RE: Context specific semantics was Re: uncooperative DNSBLs, wasseveral messages
"Hallam-Baker, Phillip" <pbaker@verisign.com> Thu, 13 November 2008 22:06 UTC
Return-Path: <ietf-bounces@ietf.org>
X-Original-To: ietf-archive@megatron.ietf.org
Delivered-To: ietfarch-ietf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E96013A69CF; Thu, 13 Nov 2008 14:06:06 -0800 (PST)
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B4FBB28C0EC for <ietf@core3.amsl.com>; Thu, 13 Nov 2008 14:06:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.169
X-Spam-Level:
X-Spam-Status: No, score=-5.169 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qDt-52SKH6Hx for <ietf@core3.amsl.com>; Thu, 13 Nov 2008 14:06:04 -0800 (PST)
Received: from colibri.verisign.com (colibri.verisign.com [65.205.251.74]) by core3.amsl.com (Postfix) with ESMTP id 152E83A68AB for <ietf@ietf.org>; Thu, 13 Nov 2008 14:06:04 -0800 (PST)
Received: from MOU1WNEXCN02.vcorp.ad.vrsn.com (mailer2.verisign.com [65.205.251.35]) by colibri.verisign.com (8.13.6/8.13.4) with ESMTP id mADLjtqG008880; Thu, 13 Nov 2008 13:45:56 -0800
Received: from MOU1WNEXMB09.vcorp.ad.vrsn.com ([10.25.15.197]) by MOU1WNEXCN02.vcorp.ad.vrsn.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 13 Nov 2008 14:05:58 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Subject: RE: Context specific semantics was Re: uncooperative DNSBLs, wasseveral messages
Date: Thu, 13 Nov 2008 14:05:58 -0800
Message-ID: <2788466ED3E31C418E9ACC5C316615572FFB4B@mou1wnexmb09.vcorp.ad.vrsn.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Context specific semantics was Re: uncooperative DNSBLs, wasseveral messages
Thread-Index: AclFy5moUC/x55vcSdG0VLk8/XDQiwADKWki
References: <Pine.LNX.4.33.0811121942450.12067-100000@egate.xpasc.com><20081113112302.38928.qmail@simone.iecc.com><e0c581530811130740g1db5cbfehbcdad361660bf48b@mail.gmail.com><491C5339.8090801@dcrocker.net> <20081113163833.GN76118@shinkuro.com><491C699B.4000702@nortel.com> <20081113180841.GO76118@shinkuro.com><491C711C.3030605@leisi.net> <20081113183919.GR76118@shinkuro.com><p06240603c542266a5094@[10.227.68.106]><alpine.LSU.2.00.0811131922190.14367@hermes-1.csi.cam.ac.uk> <p06240605c54237e869f2@[10.227.68.106]>
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Ted Hardie <hardie@qualcomm.com>, Tony Finch <dot@dotat.at>
X-OriginalArrivalTime: 13 Nov 2008 22:05:58.0099 (UTC) FILETIME=[01BC0230:01C945DC]
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1325222676=="
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
Since I have been critical of the insistence on a new RR in other contexts, I will give the reasons why I am unconvinced in this particular case and indeed would argue that a specific RR would be more effective. First, let us consider the reasons why you might want to re-use an RR rather than define a new one: 1) Avoid running out of RRs. 2) Incompatibility with existing DNS infrastructure 2a) DNS publishing server 2b) DNS caching/lookup server 2c) DNS client (Yes, I find the standard nomenclaure confusing and ambiguous) I do not see that the first objection applies in this case. This is a very specific application, it is providing a description of a part of the Internet address space which is a primary function of the DNS. Where I do see creation of new RRs to be a concern is in cases where there is a combinatorial issue, for example a scheme that would require a new RR to be created for each Internet application protocol. That gets us into the same problem as port exhaustion and is unacceptable. The second issue is somewhat different to the analysis for DKIM or other enterprise deployments. A DNSBL is almost always deployed by a specialist on dedicated infrastructure. I do not see any reason to object to a scheme that would require such a specialist to upgrade their DNS publishing server. The same is also true at the client end. Email infrastructure that uses a DNSBL should not be using the local DNS resolver to cache data. If the data is worth caching cache it in the email server. If you have enough email servers to make another arrangement worthwhile you have enough to know exactly what you are doing. Against this there is the fact that the original Vixie DNSBL spec is terrible. Reuse of the A record makes the somewhat bizarre assumption that all the info that you might want to put into a blacklist can be encoded into a 32 bit binary