Re: [DNSOP] DNS Delegation Requirements
Shane Kerr <shane@time-travellers.org> Mon, 08 February 2016 11:45 UTC
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 596351AD2DF for <dnsop@ietfa.amsl.com>; Mon, 8 Feb 2016 03:45:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e1WwDmP3c_6P for <dnsop@ietfa.amsl.com>; Mon, 8 Feb 2016 03:45:06 -0800 (PST)
Received: from time-travellers.nl.eu.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5D7E1AD2D5 for <dnsop@ietf.org>; Mon, 8 Feb 2016 03:45:04 -0800 (PST)
Received: from [2001:470:78c8:2:224:9bff:fe13:3a9c] (helo=pallas.home.time-travellers.org) by time-travellers.nl.eu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1aSkFY-0002rv-9k; Mon, 08 Feb 2016 11:45:00 +0000
Date: Mon, 08 Feb 2016 12:45:00 +0100
From: Shane Kerr <shane@time-travellers.org>
To: Jakob Schlyter <jakob@kirei.se>
Message-ID: <20160208124500.4f2e8cd0@pallas.home.time-travellers.org>
In-Reply-To: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se>
References: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/tAU45GAxz0wnOVSn_PRCIPTK7pg>
Cc: dnsop <dnsop@ietf.org>, Patrik Wallström <patrik.wallstrom@iis.se>
Subject: Re: [DNSOP] DNS Delegation Requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2016 11:45:10 -0000
Jakob, At 2016-02-08 09:57:15 +0100 Jakob Schlyter <jakob@kirei.se> wrote: > As we've seen to good summary on requirements for on a well-behaved DNS delegation of a domain name, Patrik Wallström and myself has written an Internet-Draft [1] describing such requirements. The requirements were developed within the CENTR Test Requirements Task Force (TRTF) and most of the original requirements and text originate from the Zonemaster [2][3] project. > > At this point, we're seeking more public comments - on this mailing list (unless the chairs disapproves), on the our issue tracker [4] or via email to the authors. > > > jakob > > > [1] https://www.ietf.org/id/draft-wallstrom-dnsop-dns-delegation-requirements-00.txt > [2] https://zonemaster.net/ > [3] https://github.com/dotse/zonemaster > [4] https://github.com/CENTRccTLDs/TRTF/issues Document structure ---- Just to be clear, the idea here is only to have really, absolutely essential requirements? Because it seems like a mix of "just the minimum" and "oh, here are some other things too". I guess I kind of envision three levels: 1. Actual minimum requirements (SHOULD) 2. Strongly recommended requirements (MUST) 3. "-Wall" requirements, for people who want to know the Proper way to run DNS (a.k.a "Aussie rules" DNS operations) In my mind, organizing the document in this order would be helpful. You could have the same sections in each, such as "Routing" or "Zone Contents" - the current set is probably fine. This should make it easier both for authors - since it is clear what is really, REALLY a requirement at all times. It should also make it easier for operators and implementors, because you can start at the top and then as you move on to softer requirements decide if they fit your situation or not. Specific requirements ---- Looking at the list, I see a lot of MUST requirements which seem too strong for me: 6.3. The name servers MUST have distinct IP addresses Certainly this is not a MUST. Name server operations can happily function like this, and I can possibly even think of reasons why this might be easier if I squint my eyes and step back a bit. ;) 6.8. SOA MNAME MUST be authoritative for the zone Oddly the very first sentence uses SHOULD not MUST, which seems appropriate. :) 7.1. The DS Digest Type MUST be assigned by IANA 7.2. The DNSKEY algorithm MUST be assigned by IANA Both of these eliminate the chance for private (or public) experimentation. For example, maybe I want to put in a DNSKEY RR that uses some alternative crypto in addition to IANA ones. 7.2 forbids that. 8.4. The SOA RNAME MUST not contain the '@' character 8.5. The SOA RNAME MUST be a legal hostname 8.6. The SOA MNAME MUST be a legal hostname Breaking these rules happens all the time (mostly by mistake), and nothing breaks. MUST seems too strong. 8.7. The MX record in apex MUST point to a valid hostname Getting this wrong will break e-mail, but I'm not 100% sure about MUST. Cheers, -- Shane
- Re: [DNSOP] DNS Delegation Requirements Warren Kumari
- Re: [DNSOP] DNS Delegation Requirements Ray Bellis
- Re: [DNSOP] DNS Delegation Requirements Patrik Wallström
- Re: [DNSOP] DNS Delegation Requirements Ólafur Guðmundsson
- Re: [DNSOP] DNS Delegation Requirements Jakob Schlyter
- Re: [DNSOP] DNS Delegation Requirements Mark Andrews
- Re: [DNSOP] DNS Delegation Requirements Shane Kerr
- Re: [DNSOP] DNS Delegation Requirements Ralf Weber
- [DNSOP] DNS Delegation Requirements Jakob Schlyter
- Re: [DNSOP] DNS Delegation Requirements Mark Andrews
- Re: [DNSOP] DNS Delegation Requirements Darcy Kevin (FCA)
- Re: [DNSOP] DNS Delegation Requirements Mark Andrews
- Re: [DNSOP] DNS Delegation Requirements Darcy Kevin (FCA)
- Re: [DNSOP] DNS Delegation Requirements Warren Kumari
- Re: [DNSOP] DNS Delegation Requirements Jacques Latour
- Re: [DNSOP] DNS Delegation Requirements Darcy Kevin (FCA)
- Re: [DNSOP] DNS Delegation Requirements George Michaelson
- Re: [DNSOP] DNS Delegation Requirements Tony Finch
- [DNSOP] normative language in BCPs Re: DNS Delega… Suzanne Woolf
- Re: [DNSOP] normative language in BCPs Re: DNS De… George Michaelson
- Re: [DNSOP] normative language in BCPs Re: DNS De… Mark Andrews
- Re: [DNSOP] DNS Delegation Requirements John Kristoff
- Re: [DNSOP] DNS Delegation Requirements Darcy Kevin (FCA)
- Re: [DNSOP] DNS Delegation Requirements Jakob Schlyter