Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

"Woodworth, John R" <John.Woodworth@CenturyLink.com> Sat, 22 July 2017 21:40 UTC

From: "Woodworth, John R" <John.Woodworth@CenturyLink.com>
To: "'Matthew Pounsett'" <matt@conundrum.com>, John R Levine <johnl@taugh.com>
CC: dnsop <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, "Woodworth, John R" <John.Woodworth@CenturyLink.com>
Date: Sat, 22 Jul 2017 21:40:08 +0000
Message-ID: <A05B583C828C614EBAD1DA920D92866BD0824617@PODCWMBXEX501.ctl.intranet>
References: <alpine.LRH.2.20.1707190347390.10419@ns0.nohats.ca> <20170719215749.2241.qmail@ary.lan> <20170720152559.GD22702@laperouse.bortzmeyer.org> <alpine.OSX.2.21.1707201752240.5469@dhcp-9d40.meeting.ietf.org> <CAAiTEH8VWv=WXOQDukVby=59Upa-+Y8ox7u4hk_qur_ZQ_3RBQ@mail.gmail.com>
In-Reply-To: <CAAiTEH8VWv=WXOQDukVby=59Upa-+Y8ox7u4hk_qur_ZQ_3RBQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uIsoZsr_HDWCKh5xQxzdEk7a2PI>
Subject: Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

> From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of Matthew Pounsett
>
> > On 20 July 2017 at 17:53, John R Levine <johnl@taugh.com> wrote:
> > That's why I don't share the fears about BULK: you cannot easily
> > deploy a new feature that will require a change in the resolvers,
> > because you don't know all the resolvers, and cannot change them even
> > if you know they are too old. But your secondaries are only a small
> > set of carefully chosen servers, and you have your say.
>
> I hear otherwise from people who run big DNS farms.  It's common to
> use multiple secondary providers, and it's hard to tell who's running
> what server software.  I also note that it took about a decade before
> people felt comfortable using DNAMEs.
>

Hi Matthew,

Thanks for your comments.

I hear and understand your concerns.  We have similar concerns, but
*I* feel we could offer a phased-in approach to set everyone's
expectations appropriately.  If one chooses to step ahead of the phase,
at least they'd have an idea what troubles await them.

>
> Dear $VENDOR.
>
> I'm a customer who is considering deploying the BULK RR type into my
> zone, and I would like to know whether your systems support it.
>
> Thank you,
> $CUSTOMER.
>
>
> That said.. there is still an issue with key distribution for online
> signing which is required to make this work.   I see the utility in
> BULK, but I'm persuaded that there needs to be more work before it's
> deployable in an environment where *XFR is required.
>

Online signing in this environment will not be possible until this
is solved, but I believe the phased-in approach would give us the time
to solve for it without delaying insecure deployment (phase 1).


Thanks,
John
-- THESE ARE THE DROIDS TO WHOM I REFER: