Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt
Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 18 July 2017 18:02 UTC
Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33769131B66 for <dnsop@ietfa.amsl.com>; Tue, 18 Jul 2017 11:02:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=yitter.info header.b=NMm1kR2w; dkim=pass (1024-bit key) header.d=yitter.info header.b=fF/WZuy7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rxJn_YCn_zRY for <dnsop@ietfa.amsl.com>; Tue, 18 Jul 2017 11:02:06 -0700 (PDT)
Received: from mx4.yitter.info (mx4.yitter.info [159.203.56.111]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 595A3131A66 for <dnsop@ietf.org>; Tue, 18 Jul 2017 11:02:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mx4.yitter.info (Postfix) with ESMTP id 8E24DBD996 for <dnsop@ietf.org>; Tue, 18 Jul 2017 18:01:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1500400895; bh=ioWRzELjJ9npbQvU3ZtLVkWNxPLvyLwHvW8aZOGWpHM=; h=Date:From:To:Subject:References:In-Reply-To:From; b=NMm1kR2w9vLqEItKZiZhQ+CYhjUffrLxYZOwwCTwJhk44E3+cJh42JGbfIT3pxwof iW6XMKlOMwjNWB1VX9i0S/L1gysloGgNeuXQoH0wxd1Bg2czxPT7dzmvpKt33oFDqV +WGuqq8SqTZFJbGuGdIBIXMeaA783p0ppna4WjAQ=
X-Virus-Scanned: Debian amavisd-new at crankycanuck.ca
Received: from mx4.yitter.info ([127.0.0.1]) by localhost (mx4.yitter.info [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9R8OJ9hKzGtE for <dnsop@ietf.org>; Tue, 18 Jul 2017 18:01:34 +0000 (UTC)
Date: Tue, 18 Jul 2017 14:01:29 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yitter.info; s=default; t=1500400894; bh=ioWRzELjJ9npbQvU3ZtLVkWNxPLvyLwHvW8aZOGWpHM=; h=Date:From:To:Subject:References:In-Reply-To:From; b=fF/WZuy7KoyaDk1V/3xAi4GY94DQNm0Ykv33+oDgPF2mP4Pqg/lxgO6BPTG00Ve4F r4ps27Lrirc86o8xI/nDIJfuJmg4nMoUgFli7N9J6OTafQEAmQSm4JJI7peiyIVlnk ADnae3uo6ndS1BoJIHNBGfD/tYEBaNi+rCUINaD8=
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20170718180128.omffg7ce5kbhoqjr@mx4.yitter.info>
References: <149592096439.3966.11385984990945858242@ietfa.amsl.com> <0edbf3f2-e575-3b34-d3f2-f1424f29f6e4@nlnetlabs.nl> <alpine.DEB.2.11.1707181622300.27210@grey.csi.cam.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.11.1707181622300.27210@grey.csi.cam.ac.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iwi6iLOPxxN2aoUInSKhkSy2l-w>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Jul 2017 18:02:08 -0000
Hi, On Tue, Jul 18, 2017 at 05:09:00PM +0100, Tony Finch wrote: > In my view an authoritative server which does online signing and on-demand > record synthesis is a master server. You can make all your public > authoritative servers into masters if you like, but it must not be > required. > > If (like me) you have a more traditional setup then ANAME is an > instruction to the master server about zone maintenance, saying that it > needs to periodically update the sibling A and AAAA records, similar to > periodic re-signing, or as if some script were periodically `nsupdate`ing > the records. The secondary servers can continue to work the same as they > do now, but they'll work better if they know about some helpful additional > section rules for ANAME. I think I (at least mostly) agree. One possible way to sort out these bits of potential confusion is to break the problem up into conceptual parts, so that one can see the way that they work together. One part is, "How do you give this instruction to the master server(s)?" It covers representation in the master file format, what a master is supposed to do on input, how to refresh the data, and so on. A second part is, "How do you give this instruction to a slave?". This covers transferring zones, the trade-offs in handing the slaves the ANAME vs the "resolved" records, refresh timers and so on. DNSSEC considerations at least are split between these, which suggests to me that these topics could be covered by one document in two parts; but these are nevertheless separate and separable functional questions. A third part has to do with downstream resolvers and caches and so on. This is really a separate problem: how to handle ANAME-aware vs ANAME-unaware systems, the consequences of an ANAME-unaware cache ending up with an ANAME in the cache, the effects of having an A and not AAAA in cache, &c &c. A fourth part, which might be yet a separate problem or might be the same document, is what this all looks like from a stub and what happens when there are chains of forwarders and caches and so on with a mix of ANAME-awareness and -obliviousness. I still think that in addition a clear description of why this is hard would be helpful. The troublesome thing about Stupid DNS Tricks is that they're always >80% there, and all the really hard parts are in that last <20%, and the difficulties in those <20% cases are manifold and completely unexpected when you think in the abstract cases. The people who worked through all the gnarly problems of caches and the interaction with DNSSEC already went through this once (I came in at the tail end and mercifully missed most of that), but we're about to revisit those problems for a different set of questions. I think we need to understand why this is more complicated than it looks, and I think any future implementer will need a clear guide to that also. ### WARNING: IETF ADMINISTRATIVE WRANGLING AHEAD ### Since there's been talk about an interim, it strikes me that the current issue is the sort of specific topic that deserves one. But I also wonder whether this isn't bumping up pretty hard against the DNSOP charter, and whether this mightn't be a case where we put together a tightly focussed statement of work that gets chartered as a WG, with a plan never to meet (or to meet only as "part of" a DNSOP meeting or something like that), if only to avoid pain and misery when the documents describing all this go to IETF LC. I am not interested even a little bit in making more administrative overhead, but I'm very much interested in avoiding a "this is off charter" discussion during IETF LC should we get there. Best regards, A -- Andrew Sullivan ajs@anvilwalrusden.com
- [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Willem Toorop
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Andrew Sullivan
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Andrew Sullivan
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Willem Toorop
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Tony Finch
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00… Wessels, Duane