[DNSOP] End-to-end _underscore arguments (was: Re: [art] Another look - draft-ietf-dnsop-attrleaf-05.txt)

Dave Crocker <dhc@dcrocker.net> Wed, 28 March 2018 15:29 UTC

Return-Path: <dhc@dcrocker.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF53127444 for <dnsop@ietfa.amsl.com>; Wed, 28 Mar 2018 08:29:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dcrocker.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XBWCCBGBNxNR for <dnsop@ietfa.amsl.com>; Wed, 28 Mar 2018 08:29:57 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C542120047 for <dnsop@ietf.org>; Wed, 28 Mar 2018 08:29:57 -0700 (PDT)
Received: from [192.168.1.168] (76-218-8-128.lightspeed.sntcca.sbcglobal.net [76.218.8.128]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id w2SFVNhk015794 (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for <dnsop@ietf.org>; Wed, 28 Mar 2018 08:31:23 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dcrocker.net; s=default; t=1522251083; bh=aS4EbVuDA4LTWo5sK4i7jMLEoexDiMsU2HYWyVuAZ3o=; h=From:Subject:References:Reply-To:To:Date:In-Reply-To:From; b=auvNTV8nLDGyjK6/2gzYYhauA24eyLDzWrrx8/Y633KH38x2F2t1sCUXWB71ip+dz LNtOjxd7oMcE8ICPOOqrimxb7pF4p5H7KhTAb32HkVDY9GUY4lpdOChriHlSc2b8Qs +6STygfou/+l2enCJhK/st8BqK7+G4nK5WmCly24=
From: Dave Crocker <dhc@dcrocker.net>
References: <f7b85bac-b050-5003-2df0-a48b1ef2f929@dcrocker.net> <A7711F58-5145-49E8-9158-B2F94D0EABBF@redbarn.org> <7c168dc1-2ea7-d47e-78b7-0380e5d0aa84@dcrocker.net> <alpine.OSX.2.21.1803211104210.9553@ary.local> <5244d327-f8ea-1590-c663-1d92e0b194c4@dcrocker.net> <5F44FA5B42805C52479DE491@PSB> <alpine.OSX.2.21.1803211507380.9666@dhcp-935d.meeting.ietf.org> <1DF1564CC2B88726B2B54CF4@PSB> <20180326171842.0eacbdc4@smaug.local.partim.de> <667675d4-0ff8-b236-eded-31f795b84af1@dcrocker.net> <20180326175609.497ffb10@smaug.local.partim.de> <348a61bf-fb46-1da8-2222-03d2a25db971@bbiw.net> <3945bb2c-baac-cf5e-ba15-3983f33fd592@bellis.me.uk> <68e68890-a4ba-0dbd-40d0-8bc704936beb@bbiw.net> <10f9a809-8e13-ab35-ca8a-3e340be71197@bellis.me.uk> <a7d34076-f094-bae2-db05-3da9dfc2c6ce@bbiw.net> <2f6a9412-be32-d5fa-fec0-2eede69ed3d7@bellis.me.uk> <f3ccc629-930f-2e45-9694-df16098c1fab@bbiw.net> <65ced29a-c413-946d-b1b3-a564ab04a35e@bellis.me.uk>
X-Priority: 2 (High)
Organization: Brandenburg InternetWorking
Reply-To: dcrocker@bbiw.net
To: dnsop <dnsop@ietf.org>
Message-ID: <de1a424d-d7e5-d326-44cc-a94ba199641f@dcrocker.net>
Date: Wed, 28 Mar 2018 08:29:51 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <65ced29a-c413-946d-b1b3-a564ab04a35e@bellis.me.uk>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jOreY3UIkcLGwoeKHKyNweZuSeI>
Subject: [DNSOP] End-to-end _underscore arguments (was: Re: [art] Another look - draft-ietf-dnsop-attrleaf-05.txt)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2018 15:29:59 -0000

Folks,

(long note. couldn't make it shorter...)

