Re: new RRTYPEs, was DNSSEC architecture vs reality

[Phillip Hallam-Baker <phill@hallambaker.com>]

On Wed, Apr 14, 2021 at 2:26 PM Nico Williams <nico@cryptonector.com> wrote:

> On Wed, Apr 14, 2021 at 12:48:05PM -0400, Phillip Hallam-Baker wrote:
> > I did propose a TXT record that could be used for unstructured config
> > and the DNS folk rejected it (as they always do). So I really don't
> > care how upset they get about the uses their comment field is being
> > put to.
>
> If we were starting from scratch we might well not bother with
> non-textual RDATA, or domainname compression (we'd zlib-compress all
> message payloads).
>
> As tempting as just-one-last-new-RRtype would be, a TXT-like RR with a
> sub-type prefix of its textual RDATA, the fact that there would be no
> easy way to select for RRs of this type and with a particular sub-type
> prefix means we'd probably end up being unhappy with it.  Knowing little
> else about this, I'm inclined to believe that that "the DNS folk
> rejected it" with good reason.
>

So your argument is that you don't know what my proposal was so you will
invent your own proposal which is stupid and then conclude that it was
rightfully dismissed as stupid. If you don't understand someone's proposal,
better to ask them rather than making up stories.

It isn't that difficult to make prefixed records delegate correctly either.
I proposed a way to do that. But folk would much rather insist that their
way of doing things is right and that everyone else is in the wrong for
ignoring them.

TXT records are a means of publishing policy information in the DNS. The
principled approach is to use a prefixed record. That this breaks
wildcarding in DNSSEC is a DNSSEC issue, not a DNS policy issue.

If as John Klensin claims, there is a need for comments in the DNS, create
a REM RRType for that purpose. The lack of selectors is irrelevant as they
are merely comments.


Why not just do the job in a scalable fashion? The reason DNS names cost
$10/yr is that the protocol is broken and requires the TLDs to be published
by means of an interactive query protocol even though the data being
published almost never changes. Push that task out to the party providing
authoritative query service for the zone and over 99% of the costs of
running the registry disappear:

Mathematical Mesh 3.0 Part VII: Mesh Callsign Service (ietf.org)
<https://www.ietf.org/archive/id/draft-hallambaker-mesh-callsign-00.html>

Building out a PKI to validate names already assigned is a really hard
problem. Building out a PKI as the names are assigned is a very different
matter.

But of course, nobody will read my proposal, you will just complain
afterwards that I did it all wrong.