Review: draft-iab-dns-applications-07
Dave Crocker <dhc@dcrocker.net> Fri, 15 March 2013 10:57 UTC
Return-Path: <dhc@dcrocker.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 062DE21F9167; Fri, 15 Mar 2013 03:57:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.299
X-Spam-Level:
X-Spam-Status: No, score=-6.299 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, J_CHICKENPOX_44=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gDF+ZJWbhgX7; Fri, 15 Mar 2013 03:57:28 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [72.52.113.17]) by ietfa.amsl.com (Postfix) with ESMTP id 040EA21F915D; Fri, 15 Mar 2013 03:57:28 -0700 (PDT)
Received: from [130.129.135.34] ([130.129.135.34]) (authenticated bits=0) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id r2FAvQJE007492 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 15 Mar 2013 03:57:27 -0700
Message-ID: <5142FE8F.1020404@dcrocker.net>
Date: Fri, 15 Mar 2013 06:57:19 -0400
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: draft-iab-dns-applications.all@tools.ietf.org
Subject: Review: draft-iab-dns-applications-07
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.17]); Fri, 15 Mar 2013 03:57:27 -0700 (PDT)
Cc: IAB IAB <iab@iab.org>, IETF Discussion <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 10:57:32 -0000
Review of: Architectural Considerations on Application Features in the DNS I-D: draft-iab-dns-applications-07 Reviewed by: D. Crocker Review date: 15 March 2013 Summary: This review follows the one I provided for the -01 draft, on 20 April 2011 and recorded in: http://trac.tools.ietf.org/group/iab/trac/ticket/35 I recently received a note closing the ticket, with an extended commentary (contained in the above ticket citation). It asserted that the concerns of the previous review have been resolved. The current review was a fresh re-reading of the document. The current Abstract declares the purpose of the document to be: > This document explores the architectural > consequences of using the DNS to implement certain application > features, and provides guidance to future application designers as to > the limitations of the DNS as a substrate and the situations in which > alternative designs should be considered. Alas, the -07 version of the document remains fundamentally flawed in purpose, basic technical details, and writing style. After two years and 6 rounds of revision, a document that remains so deeply problematic needs very different handling than it has been getting. For the Detailed Comments section of a review, I normally delete any extended passages that have no comments. Given the extent of problems with this document, I'm leaving in all the text, to ensure proper context for the comments. I terminated the review on page 11. It simply is not productive to provide more detailed review, as I believe the included comments will make abundantly clear. My best guess is that the only way to bring this document to a level of reasonable competence is to start over, with much, much greater care, starting with much greater clarity about the document's purpose and how to achieve it. Detailed Comments: > Abstract > > A number of Internet applications rely on the Domain Name System > (DNS) to support their operations. Many applications use the DNS to > locate services for a domain; some for example transform identifiers > other than domain names into formats that the DNS can process, and > then fetch application data or service location data from the DNS. The text after the semi-colon is completely independent of the DNS. It's an app function that occurs before the DNS is involved. Given that the title of the document says "/in/ the DNS" the text actually distracting to refer to it here. The phrasing before the semi-colon seems to be trying to say something distinctive, by virtue of asserting a scope as being "to locate services" but nothing that follows is really about 'locating'. That word is a term of art in the IETF and does not refer to a service provided by the DNS. In addition, phrasing such as "into formats that the DNS can process" is clunky, at best, and more likely confusing. If it is meant to mean "into a domain name" then just say that. If it is meant to mean something else, I can't even guess what it is. A DNS query is a domain name. That's a pretty simple, clean and invariable point. It seems that the text is merely trying to say: Many applications use the DNS in a context that goes beyond simply mapping a domain name to an IP Address if a server that supports the application. Some applications include DNS access to obtain other, parametric information or as part of a more elaborate location mechanism. > Proposals incorporating sophisticated application behavior using DNS > as a substrate have raised questions about the role of the DNS as an The proposals have not raised questions; the questions are not /in/ the proposals. It's possible that you mean that the proposal prompted others to raise questions. (Yes, I'm hassling you about awkward sentence construction. The document needs to be very careful about its assignments of responsibility.) More generally, this language continues the underlying tone of suspicion and fear that I noted about the earlier draft. The document will benefit from simply deleting this sentence. It adds nothing useful. > application platform. This document explores