Re: new RRTYPEs, was DNSSEC architecture vs reality

Phillip Hallam-Baker <> Wed, 14 April 2021 19:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2628C3A1C8F for <>; Wed, 14 Apr 2021 12:26:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cbxCBvhskwdm for <>; Wed, 14 Apr 2021 12:26:53 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2D6B93A1C4E for <>; Wed, 14 Apr 2021 12:26:53 -0700 (PDT)
Received: by with SMTP id y2so21306974ybq.13 for <>; Wed, 14 Apr 2021 12:26:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uGO6XC9pExR4Q6vh75aGvczeEZbc978OOPI/aU+ubWA=; b=Koy/9aio/LONtWG1rztvxw0ySO7nRZEVUWknEP4Gbho2cRxHbKtttvj99qWFnqiP8Y FDJkUNdM2pZHr/fx7syp/FNW9irbsyV6GlFrRCecKW4YzaQpjD/yUfhvFBFJzEjtUCcV Zoyhv+dza9ybyoyCJkPSoUKJDRhCWOpjRiax0HkI/x+ezratpc0iZ+0FbhouRLUjq9IS etwAfN/z0Lu+VkFG+7YUAGE1Cymm4vZnLPPeBIDOmZeJb+RgXO3A6THa79pA8GgCRaHp Ye6NfcXhMmo4EC/fvm/SmAag2HNxHrPftdNmr5M4cO8Dn9R6S7eiMICZjAv7s2Z9r/Qu ac3A==
X-Gm-Message-State: AOAM531Pft7AFddkXbCpbgSJ4TbQgcQM8eBNSMKBwee8cLKcrVoSS1xb B6/hrCn8lbIisjrrdHT7OGEWLMTlkU0X3X4bPBLbo2VomQs=
X-Google-Smtp-Source: ABdhPJwvUGBxa5P1lPcrA8KE4bTdWBZMI1Cl5npJ3a8Vmg48B1Od1U2qcGu3EcEzs28BlGQqg+05hM0lOwyhwB287BY=
X-Received: by 2002:a25:7752:: with SMTP id s79mr48739486ybc.522.1618428412054; Wed, 14 Apr 2021 12:26:52 -0700 (PDT)
MIME-Version: 1.0
References: <20210413015000.9297272C47BA@ary.qy> <> <> <> <20210414182644.GO9612@localhost>
In-Reply-To: <20210414182644.GO9612@localhost>
From: Phillip Hallam-Baker <>
Date: Wed, 14 Apr 2021 15:26:40 -0400
Message-ID: <>
Subject: Re: new RRTYPEs, was DNSSEC architecture vs reality
To: Nico Williams <>
Cc: John R Levine <>, IETF general list <>
Content-Type: multipart/alternative; boundary="00000000000098604705bff3ba5a"
Archived-At: <>
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Apr 2021 19:26:56 -0000

On Wed, Apr 14, 2021 at 2:26 PM Nico Williams <> wrote:

> On Wed, Apr 14, 2021 at 12:48:05PM -0400, Phillip Hallam-Baker wrote:
> > I did propose a TXT record that could be used for unstructured config
> > and the DNS folk rejected it (as they always do). So I really don't
> > care how upset they get about the uses their comment field is being
> > put to.
> If we were starting from scratch we might well not bother with
> non-textual RDATA, or domainname compression (we'd zlib-compress all
> message payloads).
> As tempting as just-one-last-new-RRtype would be, a TXT-like RR with a
> sub-type prefix of its textual RDATA, the fact that there would be no
> easy way to select for RRs of this type and with a particular sub-type
> prefix means we'd probably end up being unhappy with it.  Knowing little
> else about this, I'm inclined to believe that that "the DNS folk
> rejected it" with good reason.

So your argument is that you don't know what my proposal was so you will
invent your own proposal which is stupid and then conclude that it was
rightfully dismissed as stupid. If you don't understand someone's proposal,
better to ask them rather than making up stories.

It isn't that difficult to make prefixed records delegate correctly either.
I proposed a way to do that. But folk would much rather insist that their
way of doing things is right and that everyone else is in the wrong for
ignoring them.

TXT records are a means of publishing policy information in the DNS. The
principled approach is to use a prefixed record. That this breaks
wildcarding in DNSSEC is a DNSSEC issue, not a DNS policy issue.

If as John Klensin claims, there is a need for comments in the DNS, create
a REM RRType for that purpose. The lack of selectors is irrelevant as they
are merely comments.

Why not just do the job in a scalable fashion? The reason DNS names cost
$10/yr is that the protocol is broken and requires the TLDs to be published
by means of an interactive query protocol even though the data being
published almost never changes. Push that task out to the party providing
authoritative query service for the zone and over 99% of the costs of
running the registry disappear:

Mathematical Mesh 3.0 Part VII: Mesh Callsign Service (

Building out a PKI to validate names already assigned is a really hard
problem. Building out a PKI as the names are assigned is a very different

But of course, nobody will read my proposal, you will just complain
afterwards that I did it all wrong.