Re: [DNSOP] discussion for draft-woodworth-bulk-rr-00.txt

Olafur Gudmundsson <> Sun, 08 November 2015 17:20 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 761321A8AE0 for <>; Sun, 8 Nov 2015 09:20:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cGjUqwRwxHFc for <>; Sun, 8 Nov 2015 09:20:47 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A42231A8ADD for <>; Sun, 8 Nov 2015 09:20:45 -0800 (PST)
Received: from (localhost.localdomain []) by (SMTP Server) with ESMTP id D9171180246; Sun, 8 Nov 2015 12:20:44 -0500 (EST)
Received: by (Authenticated sender: with ESMTPSA id 40244180228; Sun, 8 Nov 2015 12:20:43 -0500 (EST)
Received: from [] ([UNAVAILABLE]. []) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by (trex/5.5.4); Sun, 08 Nov 2015 12:20:44 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_22D36EF5-4911-4620-AF23-8B9DE6CFD3F7"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Olafur Gudmundsson <>
In-Reply-To: <A05B583C828C614EBAD1DA920D92866BA5DF069D@PODCWMBXEX501.ctl.intranet>
Date: Sun, 08 Nov 2015 12:20:42 -0500
Message-Id: <>
References: <A05B583C828C614EBAD1DA920D92866BA5DF065B@PODCWMBXEX501.ctl.intranet> <> <A05B583C828C614EBAD1DA920D92866BA5DF069D@PODCWMBXEX501.ctl.intranet>
To: "Woodworth, John R" <>
X-Mailer: Apple Mail (2.2104)
Archived-At: <>
Cc: Edward Lewis <>, dnsop <>
Subject: Re: [DNSOP] discussion for draft-woodworth-bulk-rr-00.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 08 Nov 2015 17:20:49 -0000

> On Nov 2, 2015, at 12:28 AM, Woodworth, John R <> wrote:
> See inline comments:
>> -----Original Message-----
>> From: Edward Lewis [ <>]
>> Subject: Re: [DNSOP] discussion for draft-woodworth-bulk-rr-00.txt
>> Process wise, you should seek to have this on the experimental track.  It
>> has potential but is far from a sure thing.
> Edward, Thank you very much for your time.  I will need to research more in
> regard to the experimental track, thank you.  Any more advice you could
> offer here would be great.

This is a quite interesting proposal, too early to tell what track the document should be on,
for now Standards track is fine. 

>> The idea of being able to send formulas for generating responses,
>> particularly for address records, reverse map and CNAME is a latent need
>> in the DNS hosting industry.  These types are special in that way, so it's
>> no surprise they are singled out.
>> I'll admit that I read and scanned portions to get an idea of what is
>> discussed.  I do like that you have the section 7.1, addressing DNSSEC.


>> One "red flag" to me is the idea of hidden wildcards.  One of the design
>> principles of DNSSEC is that it exposes the "thinking" process of the
>> server to the requestor.  That alone isn't a dead end - hidden records and
>> on-the-fly signing would "work" (but as you note not all name server
>> implementations have the ability to sign on-the-fly).
> Good point.  Our reasoning behind this was to avoid undue discrimination.
> Many providers, especially in the context of "anti-spam" make seemingly
> arbitrary decisions to block or disable huge batches of addresses based
> on coin-toss accuracy.  I've personally seen the simple changing of "dyn"
> to "static" in a hostname make all the difference and wanted to entirely
> avoid this set of circumstances where possible.  By hiding the fact the
> records are part of a pattern (i.e. hiding a "BULK" RR request with the
> same owner) the generated records are no longer susceptible to this form
> of discrimination.  Since one of our primary motivations was in essence to
> provide $GENERATES which could AXFR there is a zero externally-identifiable
> change to $GENERATEd records (i.e. no change to operational support).

I understand you want the way to minimize the zone transfers, and not expose to the world
your auto generate rules. IMHO this limits your operational to 3 options  
a) no DNSSEC 
b) on-line signing DNSSEC 
c) delegate to zones that are either a) or b) 

The option of modifying resolvers is likely to hinder the deployment of the proposal as the community that your
are trying to trick are <rant suppressed> . 

One way is that your document can be simplified is by dropping any attempt to support off-line signed zones. 
I do not see this as operational complication as in most cases BULK records will be interpreted by servers that are under a
single administrative control. 

> This, of course, is negated where pre-signed DNSSEC records are used and
> supplemental "NPN" records are required.  In this case, hiding the wildcards
> would prove moot for this purpose.  However, the NPN record provides a
> level of transparency for DNSSEC's "thinking" process while also offering
> some additional protection against would-be attackers probing DNS for a
> zone's internal organizational structure a la NSEC.
>> Cutting to the chase, there are various elements here that could work
>> together.  But also combinations that wouldn't work so well.  Simply put,
>> this is complicated.  For reasons I'll not include here, complicating the
>> protocol isn't leading in the right direction.
> Before continuing let me state your opinion is greatly respected and
> appreciated and my enthusiasm should not be taken as disrespect toward you
> or your comments in any way.
> While I wholeheartedly agree this adds a fair amount of complexity to the
> authoritative side of the equation, disregarding DNSSEC the burden on the
> recursive side is unaffected.  Where DNSSEC is required and on-the-fly is
> available, the recursive side is just as unaffected.  Where DNSSEC is
> required and on-the-fly is unavailable, we feel this complication is
> unavoidable.

A big compliment to you for thinking about how to support DNSSEC 
IMHO on-line signing is the only realistic way forward, as the there is little  
motivation by resolvers operators that you want mostly to affect to run
modern stuff. 

> When placed into a similar context as DNSSEC and the complexity of
> recursively chained cryptographic validation the added complexity supporting
> these records would add is relatively trivial.
This is not a question of complexity, it is about inertia.

> Best regards,
> John