Re: new RRTYPEs, was DNSSEC architecture vs reality

John Levine <johnl@taugh.com> Tue, 13 April 2021 01:50 UTC

Date: 12 Apr 2021 21:49:59 -0400
Message-Id: <20210413015000.9297272C47BA@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: ietf@ietf.org
Subject: Re: new RRTYPEs, was DNSSEC architecture vs reality
In-Reply-To: <7a1e1ac5-dcc6-ce2c-684d-5f6616916edb@mtcc.com>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/xYDnDpE2NOkzKQYJHBQ0qqlmeEU>

It appears that Michael Thomas <mike@mtcc.com> said:
>> But DNS itself shouldn't have to change to implement new RR types, 
>> more than (perhaps) adding a line to a table that says RR type NN has 
>> ASCII name XX and the following types of parameters. And that table 
>> should be globally and securely accessible. Encode the table in DNS 
>> somehow, put it in the root zone or other zone managed by the root, 
>> give it a very long TTL, and sign it with DNSSEC.

Hey, what a good idea. Oh, look, someone wrote it up as an I-D starting ten years ago:

https://datatracker.ietf.org/doc/draft-levine-dnsextlang/

And here's a python library to implement it with encoder, decoder, and
a dictionary of field types you can use to create and decode web forms:

https://pypi.org/project/dnsextlang/

For perl users, it's built into recent versions of Net::DNS.

>Uh, think the long tail of UI's. Even $megacorps use them. And they 
>don't look kindly to monkey patches either.

No kidding. You extend the UI once to use the extension language to
create and parse forms for rrtypes, then fetch the rrtype descriptions from the
DNS. It really works, I use it in my own DNS provisioning crudware.

But as far as I can tell, nobody else does.

R's,
John
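An added example, not code from the draft, the dnsextlang package or this message, showing the table-driven decoding the message describes: an RR type description in TXT-style strings drives a bounds-checked RDATA decoder, so a UI never needs per-type code. The field codes (I1/I2/I4, N, S, X), the MX description strings and the wire bytes are constructed assumptions that only approximate the draft's syntax.

```python
# Table-driven RDATA decoder in the spirit of draft-levine-dnsextlang.
# The field-type codes below (I1/I2/I4, N, S, X) are an assumption that
# approximates the draft's grammar; consult the draft for the real syntax.

def parse_description(tokens):
    """tokens: ["NAME:NUM Description", "TYPE:field Label", ...] (constructed)."""
    head, *fields = tokens
    name, num = head.split(" ", 1)[0].split(":")[:2]
    spec = [tuple(f.split(" ", 1)[0].split(":", 1)) for f in fields]
    return name, int(num), spec

def _name(rdata, off):
    """Decode an uncompressed wire-format name; reject truncated or oversized labels."""
    labels = []
    while True:
        if off >= len(rdata):
            raise ValueError("truncated name")
        n = rdata[off]
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n > 63 or off + n > len(rdata):
            raise ValueError("bad label length")
        labels.append(rdata[off:off + n].decode("ascii"))
        off += n

def decode_rdata(spec, rdata):
    """Walk the field spec over rdata; every read is bounds-checked."""
    out, off = {}, 0
    for ftype, fname in spec:
        if ftype in ("I1", "I2", "I4"):          # fixed-width big-endian integers
            size = int(ftype[1:])
            if off + size > len(rdata):
                raise ValueError(f"truncated {fname}")
            out[fname] = int.from_bytes(rdata[off:off + size], "big")
            off += size
        elif ftype == "N":                       # domain name
            out[fname], off = _name(rdata, off)
        elif ftype == "S":                       # one-byte length-prefixed string
            if off >= len(rdata) or off + 1 + rdata[off] > len(rdata):
                raise ValueError(f"truncated {fname}")
            out[fname] = rdata[off + 1:off + 1 + rdata[off]].decode("ascii")
            off += 1 + rdata[off]
        elif ftype == "X":                       # remaining bytes, shown as hex
            out[fname], off = rdata[off:].hex(), len(rdata)
        else:
            raise ValueError(f"unknown field type {ftype}")
    if off != len(rdata):                        # junk after the last field is an error
        raise ValueError("trailing bytes in RDATA")
    return out

# Constructed MX description and wire RDATA (preference 10, mail.example.com.)
MX_DESC = ["MX:15 Mail exchange", "I2:preference Preference", "N:exchange Mail server"]
MX_RDATA = b"\x00\x0a\x04mail\x07example\x03com\x00"
```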