field. At least use a TXT record if you are going to go that route. Take the opportunity to get a little more descriptive info in there. For example, is the basis for the info objective or subjective when was the information last updated? One problem with DNSBLs is that some folk start a service because they think it might be fun and then get bored with maintenance but the server stays up in perpetuity. Its like one of those abandonded lobster pots that just acts as a permanent death trap for sea creatures. I know that there are less people starting email blacklists today, but just wait till the next set of blacklists are required. We will have the same process of boom - bust and gradual decay. Having some better info on what the age of the complaint is would be a big improvement. At least that way the DNSBLs that are designed in good faith will automatically disable themselves over time. ________________________________ From: ietf-bounces@ietf.org on behalf of Ted Hardie Sent: Thu 11/13/2008 3:08 PM To: Tony Finch Cc: ietf@ietf.org Subject: Context specific semantics was Re: uncooperative DNSBLs, wasseveral messages At 11:23 AM -0800 11/13/08, Tony Finch wrote: >On Thu, 13 Nov 2008, Ted Hardie wrote: >> >> Thanks for the pointer. I had missed this technical comment in the >> crowd, and I think it is very important indeed. By re-using RRs with >> context-specific semantics, the proposal does serious harm to >> interoperability. > >Is there any evidence for that? > >Tony. >-- >f.anthony.n.finch <dot@dotat.at> http://dotat.at/ >VIKING NORTH UTSIRE SOUTH UTSIRE: SOUTHERLY OR SOUTHWESTERLY 5 TO 7, >OCCASIONALLY GALE 8 IN NORTH UTSIRE AT FIRST, AND PERHAPS GALE 8 IN VIKING >LATER. ROUGH OR VERY ROUGH. RAIN. MODERATE OR GOOD, OCCASIONALLY POOR. The draft currently says: DNSxLs also MAY contain an A record at the apex of the DNSxL zone that points to a web server, so that anyone wishing to learn about the bad.example.net DNSBL can check http://bad.example.net <http://bad.example.net/> . That's an example in which an A record in this zone has the standard DNS meaning and the expectation is that you can use it construct a URI. The other A records have a specific meaning in which the data returned indicates that indicates something about its reputation in a specific context (what reputation etc. being context specific). One of these things is not like the other. Using the same record type for both creates a need to generate some other context that enables you to figure out what was really meant. The whole approach here is "An A record in this zone has a meaning different from the meaning in other zones". That creates a DNS context for the RRTYPE based on the zone of the query, which is not what the DNS currently uses for disambiguating the types of requests/responses. Using a different RR type puts you back into the standard way of doing things. regards, Ted Hardie _______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________ Ietf mailing list Ietf@ietf.org https://www.ietf.org/mailman/listinfo/ietf
- Re: several messages der Mouse
- Re: several messages David Morris
- Re: several messages Dean Anderson
- Re: several messages Randy Presuhn
- Re: several messages David Morris
- Re: several messages Matthias Leisi
- Re: several messages Steve Linford
- Re: several messages Peter Dambier
- Re: several messages Steve Linford
- Re: several messages Keith Moore
- Re: several messages der Mouse
- Re: several messages Chris Lewis
- Re: several messages Mark Andrews
- Re: several messages der Mouse
- Re: several messages Chris Lewis
- Re: several messages David Romerstein
- Re: several messages Randy Presuhn
- Re: several messages Chris Lewis
- Re: several messages David Romerstein
- Re: several messages David Romerstein
- Re: several messages Keith Moore
- Re: several messages Chris Lewis
- Re: several messages Al Iverson
- More anti-spam (was: Re: several messages) John C Klensin
- RE: several messages michael.dillon
- Re: several messages Matthias Leisi
- Re: several messages Mark Andrews
- Re: several messages David Morris
- Re: several messages Al Iverson
- Re: uncooperative DNSBLs, was several messages John Levine
- Re: uncooperative DNSBLs, was several messages Jim Hill
- Re: several messages John C Klensin
- Re: several messages Al Iverson
- RE: several messages Hallam-Baker, Phillip
- Re: uncooperative DNSBLs, was several messages Matthias Leisi
