Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt
Mukund Sivaraman <muks@isc.org> Sat, 24 March 2018 21:55 UTC
Return-Path: <muks@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74050126DC2 for <dnsop@ietfa.amsl.com>; Sat, 24 Mar 2018 14:55:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PMnQTuIViRi2 for <dnsop@ietfa.amsl.com>; Sat, 24 Mar 2018 14:55:56 -0700 (PDT)
Received: from mail.banu.com (mail.banu.com [46.4.129.225]) by ietfa.amsl.com (Postfix) with ESMTP id EADF0120721 for <dnsop@ietf.org>; Sat, 24 Mar 2018 14:55:55 -0700 (PDT)
Received: from jurassic (unknown [14.194.233.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.banu.com (Postfix) with ESMTPSA id D0DA932C0ABD; Sat, 24 Mar 2018 21:55:51 +0000 (UTC)
Date: Sun, 25 Mar 2018 03:25:45 +0530
From: Mukund Sivaraman <muks@isc.org>
To: Ondřej Surý <ondrej@isc.org>
Cc: Jim Reid <jim@rfc1035.com>, dnsop WG <dnsop@ietf.org>, "jabley@hopcount.ca" <jabley@hopcount.ca>
Message-ID: <20180324215545.GA20482@jurassic>
References: <CA+nkc8BfMKRUHuW+3EzOCeZHfmu1jeOgfVcszTbTYh9k2VTBcA@mail.gmail.com> <002DCABB-24CE-42FA-8DA6-2A458E5F89A1@isc.org> <5AB53F8B.9070504@redbarn.org> <7CF21F70-9419-4D6A-B555-FC229F90E8A9@isc.org> <5AB546CB.3030408@redbarn.org> <CCAE4014-67F8-4E73-A893-AA06B83E880B@isc.org> <20180324124958.GA29255@puck.nether.net> <CAJhMdTPRn=mUQ6xh_HFdFLBk109b_M2+saS86KFxsttb8_oVvw@mail.gmail.com> <4B5F0AAC-76CE-4A88-900D-2CA99993A9B6@rfc1035.com> <DBC4885A-941F-492B-8C19-45BB76E2D131@isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <DBC4885A-941F-492B-8C19-45BB76E2D131@isc.org>
User-Agent: Mutt/1.9.2 (2017-12-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rS2_zwsQ896HyP3Dn3ONnyiHDpo>
Subject: Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Mar 2018 21:55:57 -0000
Hi Ondrej On Sat, Mar 24, 2018 at 09:20:06PM +0100, Ondřej Surý wrote: > > It might be a different story if one of those zombie RRtypes required additional processing. None spring to mind though. > > But (most of) those I picked actually *DO*: In the case of RR types, "additional processing" means type specific behaviors that do not usually apply to other types. For example, CNAME has additional processing. The following processing is common to 1035 types. > a) compression is allowed, so compliant and non-compliant servers can’t speak together, because non-compliant will just store junk in the RDATA when received from compliant server; > b) the RDATA needs to be understood and lowercased for canonical form when DNSSEC signing; again you need to *implement* this in DNSSEC Validator as it would cause validation failures if you don't > > And all this extra work must be done for RR Types that are unused in current protocols. The implementation for these M* types isn’t just wire<->human readable translation. These types can go in any future 1035 bis draft, in support of what you're asking because they are obsolete. But as it stands, RR types (except additional processing) are typically implemented in software as an RDATA interface with type specific implementations. Removing these types will mean rm -f'ing some implementation files/classes, which certainly reduces the quantity of code but does not affect complexity of the nameserver as other types require similar common RDATA processing anyway. In this regard, other commenters are right in observing that it doesn't affect complexity significantly. Any proposal that has a draft written can get an RRTYPE assignment approved and these appear from time to time - it doesn't affect complexity unless there's additional processing. Some things to think about for DNS complexity: * Obsoleting CLIENT-SUBNET.. as mentioned on a BIND ticket, CLIENT-SUBNET flies in the face of where DNS is headed (towards more privacy). If every user used the resolver on their own network, there'd be no need for this facility. It's only when forwarders and caches (that are arguably anti-privacy) from outside the network come into play, that CLIENT-SUBNET becomes necessary. We as DNS community should push towards validating resolvers closer to devices. This is even without discussing CLIENT-SUBNET's design issues, for which alone it can go. There is a LOT unwritten in CLIENT-SUBNET RFC. * TSIG extras: In TCP continuation (multiple DNS messages such as during AXFR), TSIG allows some intermediate messages to be sent unsigned without TSIG RR, and a following TSIG RR to cover all