Re: [DNSSEC-Bootstrapping] Sharding?

Steve Crocker <steve@shinkuro.com> Tue, 19 October 2021 16:30 UTC

From: Steve Crocker <steve@shinkuro.com>
Date: Tue, 19 Oct 2021 12:27:48 -0400
Message-ID: <CABf5zv+bPFfHGxGwwryEO12AVOKxBFbZx=fhqB6R39nmMmF-sg@mail.gmail.com>
To: Peter Thomassen <peter@desec.io>
Cc: dnssec-bootstrapping@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssec-bootstrapping/FVVBdQ1ujM9YYOzCOovlMGilkx4>
Subject: Re: [DNSSEC-Bootstrapping] Sharding?

Peter,

The sentence

For a given second label such as hash(co.uk), the first label will indicate
all the (bootstrappable) domains that the DNS operator manages under that
ancestor.


raises a question not only of whether the number is too large but also how
frequently it changes.  How accurate does this have to be?  If it's
supposed to be completely accurate, this will likely be out of date very
quickly for a large domain.

Thanks,

Steve


On Tue, Oct 19, 2021 at 9:05 AM Peter Thomassen <peter@desec.io> wrote:

> Hi all,
>
> In my other email, I mentioned an open question about the protocol format.
> Here you go.
>
> So far, the owner name of the signaling record for example.co.uk hosted
> on ns1.provider.net is: example.hash(co.uk)._boot.ns1.provider.net
>
> For a given second label such as hash(co.uk), the first label will
> indicate all the (bootstrappable) domains that the DNS operator manages
> under that ancestor.
>
> In case of the .com zone, I can imagine this to be a number that is
> potentially very high. (The concern does not apply to the second label, as
> many domains will have the same ancestor.)
>
> 1.) Do you think that this will be a problem for anyone, such as at the
> scale of Cloudflare?
> 2.) If yes: What could be done about it?
>         a. One mitigation could be to synthesize signaling records ad hoc,
> but that requires auth support.
>         b. Another way would be to introduce some kind of sharding (=
> splitting the first label into several, possibly based on a few hash
> digits).
>         c. ...?
>
> I am not sure this is really a problem at all, but an approach like 2.b)
> would be a protocol change, so it will be hard to do it later. That's why
> I'm interested in your opinions. (If nobody thinks this is a problem, we
> can close it right away.)
>
> Cheers,
> Peter
>
> --
> Like our community service? 💛
> Please consider donating at
>
> https://desec.io/
>
> deSEC e.V.
> Kyffhäuserstr. 5
> 10781 Berlin
> Germany
>
> Vorstandsvorsitz: Nils Wisiol
> Registergericht: AG Berlin (Charlottenburg) VR 37525
>
> --
> DNSSEC-Bootstrapping mailing list
> DNSSEC-Bootstrapping@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssec-bootstrapping
>
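The naming scheme under discussion (first label, then hash(ancestor), then `_boot`, then the operator's NS hostname) and the sharding idea in option 2.b can be made concrete with a small script. The code below is an added example written for this archive page; it is not code from the thread, from deSEC, or from the draft. The thread does not specify the hash function or the shard construction, so both are assumptions here: the ancestor hash is SHA-256 over the lowercased ancestor name, hex-encoded and truncated to 32 characters so the label stays within the 63-octet DNS label limit, and the shard label is the first few hex digits of SHA-256 over the child's first label, inserted between the first label and hash(ancestor). The `names_per_node` helper counts how many signaling names end up under each node, which is the quantity Steve's question about size and churn refers to; the sample child names are constructed.

```python
"""Signaling-record owner names for DNSSEC bootstrapping as described in the
thread, plus a hypothetical sharded variant (option 2.b).

Assumptions (not specified in the thread): hash(ancestor) is SHA-256 over the
lowercased ancestor name, hex-encoded and truncated to 32 characters so that
the label fits the 63-octet DNS label limit; the shard label is the first
`shard_digits` hex characters of SHA-256 over the first label.
"""
import hashlib
from collections import Counter

MAX_LABEL = 63   # RFC 1035 label limit (octets)
MAX_NAME = 253   # practical limit for a presentation-format name


def _normalise(name):
    """Drop the trailing dot and lowercase; DNS names are case-insensitive."""
    return name.strip(".").lower()


def ancestor_hash(ancestor, length=32):
    """hash(ancestor) as a single DNS label (assumed construction)."""
    digest = hashlib.sha256(_normalise(ancestor).encode("ascii")).hexdigest()
    return digest[:length]


def _split_child(child):
    """Split 'example.co.uk' into ('example', 'co.uk')."""
    labels = _normalise(child).split(".")
    if len(labels) < 2:
        raise ValueError("child name needs at least two labels")
    return labels[0], ".".join(labels[1:])


def signaling_name(child, ns):
    """Unsharded form from the thread: <first>.<hash(ancestor)>._boot.<ns>."""
    first, ancestor = _split_child(child)
    return f"{first}.{ancestor_hash(ancestor)}._boot.{_normalise(ns)}"


def shard_label(first, shard_digits):
    """Assumed shard label: a few hex digits of SHA-256 over the first label."""
    return hashlib.sha256(first.encode("ascii")).hexdigest()[:shard_digits]


def sharded_signaling_name(child, ns, shard_digits=2):
    """Hypothetical option 2.b: <first>.<shard>.<hash(ancestor)>._boot.<ns>."""
    first, ancestor = _split_child(child)
    shard = shard_label(first, shard_digits)
    return f"{first}.{shard}.{ancestor_hash(ancestor)}._boot.{_normalise(ns)}"


def check_name(name):
    """Reject names that would not be valid DNS owner names (label/name length)."""
    labels = name.split(".")
    return all(0 < len(label) <= MAX_LABEL for label in labels) and len(name) <= MAX_NAME


def names_per_node(children, ns, shard_digits=0):
    """Count signaling names directly under each parent node.

    Without sharding the parent is hash(ancestor)._boot.<ns>, so the count is
    the number of bootstrappable children the operator hosts under that
    ancestor; with sharding the parent is <shard>.hash(ancestor)._boot.<ns>.
    """
    counts = Counter()
    for child in children:
        if shard_digits:
            name = sharded_signaling_name(child, ns, shard_digits)
        else:
            name = signaling_name(child, ns)
        parent = name.split(".", 1)[1]  # everything after the first label
        counts[parent] += 1
    return dict(counts)


# Constructed sample: children of two ancestors hosted on the same operator.
SAMPLE_CHILDREN = ["example.co.uk", "shop.co.uk", "news.co.uk", "example.com", "foo.com"]

if __name__ == "__main__":
    for child in SAMPLE_CHILDREN:
        name = signaling_name(child, "ns1.provider.net")
        print(name, "valid" if check_name(name) else "INVALID")
    print(names_per_node(SAMPLE_CHILDREN, "ns1.provider.net"))
    print(names_per_node(SAMPLE_CHILDREN, "ns1.provider.net", shard_digits=1))
```

Running it prints one owner name per sample child followed by the per-node counts, first unsharded (three names under the co.uk node, two under the com node) and then with a one-digit shard, which spreads those names over up to sixteen sub-nodes per ancestor. The per-node count is exactly the figure that is large and changes often for a big operator; sharding only changes which node carries it.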