): >> > >> > In section 4, it states: >> > >> > "status": Include only if a class or type registration has been >> > deprecated or obsoleted. In both cases, use the value "obsolete" >> > as the argument of the "status" statement. >> > >> > I know that we have had some previous discussion on this on Netmod, but, >> if >> > draft-ietf-netmod-yang-module-versioning-02 gets standardized then it will >> > effectively evolve YANG's "status deprecated" into "must implement or >> > explicitly deviate" and YANG's "status obsolete" into "must not implement". >> It >> > wasn't clear to me that marking one of these fields as being deprecated in >> an >> > IANA registry would mean that existing implementations must stop using it >> if >> > they migrate to a new version of the generated YANG module. Hence, I >> think >> > that at this stage, it may be safer to map IANA "deprecated" into YANG's >> > "status deprecated"? >> > >> >> Yes, this was discussed repeatedly in NETMOD and DNSOP WGs. I think we >> currently have to use RFC 7950 for the status definitions, and so in YANG >> >> o "deprecated" indicates an obsolete definition, but it permits >> new/continued implementation in order to foster interoperability >> with older/existing implementations. >> >> This is incompatible with the meaning of "deprecated" in IANA >> registries, which is per RFC 8126: "use is not recommended". > > I don't think that there is a perfect answer here, and I think that for the > moment we are looking for the least bad option. > > The YANG and IANA definitions of deprecated are obviously different, > but it isn't clear to me how different they actual are from those definitions. > > E.g., in neither case do they indicate why they are going away (e.g., > because they are no longer used, or there is a better way, or there is a > security issue). > > I would also argue that "use is not recommended" applies to the YANG > "deprecated" as well, and generally matches what I understand what deprecated means. One strong case that was mentioned in DNSOP discussions was a compromised crypto algorithm. It will be marked as deprecated in IANA registries, and it is highly undesirable to "foster interoperability" by using it. In fact, this I-D started with mapping IANA deprecated/obsolete to the same term in YANG (which is what RFC 7224 does), but we were forced to change it due to the above objection. > > But ultimately there are two choices here: > > (1) Map both IANA deprecated and obsolete to YANG obsolete as your draft > proposes. If the text in draft-ietf-netmod-yang-module-versioning-02 gets > standardized then this means that there will be no way to indicate a DNS > class type that shouldn't be used anymore and is going away. Either it is > "current" and can/should be implemented, or it is "obsolete" and it cannot be > used once the server pulls in the new revision of the types YANG file. I.e., > there isn't even a mechanism to deviate it to indicate that it is still supported, > there is no possible transition window. Maybe the RFC can then be updated to reflect this evolution? In our view, mapping both terms to "obsolete" in YANG is currently the safest option. > > (2) Map IANA deprecated -> YANG deprecated. IANA obsolete -> YANG > obsolete. With vanilla RFC 7950, the server may or may not > implement the deprecated value, and it can use a deviation to be > explicit. If draft-ietf-netmod-yang-module-versioning-02 gets > standardized: The server is expected to implement it or use a You probably mean "The server is expected NOT to implement it or ...", right? > deviation. I.e., there is still a mechanism to allow a server to > implement if they need to, but equally they can also choose not to > implement it. > > I'm still of the opinion that (2) is the least bad option out of the two above. Our YANG module probably doesn't have anything as critical as crypto algorithms, so it might work. I am a bit worried about the reaction of DNSOP WG though: it will open another round of discussion, and some people might fiercely oppose this change. This seemingly simple I-D was started already almost 3 years ago. :-/ > > A third possibility, a variant of (2), would be to map IANA deprecated to YANG > deprecated, but also update the type description to indicate that "Per the > IANA [XXX] definition of 'deprecated', use is not recommended. New > implementation should not use it; existing implementations should phase > out support for it." This would be possible, too, but my concern about further delays still applies, so I would prefer to avoid any changes. Pragmatically, I don't think that a DNS CLASS or RR TYPE will ever become deprecated (obsolete is OK), so it might be a non-issue anyway. Cheers, Lada > > > >> >> I agree that this discrepancy should be solved in a new version of YANG, >> possibly along the lines of draft-ietf-netmod-yang-module-versioning-02, >> but we can't wait for that with this draft. > > Agreed. I'm not suggesting that we wait. > > Regards, > Rob > > >> >> > >> > ---------------------------------------------------------------------- >> > COMMENT: >> > ---------------------------------------------------------------------- >> > >> > Hi, >> > >> > Thanks for this document. I think that documenting this fields in YANG is a >> good thing. >> > >> > One minor nit: >> > >> > In an couple of places you have used 'analogically' but perhaps meant >> 'analogously' instead? >> >> Yes, I will change all occurrences. >> >> Thanks, Lada >> >> > >> > Thanks, >> > Rob >> > >> > >> > >> >> -- >> Ladislav Lhotka >> Head, CZ.NIC Labs >> PGP Key ID: 0xB8F92B08A9F76C67 -- Ladislav Lhotka Head, CZ.NIC Labs PGP Key ID: 0xB8F92B08A9F76C67
- [DNSOP] Robert Wilton's Discuss on draft-ietf-dns… Robert Wilton via Datatracker
- Re: [DNSOP] Robert Wilton's Discuss on draft-ietf… Ladislav Lhotka
- Re: [DNSOP] Robert Wilton's Discuss on draft-ietf… Rob Wilton (rwilton)
- Re: [DNSOP] Robert Wilton's Discuss on draft-ietf… Ladislav Lhotka