Re: [DNSOP] Do we need new draft that recommends number limits ?

John R Levine <johnl@taugh.com> Tue, 12 March 2024 23:19 UTC

Date: Tue, 12 Mar 2024 19:19:44 -0400
Message-ID: <6433bd20-deca-a2b7-ac76-9fc19da9dd12@taugh.com>
From: John R Levine <johnl@taugh.com>
To: Mark Andrews <marka@isc.org>
Cc: dnsop@ietf.org
X-X-Sender: johnl@ary.qy
In-Reply-To: <0247583E-EB0C-4703-B07C-E85E46649F4A@isc.org>
References: <20240312164614.36BF88504657@ary.qy> <0247583E-EB0C-4703-B07C-E85E46649F4A@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/nuT7A1bcOOK6uhh3L_n5mXRsqjU>

On Wed, 13 Mar 2024, Mark Andrews wrote:
>> The obvious example is CNAME chains. In 1034/1035 the only use
>> contemplated for CNAME was temporary forwarding when a host name
>> changed, and for that use, chained CNAMEs made no sense. Now they
>> delegate authority to different points of control in many different
>> ways. For applications like CDNs, you need two or three link CNAME
>> chains and nobody appears to find that a problem.
>
> Actually it is a problem.  It results in lots of additional lookups.
> That in turn results in amplification bug reports being reported from
> universities looking for the latest way to abuse the DNS to launch
> DoS attacks.  And it is not 3 CNAMEs, you are looking at 5+ CNAMEs
> today.

Whatever it is, it's a lot more than one, and we've been able to deal with it.

I agree with you that a lot of CNAME applications could better be done 
another way (someone pointed out that Cloudflare does CDNs with no CNAMEs 
at all) but at this point the costs of forcing people to use fewer CNAMEs 
are unlikely to be worth the pain.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
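The thread argues about how many CNAMEs a resolver should be willing to follow and what that costs in extra lookups. The following is an added example, not code from the thread or from any named implementation: a toy recursive-resolver model that follows a CNAME chain under a configurable chain-length cap, counts the lookups it had to perform, and refuses (rather than keeps chasing) once the cap is exceeded. The zone data, names and addresses are constructed for the example, and the model assumes one lookup per owner name, which is simpler than a real resolver's query pattern.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not from the thread). Each owner name maps to a
# single (type, rdata) pair; the model charges one lookup per owner name.
ZONE: Dict[str, Tuple[str, str]] = {
    # a five-link chain of the kind the thread says is common today
    "www.example.test.":     ("CNAME", "cdn.example.test."),
    "cdn.example.test.":     ("CNAME", "edge.cdn-vendor.test."),
    "edge.cdn-vendor.test.": ("CNAME", "pop.cdn-vendor.test."),
    "pop.cdn-vendor.test.":  ("CNAME", "node.cloud-host.test."),
    "node.cloud-host.test.": ("CNAME", "a1.cloud-host.test."),
    "a1.cloud-host.test.":   ("A", "192.0.2.10"),
    # a one-link chain
    "short.example.test.":   ("CNAME", "a1.cloud-host.test."),
    # a CNAME loop: without a cap a naive resolver would never terminate
    "loop-a.example.test.":  ("CNAME", "loop-b.example.test."),
    "loop-b.example.test.":  ("CNAME", "loop-a.example.test."),
}


@dataclass
class Resolution:
    status: str                 # "ok", "chain-too-long" or "nxdomain"
    answer: Optional[str]       # final non-CNAME rdata when status is "ok"
    lookups: int                # number of owner names the resolver fetched
    chain: List[str] = field(default_factory=list)  # CNAME owners followed


def resolve(name: str, max_cname_chain: int,
            zone: Dict[str, Tuple[str, str]] = ZONE) -> Resolution:
    """Follow CNAMEs from `name`, giving up once more than
    `max_cname_chain` CNAME records have been followed.

    The cap bounds the work a single client query can cause (the
    amplification concern in the thread) and, as a side effect, breaks
    CNAME loops, which would otherwise be followed forever."""
    chain: List[str] = []
    lookups = 0
    current = name
    while True:
        lookups += 1
        rr = zone.get(current)
        if rr is None:
            return Resolution("nxdomain", None, lookups, chain)
        rtype, rdata = rr
        if rtype != "CNAME":
            return Resolution("ok", rdata, lookups, chain)
        chain.append(current)
        if len(chain) > max_cname_chain:
            # Stop here instead of issuing yet another query.
            return Resolution("chain-too-long", None, lookups, chain)
        current = rdata


def lookup_cost_table(names: List[str], max_cname_chain: int) -> Dict[str, int]:
    """Lookups spent per name under a given cap; useful for comparing caps."""
    return {n: resolve(n, max_cname_chain).lookups for n in names}


if __name__ == "__main__":
    for cap in (3, 5):
        print(f"cap={cap}")
        for qname in ("www.example.test.", "short.example.test.",
                      "loop-a.example.test."):
            r = resolve(qname, cap)
            print(f"  {qname:24} {r.status:15} lookups={r.lookups} "
                  f"answer={r.answer}")
```

Running it shows the trade-off the thread is arguing over: with a cap of 5 the five-link chain resolves after six lookups, while a cap of 3 refuses it after four, and the loop is cut off at the cap either way.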