IETF Logo Mail Archive

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

Joe Abley <jabley@hopcount.ca> Sun, 29 July 2018 19:44 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F2B5130E85 for <dnsop@ietfa.amsl.com>; Sun, 29 Jul 2018 12:44:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d-NwAiiShs8l for <dnsop@ietfa.amsl.com>; Sun, 29 Jul 2018 12:44:42 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0682112F1AB for <dnsop@ietf.org>; Sun, 29 Jul 2018 12:44:42 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id d70-v6so7391514ith.1 for <dnsop@ietf.org>; Sun, 29 Jul 2018 12:44:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=UUaSpsGmm372qBVTNoVR6EJRNJyOahT9lfbr/TrV9mM=; b=JEqSAMWvzjrxC6nVOlwofq+inKvXKuU/J4GWqqA/5pJsltk2KHQZzzNjFekBsWOJaT EB0UGJ+3zsEf4UBET6FsUXFeyslvQE4kGZVsEyHW/1ysMMjMYMp/0oYPDhRzmqYCORK7 ngtogxyGg+Ig3wnCM2+N1kct6uld3Vm78BzoU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=UUaSpsGmm372qBVTNoVR6EJRNJyOahT9lfbr/TrV9mM=; b=Jw6O5D+QmM4tWwlbyfdX9AKGVVGASOHxkSuTX23r8oDJpuMrznjLP7FWX3mvGPXB3P Mj9rsbQcZvzwscxc8RowtRr/Wt9HDoQt40i4rxhFwAcdP/lXiS0UwRxgUbogOSn9PL3r NPjve5vqWeeNHlqDyUWPztCQOBOAOvSBkjdS0lUZJGLSGjTUsaXYaQeoeEPIEwyta1z4 1mhRUY1oN9xGNoq6Bp+FKtgUnJO+C+aXHZcpgvRxSjmblawzUMOsGJNewMAkT3EdE6Sj kOz+bIAT41MXgcQZXP/74w6Jc/9Z+SX61sDmbRwsCl/Zhmq61zup8ENo4cw6FP7E49cC yqbQ==
X-Gm-Message-State: AOUpUlE127b5aSUUpAsKsDa8D2ZPFW88BbUzn7Vs5l7i8hgqjggqLdri UUmPtGS0Dv2ymx9xXDDFirNVnN7BZQE=
X-Google-Smtp-Source: AAOMgpfjLQsYXX3fnUa5ETCEntsVeoqUW+Xft4Cvuft0UqNw1ARv2pDpxI2TniEtQujukBT0bn3Z2w==
X-Received: by 2002:a24:55cd:: with SMTP id e196-v6mr11490965itb.8.1532893480917; Sun, 29 Jul 2018 12:44:40 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:101:3:6d81:e02f:e86f:3b17? ([2607:f2c0:101:3:6d81:e02f:e86f:3b17]) by smtp.gmail.com with ESMTPSA id n195-v6sm5235058itg.16.2018.07.29.12.44.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 29 Jul 2018 12:44:39 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Joe Abley <jabley@hopcount.ca>
X-Mailer: iPad Mail (15G77)
In-Reply-To: <CABf5zvLq4PUiVYk3-sBZ-HF-Ecp7eSzBKhm-Fw=2+80OOYQ0ug@mail.gmail.com>
Date: Sun, 29 Jul 2018 15:44:38 -0400
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <03FAA51D-C9EE-4619-91A7-636C29D2D6F1@hopcount.ca>
References: <20180729155014.C8F2C20030CD40@ary.qy> <5F1A8568-02D6-4145-8ECE-59385C31DA7C@shinkuro.com> <CAJhMdTP-J8qaGQE1rTQQ6KUC0fdtHpJeztr9GaY2n-WGpYm8Pg@mail.gmail.com> <CABf5zvLq4PUiVYk3-sBZ-HF-Ecp7eSzBKhm-Fw=2+80OOYQ0ug@mail.gmail.com>
To: Steve Crocker <steve@shinkuro.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vd5TXRW63SJrQwJrzn4zoB7lK7w>
Subject: Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jul 2018 19:44:44 -0000

Hi Steve,

On Jul 29, 2018, at 15:09, Steve Crocker <steve@shinkuro.com> wrote:

> As an individuals, you, I, or anyone else, can do whatever we like, of course.  On the other hand, as system designers we presumably look at the overall system and try to put in place an operational structure that anticipates and meets the likely needs of the users.

Agreed!

> The present and long-standing system provides the recursive resolvers with well-oiled and highly effective solutions to (a) finding the root servers and (b) getting highly reliable and highly responsive answers from them.

This is true. However, there are some disadvantages of the current system that are worth thinking about when we consider alternatives, such as the privacy implications of having all resolvers call home to a set of well-known servers and the aggregate cost of engineering and operations that has gone into making the root system as resilient as it is.

I have spoken in the past in opposition to the idea that slaving the root zone on resolvers was a desirable end-state; I think it leaves operational gaps that we should want to fill. Being able to validate the contents of the zone and have software react appropriately (without human operator intervention) when zone data is found to be stale or inaccurate obviates many of my concerns.

Perhaps there is a future where the root server system was preserved only to serve legacy clients, whilst more modern software had a diversity of options in addition to that fall-back.

I think the root zone is a convenient starting point for these kinds of discussions, but I think the scope could be wider. Maybe one day the DNS protocol (for all zones, not just the root zone) is only comonly used for communications between stub and resolver, where we have the deployed base with the longest tail, and where capacity planning and attack resistance is a different kind of problem because all your traffic generators are on-net. Perhaps the database problem of replicating authoritative data into resolver caches is solved in different ways.

It would be nice if end-users didn't have to rely upon authoritative servers being up in order to resolve names; it would be nice if there wasn't a small set of targets against which the next memcached-scale attack could be used to take us back to 21 October 2016; it would be nice if the integrity of the naming scheme didn't ultimately rely upon the deployment of BCP38.

If such a mechanism relied upon DNSSEC to ensure integrity of data in the absence of plausible channel authentication, availability of zones might be aligned with DNSSEC deployment, which would give the Alexa 500 a(nother) reason to sign their zones.

There are lots of things to think about here. I don't think clinging to the status quo in terms of infrastructure or institutions is necessarily a good idea, although I do agree with the idea of preserving legacy compatability and incremental change.


Joe

v2.23.0 | Report a Bug | By Email