Re: [DNSOP] I-D Action: draft-ietf-dnsop-delegation-only-00.txt

Paul Wouters <paul@nohats.ca> Wed, 06 May 2020 17:52 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A48153A0948 for <dnsop@ietfa.amsl.com>; Wed, 6 May 2020 10:52:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qjfkp2CGuEVu for <dnsop@ietfa.amsl.com>; Wed, 6 May 2020 10:52:00 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEEED3A0947 for <dnsop@ietf.org>; Wed, 6 May 2020 10:51:59 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 49HPL30RRGzF1d; Wed, 6 May 2020 19:51:55 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1588787515; bh=FdGCFVaPOOZsxBQMaIayFCqxlM/xSx0SrDV8pOYLBHM=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=LxjBlxp0c90FRWgdtteQZU0fIUh1kETXWAMS/oeztIOaTIRHPIx1OhoB7eyT+ssEi +QI4SmZ3fUEYF3TZw8+yB0m8muhoS3cAg7v+uwbmxh92sDPLjQKDbwG1saXvdNxMhG GH0btldqkJEIRhzrMmQlWmzOoFJwP1Ul3M6BxcOw=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id Tbw3SqFRjyUF; Wed, 6 May 2020 19:51:54 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 6 May 2020 19:51:54 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 083166029BA6; Wed, 6 May 2020 13:51:53 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 0493E66B7C; Wed, 6 May 2020 13:51:53 -0400 (EDT)
Date: Wed, 6 May 2020 13:51:52 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Ray Bellis <ray@bellis.me.uk>
cc: IETF DNSOP WG <dnsop@ietf.org>
In-Reply-To: <b4b75f53-ad53-2c13-a0c4-f3f04db9f326@bellis.me.uk>
Message-ID: <alpine.LRH.2.21.2005061346510.20509@bofh.nohats.ca>
References: <158877603626.19950.8270190025944203627@ietfa.amsl.com> <b4b75f53-ad53-2c13-a0c4-f3f04db9f326@bellis.me.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8BIT
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fa7fBKHuo87jiXKUO5XBUwyemmY>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-delegation-only-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 May 2020 17:52:02 -0000

On Wed, 6 May 2020, Ray Bellis wrote:

> §8 of the draft says:
>
>> Some TLDs have a requirement for certain Fully Qualified Domain Names
>> (FQDN) within their TLD, such as "whois.example" or "nic.example".
>> These usually appear as signed data of the TLD and not as a delegated
>> child zone.  These names would have to be converted to delegated
>> zones before enabling the DELEGATION_ONLY flag
>
> Requiring such records to become delegations may be impossible if the
> existing names (that might now become apex records) require a CNAME.

Why would this _require_ to be a CNAME ?

If whois.example. is now a CNAME to somewhere.something.example. then
you could setup a new zone for whois.example. You are saying the tools
cannot set the A/AAAA records of this new zone to point to the old
CNAME? Or you are afraid the "CNAME update procedure" cannot be
easilly ported to a "A/AAAA update procedure" ?

I would say that a TLD should probably be capable of handling this.

> Another non-delegation record also commonly found in TLDs is
> _nicname._tcp.<tld> SRV.

_underscore labels are excempted in the draft already, because it is
understand that these really always apply to the zone itself, and
are never valid delegations to other entities.

Paul