[dnsop] abstract of split-view-03
Edward Lewis <Ed.Lewis@neustar.biz> Thu, 24 August 2006 15:17 UTC
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GGGxz-0003yI-4L for dnsop-archive@lists.ietf.org; Thu, 24 Aug 2006 11:17:59 -0400
Received: from mailapps.uoregon.edu ([128.223.142.45]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GGGxw-0008Ae-Lg for dnsop-archive@lists.ietf.org; Thu, 24 Aug 2006 11:17:59 -0400
Received: from mailapps.uoregon.edu (localhost [127.0.0.1]) by mailapps.uoregon.edu (8.13.7/8.13.7) with ESMTP id k7OEeWTm021104; Thu, 24 Aug 2006 07:40:32 -0700
Received: (from majordom@localhost) by mailapps.uoregon.edu (8.13.7/8.13.7/Submit) id k7OEeWmZ021102; Thu, 24 Aug 2006 07:40:32 -0700
Received: from ogud.com (ns.ogud.com [66.92.146.160]) by mailapps.uoregon.edu (8.13.7/8.13.7) with ESMTP id k7OEeVSH021097 for <dnsop@lists.uoregon.edu>; Thu, 24 Aug 2006 07:40:32 -0700
Received: from [192.168.1.101] (ns.ogud.com [66.92.146.160]) by ogud.com (8.13.1/8.13.1) with ESMTP id k7OEeMcf070467; Thu, 24 Aug 2006 10:40:23 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Mime-Version: 1.0
Message-Id: <a06230903c1136387b98f@[192.168.1.101]>
In-Reply-To: <684EB56E-5FB6-4C20-8040-1384E7F6F165@tislabs.com>
References: <E1GG0qQ-0004OC-5H@megatron.ietf.org> <684EB56E-5FB6-4C20-8040-1384E7F6F165@tislabs.com>
Date: Thu, 24 Aug 2006 10:40:21 -0400
To: Suresh Krishnaswamy <suresh@tislabs.com>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: [dnsop] abstract of split-view-03
Cc: IETF DNSOP WG <dnsop@lists.uoregon.edu>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.56 on 66.92.146.160
X-Virus-Scanned: ClamAV 0.88.4/1722/Thu Aug 24 03:29:40 2006 on mailapps
X-Virus-Status: Clean
Sender: owner-dnsop@lists.uoregon.edu
Precedence: bulk
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c0bedb65cce30976f0bf60a0a39edea4
Referring to: http://www.ietf.org/internet-drafts/draft-krishnaswamy-dnsop-dnssec-split-view-03.txt # Abstract # # The security extensions to the Domain Name System (DNSSEC) allow for # integrity protection, whereby it is possible to make a determination # of the verity of data returned from the Domain Name System in # response to a query. Current operation of the Domain Name System # also allows for the creation of multiple views of data, where the # answer returned in response to a query is dependent on the origin of # the query. Data integrity and the ability to return possibly # conflicting values as in split-views may be construed to be mutually # conflicting goals; but this apparent dichotomy is resolvable in # practice through careful configuration. This document provides # recommendations for configuring a manageable split-view DNSSEC # environment in a representative enterprise network. (This is just a comment on the abstract.) View- (I am not sure if that concept is still just a BINDism or is about to become a DNSism) based results are not just based on the origin of the query, they can also be based on the key signing the query (e.g., TSIG). The more general point is that the response to a query can be based on more data related to the query than just the QNAME, QTYPE, and QCLASS contained in the question section. There should also be a distinction between the concept of views (as the BINDism) and other answer synthesis approaches. For example, answers may be synthesized based on server load or geographical location of the query source IP address. Synthesis of this type is not part of the draft. It will be important to highlight that "out of scope" boundary lest there be arguments over whether any recommendation, etc., in this document will impact answer synthesis. So, my recommendation is that the abstract states that this document defines "split-views", both in term and in concept, principally to distinguish the practice from answer synthesis. Once there is an understanding of what it is, the reason that DNSSEC seems to be at odds with it will appear to have merit. Looking at the solutions we will see that DNSSEC is not at odds with the concept of "split-views." (Because DNSSEC allows data to be traced back to the administrator, and it is the administration that is making the split. All is cool.) My prediction is that the outcome of this document will be a new feature in DNS implementations (not the protocol) that will allow one view of a zone to be unsigned while another is. Or differently signed, etc. BTW, I am neutral on split-view as the name of the practice. I've heard split-DNS, split-namespace, split-brain, etc., over the years. The final document ought to cover these colloquialisms if they are found to be in the archives (so as not to confuse future generations). -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-571-434-5468 NeuStar Soccer/Futbol. IPv6. Both have lots of 1's and 0's and have a hard time catching on in North America. . dnsop resources:_____________________________________________________ web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
- [dnsop] draft-krishnaswamy-dnsop-dnssec-split-vie… Suresh Krishnaswamy
- [dnsop] abstract of split-view-03 Edward Lewis
- Re: [dnsop] draft-krishnaswamy-dnsop-dnssec-split… Andrew Sullivan
- [dnsop] Chapter 1 of split-view-03 Edward Lewis
- Re: [dnsop] Chapter 1 of split-view-03 Suresh Krishnaswamy
- Re: [dnsop] Chapter 1 of split-view-03 Edward Lewis