Re: new DNS classes

Pete Resnick <> Sat, 08 July 2017 16:05 UTC

From: Pete Resnick <>
To: Mark Andrews <>
CC: Nico Williams <>, John C Klensin <>, dnsop <>, Phillip Hallam-Baker <>, Paul Vixie <>, IETF <>
Subject: Re: new DNS classes
Date: Sat, 8 Jul 2017 11:05:01 -0500
References: <> <> <> <> <> <> <> <> <> <562EC659F89FA92A09CAC4DB@PSB> <20170706153955.GB3393@localhost> <> <> <>

On 7 Jul 2017, at 19:18, Mark Andrews wrote:

> In message <>, Pete Resnick writes:
>> On 6 Jul 2017, at 16:52, Mark Andrews wrote:
>>> Or you could stop trying to reinforce the myth that new RR types
>>> are hard to deploy.  They really aren't.  They actually get used
>>> all the time.
>> I'm running the latest version of MacOS Server. I can't get a new RR
>> type into the UI. Even if I use the command line "dnsconfig" tool, I
>> can't add a record of a type it doesn't know about; I only get A, AAAA,
>> CNAME, NS, MX, PTR, SRV, and TXT. Yes, I could go hacking around in the
>> BIND configs that underlie their implementation. And at that point I say,
>> "New RR types are hard to deploy; not a myth." Telling me I can use a
>> different operating system or not use a validating UI is not a
>> reasonable response.
> Well, use nsupdate.  That also ships with the Mac.

Of course doing that likely means I'll have records that don't show up 
in the server UI. Not entirely thrilling. And I could accomplish exactly 
the same thing by directly editing the BIND config files, so I'm not 
sure what that gains me in terms of "not hard to deploy".

>> The fact is the DNS doesn't provide a way for implementations to
>> dynamically update the RR types to provide sensible UI; it's left as an
>> exercise for each individual implementer. (Yes, I know about
>> draft-levine-dnsextlang; it doesn't seem to have gotten anywhere.) You
>> can't much complain about the difficulty of deployment when the
>> community won't provide the tools to make deployment easier.
> Well, BIND is designed to allow new types to be added easily.  It
> may require recompiling rather than updating a text file but it is
> not beyond people to do because we see people doing just that.

¬(∃x C(x) → ∀x C(x))

Just because you see some people recompiling does not mean that all 
(or most, or a significant number) can. Set that aside, it is nowhere 
near reasonable for knowing how to recompile a piece of code to be 
required in order for me to add a new RR type. Set that aside, this is 
the epitome of "hard to deploy": Some implementations can't do it at 
all, some implementations you have to go hacking around in hidden config 
files, and some implementations you have to recompile the binary to get 
a reasonable UI experience.

This is the problem with DNS being considered a system service rather 
than a user application. It's got both aspects. Until the user 
experience for configuring the DNS with a new RR type does not require 
the skills of someone able to recompile code, it is absolutely going to 
be the case that new RR types are hard to deploy, and calling it a myth 
is not helpful.

Pete Resnick <>
Qualcomm Technologies, Inc. - +1 (858)651-4478