such intermediate messages. There is no need for such a thing in today's world. BIND and Knot do not generate such TSIG signed continuations with gaps (though BIND can parse them), whereas NSD does generate them. It is just an extra variant to save little space that adds implementation complexity. * TSIG extra extra: TSIG allows truncated MACs which just is ugly. Some DNS messages may overflow the PMTU or the client-specified EDNS UDP buffer size if the full MAC is specified vs. the truncated MAC but this is such a corner case with little benefit compared to complexity of handling this facility, checking truncated limits, etc. And extra BADTRUNC rcode, etc. * Revising the DNS message format would be a no-no, but there're redundancies there (repeating owner names [even if they can be compressed], class, type, TTL, possibility of TTL mismatch among RRs of a set, etc.). RR class is extra complexity for the most case on the internet. RRs can be out of order of sets.. it is ugly to parse. DNS message processing/rendering is inefficient due to the redundancies. * Name compression (aggressively done) is inefficient and takes up a significant portion of runtime, and there has been a lot of to and fro on type-specific rules. RFC 1123 requires name compression, but one might as well abandon it and put out names in full, esp. over TCP. It'll eat more bytes, but not much compared to Youtube and software updates. * All these new additional answer / additional section multi-RR proposals.. if you ask me, I don't want it in our DNS implementation. ----- Language in RFCs of the time of 1034/1035 is underspecified. We're counting pages, but one way to reduce confusion about the protocol is to _add_ more details and write a bis using 1034/1035 + ncache + edns + clarifications, etc. with modern language and extra detail. As an example, I was asked by a colleage a couple of days ago if any RFCs required that, if the answer section of a reply had: (1) a valid answer RRset matching the RR type that was queried, and (2) _other_ RRs that are unrelated, then should the reply message be discarded? While this may be classified to be "common sense", this case does not appear to be specified, and it was a valid enough question for someone to ask about it. RFC 1034 has ambiguous language which can be misconstrued to mean anything: > Step 4 involves analyzing responses. The resolver should be highly > paranoid in its parsing of responses. However, back in its day, the synthesized CNAME for DNAME replies would be totally meaningless if there was a type mismatch and a resolver implementation of that day threw away a response if an unrelated (and back in the day unknown) DNAME type was found in the response. There are details in DNS implementation code on how to handle cases that are not specified in RFCs. A modern document should specify more behaviors clearly, which would increase its page count, but also increase understanding. Mukund
- [DNSOP] Fwd: New Version Notification for draft-s… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Martin Hoffmann
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… P Vix
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] Fwd: New Version Notification for dra… Jared Mauch
- Re: [DNSOP] Fwd: New Version Notification for dra… Joe Abley
- Re: [DNSOP] Fwd: New Version Notification for dra… Jim Reid
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Viktor Dukhovni
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Paul Hoffman
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] Fwd: New Version Notification for dra… Tony Finch
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Michael Casadevall
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Jim Reid
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-su… Michael Casadevall
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-su… Richard Gibson
- Re: [DNSOP] New Version Notification for draft-su… Michael Casadevall
- Re: [DNSOP] New Version Notification for draft-su… Dick Franks
- Re: [DNSOP] New Version Notification for draft-su… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-su… Dick Franks
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Robert Edmonds
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-su… william manning
- Re: [DNSOP] New Version Notification for draft-su… william manning
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý