Re: [keyassure] PKIX/KIDNS validation results and draft-hoffman-keys-linkage-from-dns

[Olafur Gudmundsson <ogud@ogud.com>]

On 10/30/2010 09:02 PM, Warren Kumari wrote:
>
> On Oct 30, 2010, at 8:07 PM, James Cloos wrote:

> Another option (which has some (IMO) of the elegance retained, but
> probably has scalability and leakage issues) is
> foo.example.com <http://foo.example.com> IN A 192.0.2.1
> IN KIDNS 443 545254634563546354
> IN KIDNS 993 435245243523452345
> IN KIDNS 5222 23452345435234545
> ) -- basically, have the records for foo.example.com
> <http://foo.example.com> (or just exmaple.com <http://exmaple.com>) all
> at the same level, but have the ports included in the response.
>
>>
>> Or both, preferring the more specific if both exist?
>
> Oooh, that's interesting -- to be honest I hadn't thought of that... One
> huge consideration is minimizing the number of DNS lookups needed to
> make all the magic happen -- if this system requires lots of lookups,
> the browser folk will be unwilling to implement as the user experience
> will be horrendous....
>
>>
>> The more specifc option permits different certs for, eg, _http._tcp
>> vs _smtp._tcp vs _sip._tcp, but also means maintaining probably
>> identical RRs for eg _sip._tcp, _sip._udp and _sip._sctp.
>>
>> I can see how each might be perceived as necessary, but also how each
>> might be perceived as undesirable.
>
> Yes, both are (IMO) sub-optimal -- my *personal* view of the world

Rule #1 in DNS land: Do not optimize until you know exactly what the 
problem is as most "design" optimization have turned out to be bad
for protocol or operations.

> involves having unique names for each service (www.example.com
> <http://www.example.com>, imap.exmaple.com <http://imap.exmaple.com>,
> jabber.example.com <http://jabber.example.com>) which sidesteps this
> issue, but enough folk have raised this issue that it needs to be
> addressed....
>
>

There are multiple ways to address this, in general DNS people recommend 
strongly against "sub-typing" i.e. having multiple different protocols 
share the same RRset.
There are number of issues here to think about:
	size of the RRset
	Number of foot prints per protocol/port
	How is/are the RRsets are maintained, in particular is
		dynamic update used.

Think about operations for a minute, if the 'web' team has write access 
via dynamic update to the web KIDNS rrset then they maintain it without
involving the 'dns' team.
Now having the 'mail', 'web' and other protocols share one set then all 
of them either need write access or to involve the 'dns' team for 
arbitration.

As Chome has demonstrated there it is not that hard to have multiple 
queries in flight at the same time, in general the rule should be
"prefer more specific".

Additionally there may be different ways to reach the same service,
like www.foo.bar and foo.bar. are then two copies of KIDNS records 
stored or does the protocol need KIDNS_ALIAS [<port>] <name> that has
pointer to the real set?

I want to emphasize Jakob's point that it is important to differentiate 
between where service is described (MX) and where it is provided (A 
records).

	Olafur

	Olafur