Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

"John R Levine" <johnl@taugh.com> Thu, 20 July 2017 14:31 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F174A131B05 for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 07:31:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=BnZU+Bsk; dkim=pass (1536-bit key) header.d=taugh.com header.b=WOZVioGH
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id camd7Pa2EYTQ for <dnsop@ietfa.amsl.com>; Thu, 20 Jul 2017 07:31:49 -0700 (PDT)
Received: from miucha.iecc.com (www.iecc.com [IPv6:2001:470:1f07:1126::4945:4343]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 357D2131BA0 for <dnsop@ietf.org>; Thu, 20 Jul 2017 07:31:49 -0700 (PDT)
Received: (qmail 30933 invoked from network); 20 Jul 2017 14:31:48 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=78d3.5970bed4.k1707; bh=o+Dz/7sU5FT5uxFy3pJmnKUlbC46ViVDTSaiRx2bmJo=; b=BnZU+BskSTGD+TY/xbB7tlL1CCDejSBQ5Prjvmo8+D7CKJO+v6GQwfXQNJLP/vqkzv6JjSFEabRlfIW9myDW5kJY70tknOyVTXy92cREPA2GVQ6MJthbKgQTYb3ju8aosk9brK9cM+RAEgyWzQ7Skn83ntzaPXLWeCdgLXxv6hvKN7Spp3GCg9eBmOhlJuP+STiYm0uQF5CzTpTLu8mlEEI0jjZtJjEf/Y+Dspw6S5+oZL36U38sRPEwn56RSxo9
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=78d3.5970bed4.k1707; bh=o+Dz/7sU5FT5uxFy3pJmnKUlbC46ViVDTSaiRx2bmJo=; b=WOZVioGHDCH09zzxN4Z0JDL3zGrGen0/6IA46QxDbWoIi/7L05ZVFzPk8kYANkyMpkc/N3fxXtiQBL9+YvKauivjOrp1nLljs9vp5u0o7/3d7QuhBf11I3XzMMAg/8aS+AnUtLZIRU0UDQ92m7LZlqzUo8aOO2ACwufMSSPPJkus6bYzLPrggUtWz0YIx38pOvsI9n9xXJea4gMwHBX3E9Ylmcy6q6qBR7YmYbUCuLunZaxqBmpWCfkdoa79DVZv
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 20 Jul 2017 14:31:47 -0000
Date: 20 Jul 2017 16:31:45 +0200
Message-ID: <alpine.OSX.2.21.1707201624560.5111@dhcp-9d40.meeting.ietf.org>
From: "John R Levine" <johnl@taugh.com>
To: "Tony Finch" <dot@dotat.at>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
In-Reply-To: <alpine.DEB.2.11.1707201432160.4413@grey.csi.cam.ac.uk>
References: <alpine.LRH.2.20.1707190347390.10419@ns0.nohats.ca> <20170719215749.2241.qmail@ary.lan> <A05B583C828C614EBAD1DA920D92866BD081E78B@PODCWMBXEX501.ctl.intranet> <alpine.OSX.2.21.1707200928290.4118@dhcp-8e4c.meeting.ietf.org> <alpine.DEB.2.11.1707201432160.4413@grey.csi.cam.ac.uk>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fsYSLf605NetY9swDHLfIvCwsrQ>
Subject: Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 14:31:51 -0000

On Thu, 20 Jul 2017, Tony Finch wrote:
> John R Levine <johnl@taugh.com> wrote:
>>
>> BULK absolutely requires online DNSSEC signing,
>
> This basically means that BULK is a master-only feature, which implies 
> that there's no need for BULK to work across zone transfers, which 
> implies the need to standardize it for interop is almost nonexistent.

I can't speak for the draft's authors, but in previous correspondence I've 
gotten the impression that they believe that slaves that serve BULK can 
stay in sync via AXFR and IXFR.  Perhaps they can clarify how this is 
supposed to work.

I could sort of imagine a DNAME like scheme where the server returns the 
signed BULK and the generated record and the RRSIGs and NSECs to show that 
the name for which it was generated doesn't exist, so the cache that 
receives it can unscramble the mess, but wow, would that ever be a poster 
child for why this needs DNS versioning.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly