[DNSOP] Re: Introducing Relative Label for DNS

Mark Andrews <marka@isc.org> Fri, 26 July 2024 21:46 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F229C180B53 for <dnsop@ietfa.amsl.com>; Fri, 26 Jul 2024 14:46:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.407
X-Spam-Level:
X-Spam-Status: No, score=-4.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="a1gnIfBb"; dkim=pass (1024-bit key) header.d=isc.org header.b="NNow01Op"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cf0OIYMFZ9zo for <dnsop@ietfa.amsl.com>; Fri, 26 Jul 2024 14:46:49 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1217AC169403 for <dnsop@ietf.org>; Fri, 26 Jul 2024 14:46:48 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.2.31]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id B772F3AB27C; Fri, 26 Jul 2024 21:46:48 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org B772F3AB27C
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.31
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722030408; cv=none; b=deyiJapxcf+0Cx/T1phUfYXKqrXxha89GRMUM/QDJ8G1Kl9AJW3o7hocURQ0fFsKo7fgHf8AZUYVWLOgoh1PGJr/N5JJinr36cJIbhr0t5AaRMNmizZuxwuawmEnYYId9+DfIuPm61tIbMgNAKebYiR0iNuC1O90C5iTTkpNBU0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1722030408; c=relaxed/relaxed; bh=YqUBbRhTGQbard0DjQTN/cHODYbpT+IqfWarDSy/G0k=; h=DKIM-Signature:DKIM-Signature:Mime-Version:Subject:From:Date: Message-Id:To; b=JRv48KXqZT9oZP/OQTMtJCcsim4dGETu1Qn2wkjpmJ9WBUBZLtQ1aqWL6w4u9HQ3IuEvYCeHH/+PdNI7us+iV5dwZC/wXka3QLo9AlYneRkoH5k2vkYzi8ACmsVoI/cXOeH2a1MSS7J/KkNtBkGXqCiMPGVZng0plEHBtyvrAag=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org B772F3AB27C
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1722030408; bh=Mqw5h15p5Z8gKY8E5E7BEu8pRwzNs/FhxULGwzchMrs=; h=Subject:From:In-Reply-To:Date:Cc:References:To; b=a1gnIfBb2/frq4fRaj80264SIXP8BAA7NNheAxCpAWH4BGLxO0bx0r2EY3t3OO8md zp8BC0p3YlkOCJ5tAi91jynn0odL9HGaoYY5ppwGw6ynSG9iy7ba/ewTOjE6sPTdrE OYnAbXrqU1Y3ezaGuitaYHdfYnXyTVnJAA0ms7V8=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id B35C7E6E872; Fri, 26 Jul 2024 21:46:48 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 78204E6E876; Fri, 26 Jul 2024 21:46:48 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 78204E6E876
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1722030408; bh=YqUBbRhTGQbard0DjQTN/cHODYbpT+IqfWarDSy/G0k=; h=Mime-Version:From:Date:Message-Id:To; b=NNow01OpfWBIJNYKTrPN4CSjZAK+1qABLF81Sw2tlPzlt6JnEHG1zIilarSSjR9Hs hxS/TYDXSC3cdu7nosjS4sGhHI3tgXW4F+5NHO2ze4KRUEPPQugPf8Yt8sgdsiMhxa tlYRPCIROwlMS+QiwRe6O5DHi8MnN91H6X3J/F/U=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavis, port 10026) with ESMTP id ntwfiDxX2slV; Fri, 26 Jul 2024 21:46:48 +0000 (UTC)
Received: from smtpclient.apple (dhcp-9643.meeting.ietf.org [31.133.150.67]) by zimbrang.isc.org (Postfix) with ESMTPSA id 5244CE6E872; Fri, 26 Jul 2024 21:46:48 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6.1.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <6098004d16486aec62112a2bb47ea3e6@yocto.com>
Date: Fri, 26 Jul 2024 14:46:46 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <2D8B8914-F0DF-41F8-9308-84DA5B996C35@isc.org>
References: <32cb827b0875605f8fbf47ccae1d4a9c@yocto.com> <820cf87253842916310c789e92e71129@yocto.com> <6098004d16486aec62112a2bb47ea3e6@yocto.com>
To: Ben van Hartingsveldt <ben.vanhartingsveldt=40yocto.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3731.700.6.1.1)
Message-ID-Hash: Z4YGXKUML6GNLNHIXFOYYMJQ7AFKSXHM
X-Message-ID-Hash: Z4YGXKUML6GNLNHIXFOYYMJQ7AFKSXHM
X-MailFrom: marka@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Introducing Relative Label for DNS
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jLXmAOINGQwHaMbyaIdmnARMV_s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

This is not needed.  Additionally when answers are returned the zone is not known.
This is true of both stub resolvers and non validating recursive resolvers.

