IETF Logo Mail Archive

Re: [DNSOP] DNS Delegation Requirements

Shane Kerr <shane@time-travellers.org> Mon, 08 February 2016 11:45 UTC

Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 596351AD2DF for <dnsop@ietfa.amsl.com>; Mon, 8 Feb 2016 03:45:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e1WwDmP3c_6P for <dnsop@ietfa.amsl.com>; Mon, 8 Feb 2016 03:45:06 -0800 (PST)
Received: from time-travellers.nl.eu.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5D7E1AD2D5 for <dnsop@ietf.org>; Mon, 8 Feb 2016 03:45:04 -0800 (PST)
Received: from [2001:470:78c8:2:224:9bff:fe13:3a9c] (helo=pallas.home.time-travellers.org) by time-travellers.nl.eu.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1aSkFY-0002rv-9k; Mon, 08 Feb 2016 11:45:00 +0000
Date: Mon, 08 Feb 2016 12:45:00 +0100
From: Shane Kerr <shane@time-travellers.org>
To: Jakob Schlyter <jakob@kirei.se>
Message-ID: <20160208124500.4f2e8cd0@pallas.home.time-travellers.org>
In-Reply-To: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se>
References: <3A6EF5A0-928C-4F10-BD68-265DAE87F9A8@kirei.se>
X-Mailer: Claws Mail 3.13.2 (GTK+ 2.24.29; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/tAU45GAxz0wnOVSn_PRCIPTK7pg>
Cc: dnsop <dnsop@ietf.org>, Patrik Wallström <patrik.wallstrom@iis.se>
Subject: Re: [DNSOP] DNS Delegation Requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2016 11:45:10 -0000

Jakob,

At 2016-02-08 09:57:15 +0100
Jakob Schlyter <jakob@kirei.se> wrote:

> As we've seen to good summary on requirements for on a well-behaved DNS delegation of a domain name, Patrik Wallström and myself has written an Internet-Draft [1] describing such requirements. The requirements were developed within the CENTR Test Requirements Task Force (TRTF) and most of the original requirements and text originate from the Zonemaster [2][3] project.
> 
> At this point, we're seeking more public comments - on this mailing list (unless the chairs disapproves), on the our issue tracker [4] or via email to the authors.
> 
> 
> 	jakob
> 
> 
> [1] https://www.ietf.org/id/draft-wallstrom-dnsop-dns-delegation-requirements-00.txt
> [2] https://zonemaster.net/
> [3] https://github.com/dotse/zonemaster
> [4] https://github.com/CENTRccTLDs/TRTF/issues


Document structure
----

Just to be clear, the idea here is only to have really, absolutely
essential requirements? Because it seems like a mix of "just the
minimum" and "oh, here are some other things too".

I guess I kind of envision three levels:

1. Actual minimum requirements (SHOULD)
2. Strongly recommended requirements (MUST)
3. "-Wall" requirements, for people who want to know the Proper way to
   run DNS (a.k.a "Aussie rules" DNS operations)

In my mind, organizing the document in this order would be helpful. You
could have the same sections in each, such as "Routing" or "Zone
Contents" - the current set is probably fine.

This should make it easier both for authors - since it is clear what
is really, REALLY a requirement at all times. It should also make it
easier for operators and implementors, because you can start at the top
and then as you move on to softer requirements decide if they fit your
situation or not.


Specific requirements
----
Looking at the list, I see a lot of MUST requirements which seem too
strong for me:

6.3.  The name servers MUST have distinct IP addresses

Certainly this is not a MUST. Name server operations can happily
function like this, and I can possibly even think of reasons why this
might be easier if I squint my eyes and step back a bit. ;)

6.8.  SOA MNAME MUST be authoritative for the zone

Oddly the very first sentence uses SHOULD not MUST, which seems
appropriate. :)

7.1.  The DS Digest Type MUST be assigned by IANA
7.2.  The DNSKEY algorithm MUST be assigned by IANA

Both of these eliminate the chance for private (or public)
experimentation. For example, maybe I want to put in a DNSKEY RR that
uses some alternative crypto in addition to IANA ones. 7.2 forbids that.

8.4.  The SOA RNAME MUST not contain the '@' character
8.5.  The SOA RNAME MUST be a legal hostname
8.6.  The SOA MNAME MUST be a legal hostname

Breaking these rules happens all the time (mostly by mistake), and
nothing breaks. MUST seems too strong.

8.7.  The MX record in apex MUST point to a valid hostname

Getting this wrong will break e-mail, but I'm not 100% sure about MUST.

Cheers,

--
Shane

v2.23.0 | Report a Bug | By Email