Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt
Michael Casadevall <michael@casadevall.pro> Mon, 26 March 2018 14:22 UTC
Return-Path: <michael@casadevall.pro>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D18D1250B8 for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 07:22:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.911
X-Spam-Level:
X-Spam-Status: No, score=-1.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cOUjU4uyg-Nv for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 07:22:30 -0700 (PDT)
Received: from casadevall.pro (casadevall.pro [45.33.112.193]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1E2A12420B for <dnsop@ietf.org>; Mon, 26 Mar 2018 07:22:30 -0700 (PDT)
Received: from [192.168.2.2] (cpe-68-174-119-246.nyc.res.rr.com [68.174.119.246]) by casadevall.pro (Postfix) with ESMTPSA id 723A51F694 for <dnsop@ietf.org>; Mon, 26 Mar 2018 14:22:27 +0000 (UTC)
To: dnsop@ietf.org
References: <002DCABB-24CE-42FA-8DA6-2A458E5F89A1@isc.org> <5AB53F8B.9070504@redbarn.org> <7CF21F70-9419-4D6A-B555-FC229F90E8A9@isc.org> <5AB546CB.3030408@redbarn.org> <CCAE4014-67F8-4E73-A893-AA06B83E880B@isc.org> <20180324124958.GA29255@puck.nether.net> <CAJhMdTPRn=mUQ6xh_HFdFLBk109b_M2+saS86KFxsttb8_oVvw@mail.gmail.com> <20180325080558.GA18671@isc.org> <066C83F5-5E1C-4DF8-8D45-A7E9F3A44673@vpnc.org> <DCE31CFA-534E-451F-B743-E022F62C7516@isc.org> <20180326124544.GA32080@isc.org>
From: Michael Casadevall <michael@casadevall.pro>
Message-ID: <552cfda4-572b-7c88-b5b8-0cda5c49e2fd@casadevall.pro>
Date: Mon, 26 Mar 2018 10:22:30 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <20180326124544.GA32080@isc.org>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tD1S9VyXK1TIAnqt1s44bcz7CxU>
Subject: Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 14:22:32 -0000
On 03/26/2018 08:45 AM, Evan Hunt wrote: > On Mon, Mar 26, 2018 at 02:09:14PM +0200, Ondřej Surý wrote: >> That’s one of the goals of the document - saying: “it’s ok to not >> implement those RR Types, and it’s ok to break if you receive them" > > We need to state clearly what is meant by "ok to break". > I think to be more specifically, the end goal should be the ability to treat obsolete record types as RFC 3597 and remove special casing for them. That way, new resolvers simply have to implement 3597 and not worry about associated edge cases with the obsolete types. > I described my preferred approach as an implementer upthread. Let me > state it again more formally and let people knock it down: > > 0. types will be flagged as obsolete/deprecated in the IANA registry, > and the following guidance is given to DNS implementors in the handling > of obsolete/deprecated RR types: > > 1. auth servers SHOULD log a warning when loading zones that contain > obsolete/deprecated rrtypes. > > 2. responders SHOULD NOT compress rdata when rendering obsolete/deprecated > type records to wire format. > The problem here is that right up until the point the camel declares these RRtypes dead, the specification specifically allows them to be compressed. Specifically quoting RFC 3597 here: To avoid such corruption, servers MUST NOT compress domain names embedded in the RDATA of types that are class-specific or not well- known. This requirement was stated in [RFC1123] without defining the term "well-known"; it is hereby specified that only the RR types defined in [RFC1035] are to be considered "well-known". By definition, the types are in RFC1035; they're well known and thus compressible. One DNS server may serve a given record uncompressed, while the next one down the pipe compresses it depending on it's implementation. This came up earlier in the thread, but PowerDNS has an open bug about this and the MB type due to BIND sending the record compressed, and PowerDNS not recognizing it: https://github.com/PowerDNS/pdns/issues/5687 > 3. queriers which receive obsolete/deprecated type records MAY interpret > them as unknown type records (rfc 3597), and MUST NOT interfere with > their transmission. > > 3a. note that the choice to parse obsolete/deprecated MAY be contingent > on whether the rdata is compressed: an obsolete type record MAY be > parsed as a known type if its rdata is uncompressed, but as an > unknown type otherwise. > > 4. validators and signers SHOULD treat rdata for obsolete/deprecated types > as opaque with respect to canonical RR ordering and deduplication > On the whole, I'm in favor of removing cruft from the specs wherever possible, but I'm starting to question if decommissioning RRtypes qualifies as low hanging fruit. If we actually want to decommission these RRtypes, and building off your starting point, I think the reasonable course of action needs to be this: 1. Authoritative servers SHOULD warn when loading zones with obsolete record types 2. Resolvers MUST never send obsolete RRtypes in a compressed format. 