IETF Logo Mail Archive

Re: [DNSOP] HTTPS SVCB no service available signal.

Joe Abley <jabley@hopcount.ca> Fri, 10 July 2020 01:53 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5EA43A0B6B for <dnsop@ietfa.amsl.com>; Thu, 9 Jul 2020 18:53:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uKHu_uOcr8yW for <dnsop@ietfa.amsl.com>; Thu, 9 Jul 2020 18:53:18 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DEAE3A0B70 for <DNSOP@ietf.org>; Thu, 9 Jul 2020 18:53:18 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id 6so3320181qtt.0 for <DNSOP@ietf.org>; Thu, 09 Jul 2020 18:53:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yLEaJGhLRD2sabWzMnzrFz+tDhJo5gZx93Ee/PDIFXI=; b=edNt1KugCV7bEdQJ/pflh4fl03K4WFR5qq7amfMhlJ8DLgtJQUK6ewdytE+j2qRuaz 96bO4RA6Jm6fgDSzLN5dO7zFnUkcCbCZFfKcusDX9wLD0TCk70pMYhvYIftA4vtwC/l1 0BLlG21yCmqKfcX5SkIb9HlkbhMBJfRg98/do=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yLEaJGhLRD2sabWzMnzrFz+tDhJo5gZx93Ee/PDIFXI=; b=J8O4Hi7HOBXA5N+g1KQuEpzHNBjxAiH5Wf1skynUVbgfLfXlceuvxSEgj/bJ1nNRUe d8M2A55eEbKGqvAgoSPUagBnT1myCUyAiGSMSQiLUO/TIdTCrqAKWFkWja45J6ApZCpM fK4AtihUVjFhyzqYg3cBmOlpTInFn0QS9pGg6uFQ5P/7L+RtkC7Nkcj28+K36gxOObDO OIg2H1de/5nRNlh4w/xq+P4RoV8a4kWUunbJjeaFZb+pbP0ErSUUD9GVw6sQp57DYSaM X82khDM3uCK5vYbOfP6/Er+5+OPNYC4FCVXCNXEyK6e3UXkf1W9FHVGhHXuskY2Wk1JM RnFA==
X-Gm-Message-State: AOAM532SqLULx9HyXJRxe2cycPRsrpSb7Gl+4f7EZOt1k6t/lSlBGUwi K3tDkuGLDYYJp73rVc55OJ2vfQ==
X-Google-Smtp-Source: ABdhPJx54UZOiZrCuCP8nEHzzZA3dL0iQP1tSWduNgQkKlPMLk4YdjZjz3TG7vhO9vE7glsQWdrYZQ==
X-Received: by 2002:aed:2437:: with SMTP id r52mr72032976qtc.140.1594345997263; Thu, 09 Jul 2020 18:53:17 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:e784:c7:8417:b1c1:98b5:7fdf? ([2607:f2c0:e784:c7:8417:b1c1:98b5:7fdf]) by smtp.gmail.com with ESMTPSA id l3sm5515826qtn.69.2020.07.09.18.53.15 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 09 Jul 2020 18:53:16 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <AFC8B7F0-134B-43C7-A0E5-E18725C50F3E@isc.org>
Date: Thu, 09 Jul 2020 21:53:13 -0400
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, dnsop WG <DNSOP@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C4CA557F-7095-4BC4-AF5D-E66A2328F14C@hopcount.ca>
References: <CAHbrMsByWLUGwe9+1QC5VjVXDsEUmC27uLmNiZjV9tjm8=fTMA@mail.gmail.com> <CAJhMdTMiQzJv299d=p13UdBzGp1QMdmg0+jBn22q-feaPfsVkw@mail.gmail.com> <AFC8B7F0-134B-43C7-A0E5-E18725C50F3E@isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/i8iAbEKKSZklRwb97EqrpRJaESs>
Subject: Re: [DNSOP] HTTPS SVCB no service available signal.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 01:53:21 -0000

On 9 Jul 2020, at 18:48, Mark Andrews <marka@isc.org> wrote:

> On 10 Jul 2020, at 08:17, Joe Abley <jabley@hopcount.ca> wrote:
> 
>> On Jul 9, 2020, at 17:18, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
>> 
>>> This seems like a reasonable idea to me.  We should be able to incorporate this for the next draft revision.
>> 
>> I guess I'll mention that when I suggested MNAME=. to indicate that a zone did not accept dynamic updates, the proposal was roundly shot down as a disgusting idea that would cause junk to be sent to root servers.
> 
> You attempted to CHANGE the purpose of MNAME from identifing the primary server to signalling that UPDATE is not supported.

By that logic, DNS UPDATE changed the original purpose of MNAME to be the target for a DNS UPDATE.

>  When you change the purpose of a field you have to consider the existing users of that field.

The only purpose of MNAME today that I am aware of is to identify the target for a DNS UPDATE. If you know of another way that the field is interpreted I'd be interested to hear it. Even without DNS UPDATE being a primary concern, there are many zones whose provisioning means that "primary master" has no real meaning; there's no reachable server that is more master or more primary than any other; the concept of a single, primary master server or service is a legacy that no longer applies to many high-use zones.

> Given that there is a registered SRV prefix for UPDATE (_dns-update._tcp) you already have a signal.

That is certainly an option for clients that use SRV lookups to identify targets for a DNS UPDATE. I'm not aware of any, but I believe your inference that they exist. I think it's fair to say that there are other clients that don't support that mechanism, though. It wasn't mentioned in RFC 2136.

>> I didn't agree with that reaction at the time. I remember noting established use of MX 0 . to indicate that a domain did not accept mail, and my suggested use with NOTIFY didn't seem very different.
> 
> Changing MX was also after the fact but “MX 0 .” didn’t have another use.

Sure it did; it had the meaning that the highest-priority host for delivering mail to is the empty string, which would have the effect of denying mail delivery since that empty string could not be used as a host name to derive an address. That's shockingly close to the intent of "MNAME = ." And by shockingly close I really mean it's the same.

I still think it'd be a service at this point to codify the use of an empty string in a field that is intended for use as a hostname to indicate that no host is available to do whatever the client was hoping to do. The only identified harm from such a definition, even after the fact, is the potential for a few client libraries that are unfamiliar with the concept of a hostname sending a few queries that will quickly be cached at multiple levels.

Making this assertion for all RDATA fields that might contain hostnames seems more beneficial than poking about in particular RRSet definitions, since it opens the door for efficient suppression of traffic in client libraries.

Having clients inadvertently send DNS UPDATEs to servers that are not prepared to accept the is at least an inefficiency; at worst it's a systematic leak of local topology information.


Joe

v2.23.0 | Report a Bug | By Email