the architectural > consequences of using the DNS to implement certain application Actually, it doesn't. It says almost nothing about architectural consequences. It attempts quite a bit of pedagogy about existing DNS features, but that's quite a different task. For the most part, the features discussed in this document are not 'implemented' in the DNS. They are implemented /above/ the DNS. The document still needs to be significantly more careful with this distinction. The text explaining the closed tracking ticket item for my review declared that this distinction was now made in the document; I still don't see it. > features, and provides guidance to future application designers as to > the limitations of the DNS as a substrate and the situations in which > alternative designs should be considered. > > Table of Contents > > 1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 4 > 2. Overview of DNS Application Usages . . . . . . . . . . . . . . 6 > 2.1. Locating Services in a Domain . . . . . . . . . . . . . . 6 > 2.2. NAPTR and DDDS . . . . . . . . . . . . . . . . . . . . . . 8 > 2.3. Arbitrary Data in the DNS . . . . . . . . . . . . . . . . 9 > 3. Challenges for the DNS . . . . . . . . . . . . . . . . . . . . 12 > 3.1. Compound Queries . . . . . . . . . . . . . . . . . . . . . 12 > 3.1.1. Responses Tailored to the Originator . . . . . . . . . 14 > 3.2. Using DNS as a Generic Database . . . . . . . . . . . . . 16 > 3.2.1. Large Data in the DNS . . . . . . . . . . . . . . . . 16 > 3.3. Administrative Structures Misaligned with the DNS . . . . 18 > 3.3.1. Metadata about Tree Structure . . . . . . . . . . . . 19 > 3.4. Domain Redirection . . . . . . . . . . . . . . . . . . . . 21 > 4. Private DNS and Split Horizon . . . . . . . . . . . . . . . . 24 > 5. Principles and Guidance . . . . . . . . . . . . . . . . . . . 27 > 6. Security Considerations . . . . . . . . . . . . . . . . . . . 29 > 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 > 8. IAB Members at Time of Approval . . . . . . . . . . . . . . . 31 > 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 32 > 10. Informative References . . . . . . . . . . . . . . . . . . . . 33 > Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 37 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Peterson, et al. Expires August 30, 2013 [Page 3] > > Internet-Draft Application Features in DNS February 2013 > > > 1. Motivation > > The Domain Name System (DNS) has long provided a general means of > translating domain names into Internet Protocol addresses, which > makes the Internet easier to use by providing a valuable layer of > indirection between names and lower-layer protocol elements. This is oddly phrased. For one thing, it seems to imply that there were domain names before there was the DNS, which of course is incorrect. I think you mean to be saying: The DNS provides a basic mechanism for mapping domain names to Internet Addresses, which makes the Internet easier to use. The names are considerably more human-friendly than IP Addresses. > [RFC0974] documented a further use of the DNS: to manage application 'manage'? not really. Few, if any, "uses of the DNS" manage applications. This sentence appears to be saying that this added email to the use; and of course, it didn't. > services operating in a domain with the Mail Exchange (MX) resource > record, which helped email addressed to the domain to find a mail > service for the domain sanctioned by the zone administrator. Again, not quite correct. So perhaps: [RFC0974] added special semantics when mapping from a domain name to an IP Address, by indicating a specific service supported at the host, namely email, through the use of a purpose-built RR, the Mail Exchange (MX) resource record. > The seminal MX record served as a prototype for other DNS resource > records that supported applications associated with a domain name. MX is a direct prototype for SRV. I do not understand how it qualifies as a prototype for the other RRs that followed, since they have no semantic or structural similarity. > The SRV resource record [RFC2052] provided a more general mechanism provided -> provides It's still in use. > for locating services in a domain, complete with a weighting system Generally, "locating" is probably not a very good vocabulary choice, since it tends to be taken to mean 'searching', which of course the DNS doesn't do. Again, "mapping to" is the more careful and typical language for describing the DNS' basic function. For reference, the tutorial nature of this document and the audiences that are likely to need to read this really do warrant considerably more care in the document's language. > and selection among transports. The Naming Authority Pointer (NAPTR, > originally [RFC2168]) resource record, especially as it evolved into > the more general Dynamic Delegation Discovery System (DDDS, > [RFC3401]) framework, added a generic mechanism for storing > application data in the DNS. Primarily, this involved a client-side > algorithm for transforming a string into a domain name, which might > then be resolved by the DNS to find NAPTR records. This enabled the > resolution of identifiers that do not have traditional host > components through the DNS; the best-known examples of this are > telephone numbers, as resolved by the DDDS application ENUM. Recent > work such as Domain Keys Identified