3. Signers MUST treat rdata as opaque 4. Obsolete RRtypes MUST never be treated as a known-type with respect to the wire protocol 5. Resolvers MAY support legacy compression for received data for backward compatibility if desired, but SHOULD warn if such information is received. Compressed records MUST never be re-transmitted. 6. Validators MAY attempt to to use legacy RR ordering and de-duplication should validation. If legacy validation is required, the validator SHOULD warn that it was needed to validate the RRSIGs. In effect, we're basically saying, these RRtypes are now RFC 3597, with the caveat that it's OK to try and use them as legacy says but it's not required. By specifically allowing resolvers to understand compressed records, but never send them, it allows for the case that there may be people using these RRtypes, but sets the standard going forward to treat them as RFC 3597. The special case of allowing compressed versions to be accepted allows for backwards compatibility and notifying where things still need to be updated. Then it's essentially a matter of writing a new RFC that describes how to handle sun-setting a RRtype, and what RRtypes have been put out to pasture formally. Everyone can understand uncompressed RRtypes, and by forcing decompression, and those who want to use these for legacy RRtypes can. New resolvers don't need to worry about it, and as resolvers get upgraded, the special case in 5 goes away. For the small handful of people actually using these types, life continues as long as their resolver maintains legacy receiving support. New resolvers can just treat them as RFC 3597. Plus we now have a procedure if we want to obsolete any other RRtypes. Michael
- [DNSOP] Fwd: New Version Notification for draft-s… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Martin Hoffmann
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Bob Harold
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… P Vix
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] Fwd: New Version Notification for dra… Jared Mauch
- Re: [DNSOP] Fwd: New Version Notification for dra… Joe Abley
- Re: [DNSOP] Fwd: New Version Notification for dra… Jim Reid
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Viktor Dukhovni
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Mukund Sivaraman
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] Fwd: New Version Notification for dra… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Paul Hoffman
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Wouters
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthijs Mekking
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Shane Kerr
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] Fwd: New Version Notification for dra… Tony Finch
- Re: [DNSOP] Fwd: New Version Notification for dra… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Michael Casadevall
- Re: [DNSOP] Fwd: New Version Notification for dra… Dick Franks
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Jim Reid
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-su… Michael Casadevall
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-su… Richard Gibson
- Re: [DNSOP] New Version Notification for draft-su… Michael Casadevall
- Re: [DNSOP] New Version Notification for draft-su… Dick Franks
- Re: [DNSOP] New Version Notification for draft-su… Paul Vixie
- Re: [DNSOP] New Version Notification for draft-su… Dick Franks
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý
- Re: [DNSOP] New Version Notification for draft-su… Robert Edmonds
- Re: [DNSOP] New Version Notification for draft-su… Evan Hunt
- Re: [DNSOP] New Version Notification for draft-su… Wessels, Duane
- Re: [DNSOP] New Version Notification for draft-su… william manning
- Re: [DNSOP] New Version Notification for draft-su… william manning
- Re: [DNSOP] New Version Notification for draft-su… Ondřej Surý