IETF Logo Mail Archive

Re: Weakness of DNS classes (was Re: Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard)

John C Klensin <john-ietf@jck.com> Tue, 21 July 2015 17:24 UTC

Return-Path: <john-ietf@jck.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D08E71A1F1D for <ietf@ietfa.amsl.com>; Tue, 21 Jul 2015 10:24:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5xf2rOlIcgEh for <ietf@ietfa.amsl.com>; Tue, 21 Jul 2015 10:24:50 -0700 (PDT)
Received: from bsa2.jck.com (ns.jck.com [70.88.254.51]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FB511A00E9 for <ietf@ietf.org>; Tue, 21 Jul 2015 10:24:50 -0700 (PDT)
Received: from [198.252.137.35] (helo=JcK-HP8200.jck.com) by bsa2.jck.com with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <john-ietf@jck.com>) id 1ZHbHc-0008eT-Fd; Tue, 21 Jul 2015 13:24:48 -0400
Date: Tue, 21 Jul 2015 13:24:44 -0400
From: John C Klensin <john-ietf@jck.com>
To: Andrew Sullivan <ajs@anvilwalrusden.com>, ietf@ietf.org
Subject: Re: Weakness of DNS classes (was Re: Last Call: <draft-ietf-dnsop-onion-tld-00.txt> (The .onion Special-Use Domain Name) to Proposed Standard)
Message-ID: <23AD4AE239A9E3EE05835898@JcK-HP8200.jck.com>
In-Reply-To: <20150721143939.GJ3864@mx2.yitter.info>
References: <CD5AD7A8CCF5852BB1CE0AC1@JcK-HP5.jck.com> <20150721143939.GJ3864@mx2.yitter.info>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-SA-Exim-Connect-IP: 198.252.137.35
X-SA-Exim-Mail-From: john-ietf@jck.com
X-SA-Exim-Scanned: No (on bsa2.jck.com); SAEximRunCond expanded to false
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/TCCNfz-6prakFoX94V6YLywtmu4>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 17:24:53 -0000

Andrew,

Thanks.  I have always assumed that class-independent aliases
were either an error or fuzzy thinking in RFC 1034/1035, but the
response format issue is significant.  Your explanation led me
to realize that while I can, in principle, specify records from
several CLASSes in the same (external format) zone file, or even
have a single owner in that zone file with records associated
with different classes, either would constitute a threading
nightmare for different root and delegation structures.   That
"same zone file" or "same owner" capability is, in retrospect,
completely consistent with class-independent aliases: with
appropriate restrictions, one could get one or the other to work
but not hoth.

The combination is, to me at least, at least as clearly
"mis-specified and cannot work" as, e.g., RFC 1034 inverse
queries.  

Good idea while it lasted.  The feature of separate trees (and,
btw, label types or equivalent) is probably a candidate for the
"DNSng" list.  Also, your explanation and parts of the above may
be candidates for any update to RFC 2181.

     john


--On Tuesday, July 21, 2015 16:39 +0200 Andrew Sullivan
<ajs@anvilwalrusden.com> wrote:

> Hi,
> 
> Warning to the ietf@ audience: this contains a bunch of stuff
> about the DNS.  If that makes your eyes glaze over, you might
> as well go to the next message.  It's probable that, if this
> generates more follow up, the thread should move to dnsop@ or
> dnsext@ (WG is closed, but the list is still alive) or
> something like that.
> 
> On Mon, Jul 20, 2015 at 01:15:11PM -0400, John C Klensin wrote:
>> 
>> I agree with your analysis, modulo one question.  You make the
>> comment that CLASSes don't really work, as have others.  I'd
>> like to understand it better.
> […]
>> actually be needed. I would not be surprised if you told me
>> that CLASS has been botched in some implementations and there
>> has been no incentive to fix it, that shouldn't surprise me
>> at all. However, if there were an important application, I
>> assume those implementations could be fixed.  So what do you
>> see as the issue?   Is it that we have needs to intermix
>> ordinary public names with "don't try to resolve this there"
>> stuff in the same environments?  I agree that would be a
>> problem for CLASS, but note some very strong analogies with
>> the IDNA kludge.
> 
> The first issue is exactly what you suggest: the class code is
> almost completely unexercised except to get responses to CHAOS
> queries, and that generally just for one purpose.  So we have
> an enormous installed base with likely bit-rot, even assuming
> the code ever did the right thing.  But that's not the problem.
> 
> It turns out that aliases are defined as class-independent.
> The CNAME algorithm (it works similarly in DNAME) is defined
> in RFC 1034, in section 3.6.2.  That algorithm says that you
> look for a CNAME record with a matching class, which sounds
> like you can have different RDATA at a name in one class vs
> another, which would mean that even though the CNAME RR is
> class independent there is no influence between classes.
> 
> Unfortunately, the discussion of the way the namespace is
> divided up says this:
> 
>     The class partition is simple.  The database for any class
> is     organized, delegated, and maintained separately from
> all other     classes.  Since, by convention, the name spaces
> are the same for     all classes, the separate classes can be
> thought of as an array of     parallel namespace trees.  Note
> that the data attached to nodes     will be different for
> these different parallel classes.
> 
> Now, if the databases are parallel for all classes, then
> presumably the RDATA of an aliasing record ought to maintain
> that parallelism. Since in principle the RDATA in different
> classes ought not to affect the other classes, this seems at
> least problematic.
> 
> Now perhaps we could just reject this "convention" (which
> would be the opposite of what we did with the preferred
> syntax, but of course that was widely used whereas classes
> perhaps are not).  At that point, we start to realise why
> people didn't use classes in the first place. For in a DNS
> packet, the class is in a really awkward place.  Even though
> the names might not be the same in all the classes, when you
> get an RR you get the name first, and only after that learn
> what the class is.  This means that you really have to parse
> the entire message before you realise, "Oh, look, this class
> says not to look this record up."  At bottom, the DNS message
> format is designed such as to make classes a pain in the neck
> to use.  I suspect that this fact is what is really
> encouraging the encoding of metadata about resolution inside
> the domain name itself: the name is the piece of data that is
> first and most easily accessible.  So, this is why I say that
> classes don't really work.
> 
> Best regards,
> 
> A

v2.23.0 | Report a Bug | By Email