Re: [DNSOP] on engineering cost/benefits
Lanlan Pan <abbypan@gmail.com> Tue, 15 August 2017 09:28 UTC
Return-Path: <abbypan@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C8561204DA for <dnsop@ietfa.amsl.com>; Tue, 15 Aug 2017 02:28:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hq_mqdG8KBCR for <dnsop@ietfa.amsl.com>; Tue, 15 Aug 2017 02:28:03 -0700 (PDT)
Received: from mail-wm0-x22a.google.com (mail-wm0-x22a.google.com [IPv6:2a00:1450:400c:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 110AE13203D for <dnsop@ietf.org>; Tue, 15 Aug 2017 02:28:03 -0700 (PDT)
Received: by mail-wm0-x22a.google.com with SMTP id t201so5016487wmt.1 for <dnsop@ietf.org>; Tue, 15 Aug 2017 02:28:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7Nwvmpk7r3mMD7WT5mOJMhJ6F1YmIgQYaU5qL3lqrI8=; b=fgEeO7/jtPcLhZQn2XPea8Lt3uZS1otfVW+CLzOlOAA+i3DRJodlcnoqC+BK/BmWLI pYCxv0y9YG3CuDzp2RF/O3/SoCwy1YdDtDdYPPB+flk9ERQEwxT0uuQ5HVMXJrkaJof+ HNjjCUhj9Vcn8nzlHwPpTEZf8FKzGk+C5kZQ9MoSpT9Ll+lWuSbXullU405zWNGREEDe U6J/Z7digLpxd9zlgmMYULfdB9U8V7JyB8A+Tf0x2yHWxG/M7QEUEF87drxcjKP7WpKf COCiEGs8Y9U4qlsSQdQ8jbWixTwOzROmJFYgRq5VnK1MN7/Od7mPftEt6GogolUct3QJ TGJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7Nwvmpk7r3mMD7WT5mOJMhJ6F1YmIgQYaU5qL3lqrI8=; b=Unf5EuGInVHwFzO+tpDmGxOxqd9CNsW7hpg5i/DAJMsdWXNV/Y9VUU+KM5Uuk4+Jx6 OBnWYg69Vy0mQqG+RV0Budi7EY7QnwJ5XxHJYtc0Kjglpwe0HiKUhVoq/s0Dcjktl2AB 8VayLbxAb030JE24PAIY4QKZV/Xc5JWhjim0qdWr7sdsUB1YrUj5ttjwvjrU0wYV6zF8 Tznwjx5buIYM5oqLZFpAJ/36hLN9MPkNAWKs7yBNfofDuS4yRRsVnfdqoV0F7t3BPuxh XNVsmk7ValAtW1K38A5i0IngeA30xcFVwQnDVuLUBbrDQ3ggSPVAItiitoc+p7YRUN46 nHHA==
X-Gm-Message-State: AHYfb5gTdydNNMYjbwhHeqkc4J+vJAmbNoV0kLePxii8/8hHtkYgqn2b TVFwwe+M/bWhA1QFe86uQHrY1eTgVw6U
X-Received: by 10.80.215.7 with SMTP id t7mr26354153edi.19.1502789281604; Tue, 15 Aug 2017 02:28:01 -0700 (PDT)
MIME-Version: 1.0
References: <5992329C.9050408@redbarn.org>
In-Reply-To: <5992329C.9050408@redbarn.org>
From: Lanlan Pan <abbypan@gmail.com>
Date: Tue, 15 Aug 2017 09:27:50 +0000
Message-ID: <CANLjSvXetkR1qsDLUFNKTez7TQDjDMpJ3tNb5VocW5NPhHk2NA@mail.gmail.com>
To: Paul Vixie <paul@redbarn.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="f403045dbe944d69070556c765db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lzNK1tVdmIC1FpPfnJ86wvri1lo>
Subject: Re: [DNSOP] on engineering cost/benefits
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 09:28:07 -0000
The complexity is the real world, No Silver Bullet. It is the fact, there is always more than one way to do it, not only for subdomain wildcard cache, or IPv4/IPv6 migration. Take virtual network tunneling for example, we have VN-Tag, VXLAN, NVGRE, ... Give the choice to operators, time is the best witness, like IP surpassed ATM. Actually, SWILD can work with DNSSEC, reduce validation cost by avoiding NSEC range calculation. Repeat my option: I believe that DNSSEC deployment is decided by rising the dns security need, not by an additional subdomain wildcard feature. If SWILD will reduce DNSSEC deployment as you say, what about RPZ break DNSSEC validation in the same measure principle ? RPZ seem not to cause DNSSEC to be more ubiquitous. Paul Vixie <paul@redbarn.org>于2017年8月15日周二 上午7:30写道: > I realize that for the Perl language, "there is always more than one way > to do it". That was a design choice, and the results are now part of > Perl's reputation as a "swiss-army chainsaw" perfectly suitable for the > creation of unmaintainable programs. > > Generally, we do not provide more than one way to accomplish something, > because it imposes costs on operators and implementers and especially on > QA/test teams, who must support all such methods, for competitive or > coverage reasons. Distributed system complexity is a function of message > types and their options and permutations and combinations, and state > variables and their options and permutations and combinations. More > complexity is almost always going to add more cost than benefit, and > every argument about adding new states, variables, or messages has to > begin with the engineering economics: what are the costs & benefits? > > For example if it's possible to express the nonexistence of a wildcard > in two ways, each publisher of DNS information will have to decide > whether to support only one and if so which one, or both ways. Every > implementer of a DNS client library or a DNS-aware application will also > have to choose. If some choose method A and others choose method B than > the functionality will not be effectively present. If everyone chooses > to support both then there was no advantage to the second way. > > In terms of cost/benefit, someone who wanted to provide a new way to > support signalling of non-wildcard should be comparing the effort of > standardizing, implementing and deploying a second way, vs. pushing for > broader deployment of the existing way. One could either come to the > IETF, and to the authors of PowerDNS, BIND, NSD, Unbound, and companies > like Nominum, Microsoft, and so on, asking "could you please support > this second way to do something your systems already know how to do?", > or one could approach one's own I.T. department and the I.T. departments > of our customers, suppliers, and partners, and say, "could you please > support this existing standard by changing your operational practice to > include DNSSEC signing and validation?" > > In the first case, it's all new work, which adds complexity for all > operators and all implementers, and may have the effect of reducing > DNSSEC deployment if some number of operators cared only about this > feature (which we'll call SWILD) and have no other reason to deploy > DNSSEC. This concern is heightened because the DNSSEC specification is > crap, and there's been unending concern as to whether its costs are > greater than its benefits. DNSSEC rests on knife-edge, ready to fall. > > In the second case, it's mostly just turning stuff on that's already > defined, already implemented, and is an option in virtually all current > generation DNS software. We would not be adding new test cases for > QA/test teams. And importantly, we would be adding new effort to the > task of causing DNSSEC to be more ubiquitous. > > This kind of engineering economics tradeoff should be obvious. I > apologize to anyone who is about to ask me why I appear to be trying to > teach my grandmother how to chew cheese. Consider this a PSA for > newcomers for whom shiny objects are an unalloyed good, and aren't seen > in the context of costs and benefits and effects and side effects. > > -- > P Vixie > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > -- 致礼 Best Regards 潘蓝兰 Pan Lanlan
- [DNSOP] on engineering cost/benefits Paul Vixie
- Re: [DNSOP] on engineering cost/benefits Lanlan Pan
- Re: [DNSOP] on engineering cost/benefits Paul Vixie