IETF Logo Mail Archive

Re: [DNSOP] HTTPS SVCB no service available signal.

Mark Andrews <marka@isc.org> Fri, 10 July 2020 03:02 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 173ED3A0C61 for <dnsop@ietfa.amsl.com>; Thu, 9 Jul 2020 20:02:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 325AzgvkeDAA for <dnsop@ietfa.amsl.com>; Thu, 9 Jul 2020 20:02:54 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBEF33A0C5E for <DNSOP@ietf.org>; Thu, 9 Jul 2020 20:02:54 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 842993AB070; Fri, 10 Jul 2020 03:02:54 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 7358A160038; Fri, 10 Jul 2020 03:02:54 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 4189016003E; Fri, 10 Jul 2020 03:02:54 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id zc-CAYFJPTEc; Fri, 10 Jul 2020 03:02:54 +0000 (UTC)
Received: from [1.0.0.3] (unknown [49.2.181.130]) by zmx1.isc.org (Postfix) with ESMTPSA id 56C21160038; Fri, 10 Jul 2020 03:02:53 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.5\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <C4CA557F-7095-4BC4-AF5D-E66A2328F14C@hopcount.ca>
Date: Fri, 10 Jul 2020 13:02:49 +1000
Cc: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, dnsop WG <DNSOP@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2133DA0C-4640-4489-9C6A-485A57BCBF70@isc.org>
References: <CAHbrMsByWLUGwe9+1QC5VjVXDsEUmC27uLmNiZjV9tjm8=fTMA@mail.gmail.com> <CAJhMdTMiQzJv299d=p13UdBzGp1QMdmg0+jBn22q-feaPfsVkw@mail.gmail.com> <AFC8B7F0-134B-43C7-A0E5-E18725C50F3E@isc.org> <C4CA557F-7095-4BC4-AF5D-E66A2328F14C@hopcount.ca>
To: Joe Abley <jabley@hopcount.ca>
X-Mailer: Apple Mail (2.3445.9.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zKp7kTlxbkJQPmrzjFMmref2Qzc>
Subject: Re: [DNSOP] HTTPS SVCB no service available signal.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 03:02:56 -0000


> On 10 Jul 2020, at 11:53, Joe Abley <jabley@hopcount.ca> wrote:
> 
> On 9 Jul 2020, at 18:48, Mark Andrews <marka@isc.org> wrote:
> 
>> On 10 Jul 2020, at 08:17, Joe Abley <jabley@hopcount.ca> wrote:
>> 
>>> On Jul 9, 2020, at 17:18, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
>>> 
>>>> This seems like a reasonable idea to me.  We should be able to incorporate this for the next draft revision.
>>> 
>>> I guess I'll mention that when I suggested MNAME=. to indicate that a zone did not accept dynamic updates, the proposal was roundly shot down as a disgusting idea that would cause junk to be sent to root servers.
>> 
>> You attempted to CHANGE the purpose of MNAME from identifing the primary server to signalling that UPDATE is not supported.
> 
> By that logic, DNS UPDATE changed the original purpose of MNAME to be the target for a DNS UPDATE.

No. DNS UPDATE says any listed nameserver is a target for DNS UPDATE.  If the SOA MNAME matches a NS name then you try that nameserver FIRST.

>> When you change the purpose of a field you have to consider the existing users of that field.
> 
> The only purpose of MNAME today that I am aware of is to identify the target for a DNS UPDATE. If you know of another way that the field is interpreted I'd be interested to hear it. Even without DNS UPDATE being a primary concern, there are many zones whose provisioning means that "primary master" has no real meaning; there's no reachable server that is more master or more primary than any other; the concept of a single, primary master server or service is a legacy that no longer applies to many high-use zones.

So you discard everyone that has to diagnose DNS issues.  You discard anyones self configuring provisioning system.  The field is in use for purposes other than DNS UPDATE.

>> Given that there is a registered SRV prefix for UPDATE (_dns-update._tcp) you already have a signal.
> 
> That is certainly an option for clients that use SRV lookups to identify targets for a DNS UPDATE. I'm not aware of any, but I believe your inference that they exist. I think it's fair to say that there are other clients that don't support that mechanism, though. It wasn't mentioned in RFC 2136.

You local MacOS machine will lookup _dns-update._tcp SRV as do some CPE routers.

>>> I didn't agree with that reaction at the time. I remember noting established use of MX 0 . to indicate that a domain did not accept mail, and my suggested use with NOTIFY didn't seem very different.
>> 
>> Changing MX was also after the fact but “MX 0 .” didn’t have another use.
> 
> Sure it did; it had the meaning that the highest-priority host for delivering mail to is the empty string, which would have the effect of denying mail delivery since that empty string could not be used as a host name to derive an address. That's shockingly close to the intent of "MNAME = ." And by shockingly close I really mean it's the same.
> 
> I still think it'd be a service at this point to codify the use of an empty string in a field that is intended for use as a hostname to indicate that no host is available to do whatever the client was hoping to do. The only identified harm from such a definition, even after the fact, is the potential for a few client libraries that are unfamiliar with the concept of a hostname sending a few queries that will quickly be cached at multiple levels.
> 
> Making this assertion for all RDATA fields that might contain hostnames seems more beneficial than poking about in particular RRSet definitions, since it opens the door for efficient suppression of traffic in client libraries.
> 
> Having clients inadvertently send DNS UPDATEs to servers that are not prepared to accept the is at least an inefficiency; at worst it's a systematic leak of local topology information.

> Joe

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email