This has been an unusually challenging journey.  None of the recent 
comments in support of a 'simplifying' view for this registry resonated. 
  Quite the opposite. In effect, it seemed to me as if RR type would be 
a lookup key, which frankly sounds a bit nuts.  OK in theoretical terms, 
perhaps, but problematic in practical terms, especially since -- given 
my understanding of what people were saying -- the use of the RR 
apparently would need to come into the lookup process just below the 
first underscore name...

On the other hand, when a variety of serious, knowledgeable folk support 
a view, there's an obligation to put serious effort into finding their 
f'ing pony...



It finally occurred to me that the current draft already has language 
that hints at the essential point that is probably what is actually 
being made, although it wasn't put there for that purpose or with that 
intended meaning:

     A given name defines a specific, constrained context for one or
     more RR records, in which use of such records MUST conform to the
     defined constraints.  Within this scope, other resource records that
     are not specified MAY be used.

The second sentence is the one with the larger meaning than I'd 
intended.  But the first one sets the larger point, though again, I 
wasn't seeing it.



One purpose of a registry to is prevent or resolve contention between 
publishers, for whatever is being listed.  The other is so that 
producers and consumers can rendezvous. The current draft's approach to 
doing the underscore work has focused on regulating domain name labels 
because, well, that's where the underscore is and it's been the obvious 
place where there has been no coordination.  The draft has been driven 
by a classic view of registration for a domain name.  Domain name 
registries concern possible contention between different organizations 
or people wanting a name.  So obviously that's what an underscore 
registry should worry about...



The essential point that I was missing was that the domain name is /not/ 
the contention to worry about, or at least, not much.  It's still 
essential that producers and consumers use the same rules for 
formulating the names, but that's about documentation and not 
contention.  The potential contention is in use of the RRs under a given 
name. (That is, after all, the point of the first sentence, quoted 
above.)  Having two different uses of the same RR in the same leaf is 
explicitly problematic.

So in end-to-end terms, the issue is the RR and not the path (name) to 
it.  As long as there is no contention in the production or use of a 
given RR appearing in a given leaf, then it doesn't matter if there are 
other actors using the same DNS node names (path) to get to their 
/other/ RRs.

Stated that way, this seems to me pretty obvious, but I really hadn't 
been seeing it.

The 'this' is:

      The DNS Global Underscore Registry MUST have entries that are 
unique with respect to the combination of the listed resource record and 
the listed, global underscore node name (RR, _Node Name).


Alas, seeing this doesn't resolve all the issues....

While (typeA, _label1) does not collide with (typeA, _label2), it 
obviously does collide with some other specification's use of (typeA, 
_label1).  Since permitting multiple services to use the same RR type is 
the explicit goal, we need procedures that ensure that these independent 
generators don't generate the same global underscore name.

The classic, boring approach to the underscore naming registry that I 
was taking fixes this problem, by ensuring there is only one controller 
of a given leaf, even with the simplest name registration FCFS approach.

The alternative being proposed does not accomplish this in an obvious 
way, since the requirement for uniqueness does not hinge on a single 
table entry value.

I think the best way to handle that issue is to make the global 
underscore registry subject to expert review, with very careful 
consensus language directing the expert on what to look for/ensure.



So...

1. Please comment on the above

2. I've submitted a new draft version based on this highly revised view

3. Besides changes to reflect the above, it also eliminates concern for 
any lower-level underscore usage:  uniqueness is only in terms of the RR 
and the global (first) underscore node name use. This is a simplifying 
point that could be argued, to have uniqueness depend on the full 
sequence of underscore lables, but I think it does not impose a 
significant burden.

3. The Expert Review is only for this registry entry.  Any other issues 
with the document specifying that entry would be outside of the scope of 
this review, but might be covered by some other process, such as the 
existing DNS RR review requirement.

4. I've punted on the details for the URI RR, given some complexities in 
RFC 6117.  If anyone wants to suggest specific text for this, it would 
be greatly appreciated.

5. There is still a second document needed, to fix the various documents 
that specify global underscore names, so that these documents are 
updated to cite the registry. Once things settle down for this main 
draft, I'll work on that one.



Thoughts?


d/

ps. Another round of hearty thanks to Ray Bellis for his offlist 
interactions with me on this, though of course he gets none of the blame 
for my getting any of this wrong...

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net