Mail (DKIM, [RFC6376]) has > enabled security features of applications to be advertised through > the DNS, via the TXT resource record. > > The scope of application usage of the DNS has thus increased over > time. Applications in many environments require features such as > confidentiality, and as the contexts in which applications rely on > the DNS have increased, some application protocols have looked to oh? This needs a citation and an explanation for the type of confidentiality that was proposed, relative to the DNS, making clear how it would have modified the DNS. > extend the DNS to include these sorts of capabilities. However, some > proposed usages of, and extensions to, the DNS have become misaligned 'become'? The proposals underwent a change? Worse is that this goes back to the tone of fear and criticism. Given the nature of this document, it should provide careful documentation of inappropriate proposals and explanations that justify claiming they were/are inappropriate. What is especially important is to distinguish between stray crazy ideas from random people, versus serious efforts that were problematic. The former are mere noise and should be ignored; they do not justify the tone of suspicion in this document. The latter are (potentially) the real danger, if any can be documented. > with both the DNS architecture and the DNS protocol. Taking the > example of confidentiality: In the global public DNS, the resolution > of domain names to IP addresses is public information with no > expectation of confidentiality, and thus the underlying query/ > response protocol has no encryption mechanism - typically, any > security required by an application or service is invoked after the > DNS query, when the resolved service has been contacted. Only in > private DNS environments (including split horizon DNS) where the > identity of the querier is assured through some external policy can > the DNS maintain confidential records, by providing distinct answers > to the private and public users of the DNS. In support of load > balancing or other optimizations, a DNS server may return different > addresses in response to queries from different sources, or even no > > > > Peterson, et al. Expires August 30, 2013 [Page 4] > > Internet-Draft Application Features in DNS February 2013 > > > response at all, which is discussed further in Section 3.1.1. The above paragraph offers confidentiality as an example, presumably as an inappropriate goal for the DNS, but then the text merely says that's not what's typically done. There's no real substance in the text for this purported example. For example, would it be inappropriate to have the resolver/server DNS exchange be encrypted against wiretapping (for some types of traffic analysis)? If yes, why? Is it inappropriate to consider /any/ security mechanisms for client/server DNS exchanges? What about server/server? Why? For load balancing, there really is literally no substance provided here. No sense of how it qualifies as problematic, or whatever the point that is intended; and I can't tell what that point is. > This document provides guidance to application designers, and > application protocol designers, looking to use the DNS to support > features in their applications. It provides an overview of past > application usage of the DNS, as well as reviewing proposed new > usages. It identifies concerns and trade-offs and provides guidance > on the question, "Should I store this information in the DNS, or use > some other means?" when that question arises during protocol > development. These guidelines remind application protocol designers > of the strengths and weaknesses of the DNS in order to make it easier > for designers to decide what features the DNS should provide for > their application. > > The guidance in this document complements the guidance on extending > the DNS given in [RFC5507]. Whereas [RFC5507] considers the > preferred ways to add new information to the underlying syntax of the > DNS (such as defining new resource records or adding prefixes or > suffixes to labels), the current document considers broader > implications of applications that rely on the DNS for the > implementation of certain features, be it through extending the DNS > or simply reusing existing protocol capabilities - implications that > may concern the invocation of the resolver by applications, the > behavior of name servers, resolvers or caches, extensions to the > underlying DNS protocol, the operational responsibilities of zone > administrators, security, or the overall architecture of names. When The purpose of the above sentence looks good. The sentence itself doesn't. Too long and convoluted. Break a sequence of shorter, simpler sentences. > existing DNS protocol fields are used in ways that their designers > did not intend to handle new applications, those applications may > demand further changes and extensions that are fundamentally at odds > with the strengths of the DNS. Remove the silliness about intent. Nevermind that you probably are wrong, it doesn't matter. Again, the tone of the above sentence is focused on the fear rather than on any concrete technical or operational substance. The technical reality is that the DNS design permits a range of extensibilities, albeit within constraints. The other reality is that the modern DNS is used in a variety