Re: [DNSOP] More work for DNSOP :-)

Paul Wouters <paul@nohats.ca> Sat, 07 March 2015 00:37 UTC

Date: Fri, 06 Mar 2015 19:37:02 -0500
From: Paul Wouters <paul@nohats.ca>
To: Paul Vixie <paul@redbarn.org>
In-Reply-To: <54FA1E0D.3000700@redbarn.org>
Message-ID: <alpine.LFD.2.10.1503061930040.6603@bofh.nohats.ca>
References: <20150306145217.GA8959@nic.fr> <54F9C29E.9040408@jive.com> <54F9F90D.1020806@redbarn.org> <54F9FCD3.7010204@jive.com> <54F9FDFA.2030405@redbarn.org> <F25411A6-2CBD-4A76-949C-6E236FA87863@isoc.org> <20150306205920.GA17567@isc.org> <alpine.LFD.2.10.1503061609090.17414@bofh.nohats.ca> <54FA1E0D.3000700@redbarn.org>
User-Agent: Alpine 2.10 (LFD 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/iEGknSEVtdrxBDlMuh1sElQXLO0>
Cc: Evan Hunt <each@isc.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] More work for DNSOP :-)

On Fri, 6 Mar 2015, Paul Vixie wrote:

> Paul Wouters wrote:
>> On Fri, 6 Mar 2015, Evan Hunt wrote:
>>
>>> (As an aside: I've often wondered why the DNS doesn't have *more* meta-query
>>> types, less extensive than ANY, such as a single type covering A and AAAA.
>
> nothing prevents a server from answering A with AAAA as additional data, or answering AAAA with A as
> additional data. there can be no delegation point between rrtypes at a single node, so poisoning isn't to
> be feared. the RRSIGs for additional data can be included just as when A/AAAA additional data is included
> with MX, SRV, or NS.
> 
> i'd like to see this done. it would not require an internet-draft, or if one existed, it would be an FYI
> not STD.

At the time, I was more thinking of an EDNS option with an NSEC3-style
bitmap to specify which RRTYPEs you are interested in. Those would
have to include the proof that something does not exist. It gets
trickier if you want to support asking for "IPSECKEY and TLSA record for
www.nohats.ca" and map that to the proper _443._tcp.www.nohats.ca. for
TLSA and its NSEC3 records.

People were pretty fast to say "just send multiple queries at once". And
that is kind of true, and exactly what is now done with A / AAAA. But it
would be better to get one query reply so you can make an informed
decision instead of either waiting for the 2nd query or doing v4 when
you could have done v6 if you had waited on the second query reply.

The problem with specifying this without a new EDNS option is that you
don't know the difference between old software and a missing A/AAAA
record - you just know it was not in the reply. So software will still
use two queries. It's fixable, but the migration path will take years
while we don't have a good dns library to do this work in that everyone
will then use.

Paul
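The message above sketches two things without code: an EDNS option carrying an NSEC3-style type bitmap of the RRTYPEs a client wants, and the reason such an option is needed (a reply from legacy software is indistinguishable from a genuine "no such record" otherwise). The following is an added example, not code from this thread or from any DNS implementation. The type bitmap encoding is the real NSEC/NSEC3 Type Bit Maps wire format from RFC 4034 section 4.1.2 and the option TLV layout is the real one from RFC 6891; the option code OPT_TYPES_WANTED is a constructed placeholder in the local/experimental range (no such option is assigned), and the rule that a server which understood the option echoes it in its reply is an assumption of this example, chosen so that a missing echo identifies a legacy server. The NSEC/NSEC3 non-existence proofs the message mentions are out of scope here.

```python
import struct

# RRTYPE numbers used below (values from the IANA DNS parameters registry).
RRTYPE = {"A": 1, "AAAA": 28, "IPSECKEY": 45, "RRSIG": 46, "NSEC": 47, "TLSA": 52, "CAA": 257}
RRTYPE_NAME = {v: k for k, v in RRTYPE.items()}

# Hypothetical option code for a "types wanted" EDNS option. NOT assigned by IANA;
# 65001-65534 is the RFC 6891 local/experimental range, used here only for illustration.
OPT_TYPES_WANTED = 65280


def encode_type_bitmap(types):
    """Encode a set of RRTYPE numbers in the NSEC/NSEC3 Type Bit Maps format
    (RFC 4034 section 4.1.2): ascending window blocks of <window><length><bitmap>,
    one block per 256-type range that has any bit set, trailing zero octets trimmed."""
    windows = {}
    for t in types:
        if not 0 <= t <= 65535:
            raise ValueError(f"RRTYPE out of range: {t}")
        win, low = t >> 8, t & 0xFF
        bitmap = windows.setdefault(win, bytearray(32))
        bitmap[low >> 3] |= 0x80 >> (low & 7)  # bit 0 of each octet is the most significant
    out = bytearray()
    for win in sorted(windows):
        trimmed = bytes(windows[win]).rstrip(b"\x00")
        out += struct.pack("!BB", win, len(trimmed)) + trimmed
    return bytes(out)


def decode_type_bitmap(data):
    """Inverse of encode_type_bitmap. Rejects truncated, empty, oversized or
    out-of-order window blocks instead of reading past the end of the buffer."""
    types, pos, last_win = set(), 0, -1
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated window block header")
        win, length = data[pos], data[pos + 1]
        pos += 2
        if not 1 <= length <= 32 or win <= last_win or len(data) - pos < length:
            raise ValueError("malformed window block")
        last_win = win
        for i, octet in enumerate(data[pos:pos + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.add((win << 8) | (i << 3) | bit)
        pos += length
    return types


def encode_edns_option(code, data):
    """RFC 6891 section 6.1.2 option TLV: OPTION-CODE, OPTION-LENGTH, OPTION-DATA."""
    return struct.pack("!HH", code, len(data)) + data


def decode_edns_options(rdata):
    """Parse OPT RDATA into {option-code: option-data}; a short or trailing fragment is an error."""
    opts, pos = {}, 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if len(rdata) - pos < length:
            raise ValueError("truncated option data")
        opts[code] = rdata[pos:pos + length]
        pos += length
    return opts


def classify_reply(answer_types, reply_opt_rdata, wanted):
    """The distinction the message says is missing without an EDNS option.
    A reply that echoes the option (assumed semantics) came from a server that
    understood the request, so a wanted type absent from the answer is a real
    absence. A reply without the echo came from legacy software, and the only
    safe conclusion is to fall back to one query per type."""
    opts = decode_edns_options(reply_opt_rdata)
    if OPT_TYPES_WANTED not in opts:
        return "legacy-server: fall back to separate queries"
    acknowledged = decode_type_bitmap(opts[OPT_TYPES_WANTED])
    if not wanted <= acknowledged:
        return "server acknowledged a different type set: fall back"
    missing = wanted - answer_types
    if missing:
        names = sorted(RRTYPE_NAME.get(t, f"TYPE{t}") for t in missing)
        return "absent (server-acknowledged): " + ",".join(names)
    return "complete"


if __name__ == "__main__":
    wanted = {RRTYPE["A"], RRTYPE["AAAA"]}
    request_opt = encode_edns_option(OPT_TYPES_WANTED, encode_type_bitmap(wanted))
    print(request_opt.hex())
    # Constructed replies: a legacy server strips unknown options; an aware server echoes it.
    print(classify_reply({RRTYPE["A"]}, b"", wanted))
    print(classify_reply({RRTYPE["A"]}, request_opt, wanted))
</test>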