As for your MX example one could use existing DNS compression mechanisms on the
wire and when storing the record if desired by using an offset into the owner name
of the record.  For unknown record types one would also have to record the original
case of the owner name and this is also desirable to known types.  None of this
however requires a RFC to do.  This is not worth it for saving a few bytes in a
DNS message.

e.g. storage

MX
	
	<07>example<03>com<00>  0<02>mx<c000><13-bits-of-upper-case-flags>

some other now defined type that the server knows

        <07>example<03>com<00>  <start-of-rdata><09>example01<c000><13-bits-of-upper-case-flags><rest-of-rdata>

We do something similar in BIND for case preservation of owner names.  The
data is all in lower case and we restore the upper case before doing case
sensitive DNS name compression on the answer.

As for using the new label in UPDATE you would need to know that the server
supports the label type.  Remember for types that it knows about it will be
decoding the name to prevent garbage being inserted.

Mark

> On 26 Jul 2024, at 02:07, Ben van Hartingsveldt <ben.vanhartingsveldt=40yocto.com@dmarc.ietf.org> wrote:
> 
> Dear all,
> 
> Today, I released a new version of the draft: https://datatracker.ietf.org/doc/html/draft-yocto-dns-relative-label-02. I replaced the term "record" with "resource record", updated the reference to the EDNS RFC, and added an Acknowledgements section.
> 
> @Peter Thomassen: Is it possible to make some list with all interop problems for this draft? With such list, I can look for ways to address them; or that I conclude to reframe the draft to be for confined systems only.
> 
> Ben
> 
> Ben van Hartingsveldt schreef op 2024-07-23 08:56:
>> Dear all,
>> Today, I released a new version of the draft: https://datatracker.ietf.org/doc/html/draft-yocto-dns-relative-label-01. I tried to clarify things a little bit more, added some examples and fixed some references.
>> Ben
>> Ben van Hartingsveldt schreef op 2024-07-21 18:50:
>>> Dear all,
>>> In the recent years I started working on my own coded DNS server, because I was done with the synchronization between BIND and DirectAdmin that broke all the time. It resulted in a Java server that is running on 4 IPs for some years now. Because of this, I had to read many RFCs to have it pass tests like Zonemaster, DNSViz, IntoDNS, etc. While reading and implementing things, I also came across some shortcomings of DNS. On advice of someone at SIDN, I will share my draft that I published today. It solves one of the shortcomings that DNS has in its core: relative domain names.
>>> I'm talking about https://datatracker.ietf.org/doc/html/draft-yocto-dns-relative-label-00. This draft is meant to solve the problem that we cannot use relative domain names in the DNS system, specificly in DNS UPDATE and in binary zone files. This also means that this draft is not meant for use with the QUERY opcode (except for possibly AXFR and IXFR). Let me explain those two usecases.
>>> 1) DNS UPDATE: In DNS UPDATE it is possible to update the zone using DNS itself. This can be used in routers when dynamic DNS is wanted, but also in other situations. Imagine wanting to add an MX record. Using a webinterface, you are likely able to chooses one of the following four options:
>>> - mail IN MX 10 mx
>>> - mail IN MX 10 mx.example.com.
>>> - mail.example.com. IN MX 10 mx
>>> - mail.example.com. IN MX 10 mx.example.com.
>>> However, using DNS UPDATE you are only able to add the record with fourth format; both record name and FQDN field have to be absolute. This means that when I return to the webinterface, I will likely see absolute domain names, even when I use relative domain names in my other records. My draft wants to give the client more control over when to use relative and when to use absolute domain names by adding a new label type.
>>> 2) Binary Zone Files: Since BIND 9, it is possible to save zones in a binary format. This is possible to enable/disable using `masterfile-format`. It is possible to convert the textual format to binary and vice versa. However, when converting to binary, the zone file will loose the knowledge of knowing which domain names where absolute and which where relative. This means that converting the zone back from binary to text will likely give you a zone with only absolute domain names. As with DNS UPDATE, this is a shortcoming of the wire format used by DNS.
>>> That is why I wrote this draft. Like BIND, my own DNS system also uses binary zone storage and in the future I'm planning to implement DNS UPDATE too. I also believe my draft is not yet perfect. I'm not a native English speaker and maybe just format to mention something important. That is why I want you to give your honest opinion on this topic. Do you agree with the problem? Does DNS need such label? Did I make a typo? Etc.
>>> Please let me know.
>>> Thanks in advance
>>> Ben van Hartingsveldt
>>> _______________________________________________
>>> DNSOP mailing list -- dnsop@ietf.org
>>> To unsubscribe send an email to dnsop-leave@ietf.org
>> _______________________________________________
>> DNSOP mailing list -- dnsop@ietf.org
>> To unsubscribe send an email to dnsop-leave@ietf.org
> 
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org