of application contexts. A document like this needs to use these technical and operational realities as its starting point. With respect to cautions, what matters is distortions of the DNS that actually break functionality, performance or administration. For example, things like overloading a field have classic risks, since they create ambiguity. > > > > > > > > > > > > > > > > > > > > > > Peterson, et al. Expires August 30, 2013 [Page 5] > > Internet-Draft Application Features in DNS February 2013 > > > 2. Overview of DNS Application Usages > > [RFC0882] identifies the original and fundamental connection between identifies the original and fundamental -> specifies the { it's inventing something, not uncovering it } > the DNS and applications. It begins by describing how the > interdomain scope of applications creates "formidable problems when Hmmm. RFC882 doesn't use the term "interdomain". It also doesn't use the word "scope". Given the actual language in the RFC that precedes the portion quoted here, I suggest: It establishes its basis by noting the scale and diversity of resources on the network, which creates "... > we wish to create consistent methods for referencing particular > resources that are similar but scattered throughout the environment." > This motivated transitioning the "mapping between host names... and > ARPA Internet addresses" from a global table (the original "hosts" > file) to a "distributed database that performs the same function." > [RFC0882] also envisioned some ways to find the resources associated > with mailboxes in a domain: without these extensions, a user trying > to send mail to a foreign domain lacked a discovery mechanism to > locate the right host in the remote domain to which to connect. > > While a special-purpose service discovery mechanism could be built > for each such application protocol that needed this functionality, > the universal support for the DNS encourages installing these > features into its public tree rather than inventing something new. > Thus, over time, several other applications leveraged DNS resource > records for locating services in a domain or for storing application > data associated with a domain in the DNS. This section gives > examples of various types of DNS usage by applications to date. > > 2.1. Locating Services in a Domain > > The MX resource record provides the simplest example of an > application advertising its domain-level resources in the Domain Name > System. The MX resource record contains the domain name of a server > that receives mail on behalf of the administrative domain in > question; that domain name must itself be resolved to one or more IP > addresses through the DNS in order to reach the mail server. While > naming conventions for applications might serve a similar purpose (a > host might be named "mail.example.com" for example), approaching > service location through the creation of a new resource record yields > important benefits. For example, one can put multiple MX records > under the same name, in order to designate backup resources or to > load balance across several such servers (see [RFC1794]); these > properties could not easily be captured by naming conventions (see > [RFC4367], though more recently, DNS-SD > ([I-D.cheshire-dnsext-dns-sd]) codifies service instance naming > conventions for use across applications to locate services in a > domain). > > While the MX record represents a substantial improvement over naming > conventions as a means of service location, it remains specific to a it remains -> it is There have been no forces attempting to change it. > single application. Thus, the general approach of the MX record was > adapted to fit a broader class of applications through the Service > > > > Peterson, et al. Expires August 30, 2013 [Page 6] > > Internet-Draft Application Features in DNS February 2013 > > > (SRV) resource record (originally [RFC2052]). The SRV record allows > DNS resolvers to query for particular services and underlying > transports (for example, HTTP running over TLS, see [RFC2818]) and to > learn a host name and port where that service resides in a given > domain. It also provides a weighting mechanism to allow load > balancing across several instances of a service. > > The reliance of applications on the existence of MX and SRV records > has important implications for the way that applications manage > identifiers, and the way that applications pass domain names to This is an interesting observation. I was under the impression that applications pass domain names to resolvers in a consistent manner that does not depend on the type or nature of RR being sought. Please document this odd bit of contingent API behavior. > resolvers. Email identifiers of the form "user@domain" rely on MX 'A' records are still legal and still used for routing to email servers. MX might dominate but is not required. The language here implies that only MX is used. In addition, email addresses don't 'rely' on anything other than uniqueness and validity of their two fields. And they can be resolved to addresses without the DNS, such as internal configuration tables. My point is that this paragraph is entirely muddled in terms of premise and technical details. > records to provide the convenience of simply specifying a "domain" > component rather than requiring an application to guess