- Re: uncooperative DNSBLs, was several messages Al Iverson
- RE: several messages Anthony Purcell
- Re: uncooperative DNSBLs, was several messages Dave CROCKER
- Re: several messages der Mouse
- Re: uncooperative DNSBLs, was several messages Andrew Sullivan
- Re: uncooperative DNSBLs, was several messages David Romerstein
- Re: uncooperative DNSBLs, was several messages Jim Hill
- Re: several messages Chris Lewis
- Re: uncooperative DNSBLs, was several messages Chris Lewis
- Re: uncooperative DNSBLs, was several messages John C Klensin
- Re: uncooperative DNSBLs, was several messages Dave CROCKER
- Re: uncooperative DNSBLs, was several messages Tony Finch
- Re: uncooperative DNSBLs, was several messages Andrew Sullivan
- Re: uncooperative DNSBLs, was several messages John C Klensin
- Re: uncooperative DNSBLs, was several messages Matthias Leisi
- Re: uncooperative DNSBLs, was several messages Al Iverson
- Re: uncooperative DNSBLs, was several messages Andrew Sullivan
- Re: uncooperative DNSBLs, was several messages John C Klensin
- Re: uncooperative DNSBLs, was several messages Ted Hardie
- Re: uncooperative DNSBLs, was several messages Matthias Leisi
- Re: uncooperative DNSBLs, was several messages Ted Hardie
- Re: uncooperative DNSBLs, was several messages Tony Finch
- Context specific semantics was Re: uncooperative … Ted Hardie
- Clarifying harm to DNS (was: uncooperative DNSBLs… Andrew Sullivan
- Re: Context specific semantics was Re: uncooperat… Ted Hardie
- Re: uncooperative DNSBLs, IETF misinformation (wa… Steve Linford
- RE: Context specific semantics was Re: uncooperat… Hallam-Baker, Phillip
- Re: uncooperative DNSBLs, was several messages Peter Dambier
- Re: uncooperative DNSBLs, was several messages David Romerstein
- Re: uncooperative DNSBLs, was several messages Peter Dambier
- Re: uncooperative DNSBLs, was several messages Keith Moore
- Re: uncooperative DNSBLs, was several messages Chris Lewis
- RE: uncooperative DNSBLs, IETF misinformation (wa… michael.dillon
- Re: uncooperative DNSBLs, IETF misinformation (wa… Steve Linford
- RE: uncooperative DNSBLs, IETF misinformation (wa… michael.dillon
- Re: Context specific semantics was Re: uncooperat… Tony Finch
- Re: Context specific semantics was Re: uncooperat… John Levine
- RE: Context specific semantics was Re: uncooperat… Hardie, Ted
- RE: Context specific semantics was Re: uncooperat… Tony Finch
- Re: several messages Rich Kulawiec
- Re: uncooperative DNSBLs, was several messages Rich Kulawiec
- Re: uncooperative DNSBLs, IETF misinformation (wa… Al Iverson
- Re: Context specific semantics was Re: uncooperat… Ted Hardie
- RE: Context specific semantics was Re: uncooperat… Ted Hardie
- Re: several messages John C Klensin
- Re: several messages Al Iverson
- Re: Context specific semantics was Re: uncooperat… John L
- RE: uncooperative DNSBLs, IETF misinformation (wa… michael.dillon
- Re: uncooperative DNSBLs, IETF misinformation (wa… Al Iverson
- RE: uncooperative DNSBLs, IETF misinformation (wa… michael.dillon
- Re: several messages John C Klensin
- Re: several messages Chris Lewis
- Re: uncooperative DNSBLs, IETF misinformation (wa… Keith Moore
- Re: several messages Al Iverson
- RE: several messages michael.dillon
- Re: uncooperative DNSBLs, IETF misinformation (wa… Al Iverson
- Re: Context specific semantics was Re: uncooperat… Ted Hardie
- Re: Context specific semantics was Re: uncooperat… Douglas Otis
- Re: uncooperative DNSBLs, IETF misinformation (wa… Theodore Tso
- Re: Context specific semantics was Re: uncooperat… Theodore Tso
- Re: uncooperative DNSBLs, IETF misinformation (wa… Chris Lewis
- Re: more bad ideas, was uncooperative DNSBLs, was… John Levine
- Re: more bad ideas, was uncooperative DNSBLs, was… Chris Lewis
- Re: Context specific semantics was Re: uncooperat… John L
- Detecting and disabling bad DNSBLs Peter Dambier
- Re: Detecting and disabling bad DNSBLs Steve Linford
- Re: several messages Pekka Savola
- Re: more bad ideas, was uncooperative DNSBLs, was… Keith Moore
- Re: several messages Rich Kulawiec
- Is USA qualified for 2.3 of draft-palet-ietf-meet… YAO
- RE: [73attendees] Is USA qualified for 2.3 ofdraf… Song Haibin
- Re: several messages Tom.Petch
- Re: [73attendees] Is USA qualified for 2.3 of dra… Phillip Hallam-Baker
- Re: [73attendees] Is USA qualified for 2.3 of dra… james woodyatt
- Re: several messages John C Klensin