which > particular host handles mail on behalf of the domain. While for The idea that a host would do guessing about IP Addresses, or that they ever have, is silly and it's counterproductive to offer such statements. > applications like web browsing, naming conventions continue to abound For what other applications do naming conventions 'abound'? I'm not asking whether "some" configurations use such naming conventions, but where they "abound". > ("www.example.com"), SRV records allow applications to query for an to query for an -> query for support of an > application-specific protocol and transport in the domain. For LDAP, > the SRV service name corresponds to the URL scheme of the identifier > invoked by the application (e.g., when "ldap://example.com" is the > identifier, the SRV query passed to the resolver is for > "_ldap._tcp.example.com"); for other applications, the SRV service > name that the application passes to the resolver may be implicit in huh? What does this mean and how does it work? > the identifier rather than explicit. In either case, the application > delivers the service name to the DNS to find the location of the host 1. The resolver delivers the name to the DNS 2. In terms of DNS semantics, it is not delivering a service name to the DNS. Rather, an overlay convention encodes service name in the DNS name, transparently to the DNS. This is not a small point of quibbling; it's fundamental to the nature of these kinds of enhancements. The current language could easily lead a reader to believe that DNS query semantics are tailored to service name. Everything being discussed here is specific to the internals of the SRV record and the conventions of its use, not any other aspect of the DNS. The text should make sure that the reader understands this difference and should attribute the semantics being discussed to the details of the SRV RR specification. > of that service for the domain, the port where the service resides on > that host, additional locations or ports for load balancing and fault > tolerance, and related application features. > > Locating specific services for a domain was the first major function > for which applications started using the DNS beyond simple name > resolution. SRV broadened and generalized the precedent of MX to > make service location available to any application, rather than just > to mail. As applications that acquire MX (or SRV) records might need > to perform further queries or transformations in order to arrive at > an eventual domain name that will resolve to the IP addresses for the > service, [RFC1034] allowed that the Additional Data section of DNS allowed -> allows. It still allows it! This text implies that the additional data feature is restricted to MX and SRV. It isn't. > responses may contain the corresponding address records for the names responses may contain the corresponding -> response. These can contain information, such as the corresponding > of services designated by the MX record; this optimization, which record; this optimization, which -> record. This efficiency mechanism, which requires > requires support in the authoritative server and the resolver, is an > initial example of how support for application features requires > changes to DNS operation. At the same time this is an example of an > extension of the DNS that cannot be universally relied on: Many DNS > resolver implementations will ignore the addresses in the additional > section of the DNS answers because of the trustworthiness issues > described in [RFC2181]. However the cost of non-support is merely additional queries. > > > > > > > Peterson, et al. Expires August 30, 2013 [Page 7] > > Internet-Draft Application Features in DNS February 2013 > > > 2.2. NAPTR and DDDS > > The NAPTR resource record evolved to fulfill a need in the transition > from Uniform Resource Locators (URLs) to the more mature URI > [RFC3986] framework, which incorporated Uniform Resource Names I thought the RR was core to URN support in the DNS, and is not dependent on a transition process. That is, "a need in transition" seems to focus on a frankly irrelevant point. > (URNs). Unlike URLs, URNs typically do not convey enough semantics > internally to resolve them through the DNS, and consequently a > separate URI-transformation mechanism is required to convert these > types of URIs into domain names. This allows identifiers with no > recognizable domain component to be treated as domain names for the > purpose of name resolution. Once these transformations result in a > domain name, applications can retrieve NAPTR records under that name > in the DNS. NAPTR records contain a far more rich and complex > structure than MX or SRV resource records. A NAPTR record contains > two different weighting mechanisms ("order" and "preference"), a > "service" field to designate the application that the NAPTR record > describes, and then two fields that can contain translations: a > "replacement" or "regular expression" field, only one of which > appears in given NAPTR record. A "replacement," like NAPTR's > ancestor the PTR record, simply designates another domain name where > one would look for records associated with this service in the > domain. The "regexp," on the other hand, allows regular expression > transformations on the original URI intended to turn it into an > identifier that the DNS can resolve. This is missing an "architectural" technical summary, such as: So, URI support represents an integrated design consisting partly of an overlay to the DNS and partly a new RR, but no change to basic DNS mechanisms. The overlay performs mapping between a URI name and a domain name, and the retrieved RR then provides a rich encoding environment for specifying the "meaning" of the URI. { I might have the "meaning" phrasing wrong. } > As the Abstract of [RFC2915] says, "This allows the DNS to be used to > lookup services for a wide variety of resource names (including URIs) > which are not in domain name syntax." Any sort of hierarchical > identifier can potentially be encoded as a domain name, and thus > historically the DNS has often been used to resolve identifiers that > were never devised as a name for an Internet host. A prominent early > example is found in the in-addr domain [RFC0882], in which IPv4 > addresses are encoded as domain names by applying a string > preparation algorithm that required reversing the octets and treating > each individual octet as a label in a domain name - thus, for > example, the address 192.0.2.1 became 1.2.0.192.in-addr.arpa. This > allowed resolvers to query the DNS to learn name(s) associated with > an IPv4 address. The same mechanism has been applied to IPv6 > addresses [RFC3596] and other sorts of identifiers that lack a domain > component. Eventually, this idea connected with activities to create > a system for resolving telephone numbers on the Internet, which > became known as ENUM (originally [RFC2916]). ENUM borrowed from an > earlier proposal, the "tpc.int" domain [RFC1530], which provided a > means for encoding telephone numbers as domain names by applying a > string preparation algorithm that required reversing the digits and > treating each individual digit as a label in a domain name - thus, > for example, the number +15714345400 became > 0.0.4.5.4.3.4.1.7.5.1.tpc.int. In the ENUM system, in place of > > > > Peterson, et al. Expires August 30, 2013 [Page 8] > > Internet-Draft Application Features in DNS February 2013 > > > "tpc.int" the special domain "e164.arpa" was reserved for use. > > In the more mature form of the NAPTR standard, in the Dynamic In what way is it "more mature"? What does that mean? It's more complex. It might even be more powerful. But more "mature"??? > Delegation and Discovery Service (DDDS) ([RFC3401] passim) framework, > the initial transformation of an identifier (such as a telephone > number) to a domain name was called the "First Well Known Rule." The > capability to define a "First Well Known Rule" for each application > of NAPTR generalizes the address-reversing mechanism used in- > addr.arpa. Its flexibility has inspired a number of proposals beyond > ENUM to encode and resolve unorthodox identifiers in the DNS. "unorthodox"? I think you just mean "other" identifiers into domain names. in the DNS -> into domain names > Provided that the identifiers transformed by the "First Well Known > Rule" have some meaningful structure and are not overly lengthy, > virtually anything can serve as an input for the DDDS structure: for This flexibility in naming is not specific to DDDS usage. That's the important lesson of the TPC/ENum approach. The language here is unnecessarily tied to DDDS. > example, civic addresses. Though [RFC3402] stipulates of the > identifier that "the lexical structure of this string must imply a > unique delegation path," there is no requirement that the identifier > be hierarchical, nor that the points of delegation in the domain name > created by the "First Well Known Rule" correspond to any points of > administrative delegation inherent in the structure of the > identifier. So? It sounds like an important point. Explain it and/or its implications. > While this ability to look up names "which are not in the domain name > syntax" does not change the underlying DNS protocol - the names > generated by the DDDS algorithm are still just domain names - it does > change the context in which applications pass name to resolvers, and > can potentially require very different operational practices of zone > administrators (see Section 3.3). In terms of the results of a DNS ???? If that section contains statements specific to the point being made here, refer to them explicitly. If it doesn't, then explain the concern here. In it current general form, this raises yet another vague fear without making it concrete enough to be actionable. > query, the presence of the "regexp" field of NAPTR records enabled It still enables. > unprecedented flexibility in the types of identifiers that Drop 'unprecedented'. Again, it's unnecessarily dramatic. But generally this sentence seems to be redundant with earlier statements. > applications could resolve with the DNS. Since the output of the > regular expression frequently took the form of a URI (in ENUM Took? Past tense? It doesn't work anymore? > resolution, for example, a telephone number might be converted into a > SIP URI [RFC3261]), anything that could be encoded as a URI might be > the result of resolving a NAPTR record - which, as the next section > explores, essentially means arbitrary data. Very awkward sentence form. > > 2.3. Arbitrary Data in the DNS > > URI encoding has ways of encapsulating basically arbitrary data: the > most extreme example is data URL [RFC2397]. Thus, resolving a NAPTR Domain names are resolved. The returned RR is not. Therefore: Thus, resolving a NAPTR record might result in an output other than an identifier that would -> Thus, the returned NAPTR record might be interpreted to produce output other than a domain name that ... > record might result in an output other than an identifier that would > subsequently be resolved to IP addresses and contacted for a > particular application - it could give a literal result which would This two-sentence sequence appears to be a non-sequitor, since the syntactic issue of 'encapsulation', in the first sentence, is quite a different issue from data semantics, stated in the second. > be consumed by the application. Originally, in [RFC2168], the > intended applicability of the regular expression field in NAPTR was > narrower: the regexp field contained a "substitution expression that > is applied to the original URI in order to construct the next domain > name to lookup," in order to "change the host that is contacted to > > > > Peterson, et al. Expires August 30, 2013 [Page 9] > > Internet-Draft Application Features in DNS February 2013 > > > resolve a URI" or as a way of "changing the path or host once the URL > has been assigned." The regular expression tools available to NAPTR > record authors, however, grant much broader powers to alter the input I doubt that author tools grant the power. I suspect that the NAPTR specification document grants the power... The tools might exploit that power, but that's a very different matter. > string, and thus applications began to rely on NAPTR to perform more > radical transformations that did not serve any of those > aforementioned needs. By [RFC3402], the output of DDDS is wholly DDDS is an overlay capability. NAPTR is a DNS RR. The text here moves between the layers without distinguishing where actual changes have taken place. My guess is that the intended meaning is that the DDDS overlay service was specified to exploit the underlying power of NAPTR, with application-specific conventions. > application-specific: "the Application must determine what the > expected output of the Terminal Rule should be," and the example > given in the document is one of identifying automobile parts by > inputting a part number and receiving at the end of the process > information about the manufacturer. > > Historically speaking, NAPTR did not pioneer the storage of arbitrary > data in the DNS. At the start, [RFC0882] observed that "it is > unlikely that all users of domain names will be able to agree on the > set of resources or resource information that names will be used to > retrieve," and consequently places little restriction on the > information that DNS records might carry: it might be "host > addresses, mailbox data, and other as yet undetermined information." FWIW, note that this makes clear that the author of the DNS did not 'intend' only name-to-address mapping, as was earlier clamed, and that he did envision a broader range of uses... > [RFC1035] defined the TXT record, a means to store arbitrary strings > in the DNS; [RFC1034] specifically stipulates that a TXT contains > "descriptive text" and that "the semantics of the text depends on the > domain where it is found." The existence of TXT records has long > provided new applications with a rapid way of storing data associated > with a domain name in the DNS, as adding data in this fashion > requires no registration process. [RFC1464] experimented with a > means of incorporating name/value pairs to the TXT record structure, > which allowed applications to differentiate different chunks of data > stored in a TXT record - surely not just "descriptive text" as the > TXT originally specified. In this fashion, an application that wants > to store additional data in the DNS can do so without registering a > new resource record type - though [RFC5507] points out that it is > "difficult to reliably distinguish one application's record from > others, and for its parser to avoid problems when it encounters other > TXT records." > > While open policies surrounding the use of the TXT record have > resulted in a checkered past for standardizing application usage of > TXT, TXT has been used as a technical solution for many applications, It's not the vague drama of a "checkered past" but the inherent, technical ambiguity created by overloading the record with multiple, uncoordinated uses that can't be readily distinguished. > most recently for DKIM [RFC6376] to store necessary information about > the security of email in DNS, though within a narrow naming > convention (records stored under "_domainkey" subdomains). Storing This phrasing entirely misses the way that the underscore name component restricts the TXT record to an unambiguous usage. I suggest: many applications. Recently a number of applications, such as DKIM [RFC6376], have resolved the problem of TXT ambiguity by storing it under a specialized DNS naming structure that includes the component ("_domainkeys"), which serves to restrict the scope of the TXT solely to DKIM use. > keys in the DNS became the preferred solution for DKIM for several > reasons: notably, because email applications already queried the DNS > in their ordinary operations, because the public keys associated with > email required wide public distribution, and because email > identifiers contain a domain component that applications can easily > use to consult the DNS. If the application had to negotiate support This implies that there have been other solutions. There hasn't. Hence: For DKIM, the choice of storing keys in the DNS, rather than specifying a new and independent key distribution service, takes advantage of the existing, Internet-wide installed base of DNS software and operations. Email applications already queried the DNS in their ordinary operations and the public keys associated with email require wide public distribution. The last clause: "and email identifiers contain a domain component that applications can easily use to consult the DNS" doesn't make much sense to me and doesn't appear relevant to the reasons I am aware of for choosing the DNS as a key distribution mechanism. Given that I've been involved with DKIM since the Yahoo Domainkeys effort, I'd have expected to hear of that reason... > If the application had to negotiate support > for the DKIM mechanism with mail servers, it would give rise to bid- > down attacks (where attackers misrepresent that DKIM is unsupported > in the domain) that are not possible if the DNS delivers the keys I'm pretty sure that this analysis is wrong. DKIM is a cooperative service. It requires that the signer and the verifier cooperate to achieve a validated identifier. A receiving server can simply choose to ignore DKIM if it wants. It doesn't need to play games. A sending server can do the same. So what is the exact scenario that is is being hypothesized here? > (provided that DNSSEC [RFC4033] guarantees authenticity of the data). The benefit of using DNSSEC is that the DNS response cannot be spoofed. That's entirely different from -- or, at least, much broader than -- a bid-down attack. And DKIM does not rely on the presence of DNSSEC. If DNSSec is to be cited with DKIM, it needs to be as a combinatorial enhancement that goes beyond either mechanism independently. And it needs to be made clear that it is a future benefit, since it does not yet have extensive deployment. It's an appealing combination and will no doubt eventually dominate as DNSSec use grows, but it hasn't happened yet and DKIM has never relied on its happening, except in very generic terms, by way of deferring reasonable concerns that the storage of DKIM keys could be compromised. > However, there are potential issues with storing large data in the This raises a valid point, but in a confusing manner. Perhaps: The size of public keys, encoded as text, along with other parameters used by DKIM, pushes towards the maximum number of characters that can be stored in a TXT RR, as discussed in Section 3.2.1. In addition, the domain naming convention used by DKIM and other services limits the ability to use DNS wildcards. (For reference, the DKIM does not 'prevent' the use of wildcards; it limits their utility and can introduce some other surprises. But wildcards are sometimes still possible to use effectively.) > DNS, as discussed in Section 3.2.1 as well as with the DKIM namespace > conventions that prevent the use of DNS wildcards (as discussed in > section 6.1.2 of [RFC6376] and in more general terms in [RFC5507]). > If prefixes are used to identify TXT records used by an application, > potentially the use of wildcards may furthermore cause leakages that > other applications will need to detect. Huh? What 'leakages' are you talking about? I have no idea what this bit of fear is about. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Peterson, et al. Expires August 30, 2013 [Page 11] > > Internet-Draft Application Features in DNS February 2013 > > > 3. Challenges for the DNS > > The methods discussed in the previous section for transforming > arbitrary identifiers into domain names, and for returning arbitrary > data in response to DNS queries, both represent significant > departures from the basic function of translating host names to IP Sorry, but this persists in confusing dominant use with basic architecture, even with the ending clause of the sentence. The "basic function" of the DNS doesn't know or care that some RRs carry IP Addresses and others don't, and it never has. And TXT records have been used for rather too long a time to refer to them as a "departure"... > addresses, yet neither fundamentally alters the underlying semantics Does it alter it a little bit? No. So the implication of "fundamentally" is wrong. > of the DNS. When we consider, however, that the URIs returned by > DDDS might be base 64 encoded binary data in a data URL, the DNS What is a "data" URL? Do you mean RFC 2397? If so, cite it. > could effectively implement the entire application feature set of any > simple query-response protocol. Effectively, the DDDS framework > considers the DNS a generic database - indeed, the DDDS framework was No it doesn't. It considers it an indexed storage engine. That's rather simpler than a "database", which implies richer functionality, such as searching and content-based indexes that the DNS doesn't have. It's frankly surprising that an IAB draft would refer to the DNS as a database... {review terminated } d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net -- Dave Crocker Brandenburg InternetWorking bbiw.net
- Review: draft-iab-dns-applications-07 Dave Crocker
- Re: Review: draft-iab-dns-applications-07 John Levine