IETF Logo Mail Archive

Re: [dnsext] does making names the same NEED protocol changes at all?

Phillip Hallam-Baker <hallam@gmail.com> Thu, 24 February 2011 17:16 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 294523A67AF; Thu, 24 Feb 2011 09:16:24 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C032E3A67AF for <dnsext@core3.amsl.com>; Thu, 24 Feb 2011 09:16:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.566
X-Spam-Level:
X-Spam-Status: No, score=-3.566 tagged_above=-999 required=5 tests=[AWL=0.032, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 42Iod+XTWPDo for <dnsext@core3.amsl.com>; Thu, 24 Feb 2011 09:16:22 -0800 (PST)
Received: from mail-bw0-f44.google.com (mail-bw0-f44.google.com [209.85.214.44]) by core3.amsl.com (Postfix) with ESMTP id 0B6EC3A677E for <dnsext@ietf.org>; Thu, 24 Feb 2011 09:16:21 -0800 (PST)
Received: by bwz13 with SMTP id 13so1468133bwz.31 for <dnsext@ietf.org>; Thu, 24 Feb 2011 09:17:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=gQhauXZfF3oHWcggRWJfIVLjpcXtiGAMN7n6hrzNW2c=; b=W/G/h2uRe+9KlnwxrtDo3mi2G9ql2fyMbykBb5Gt/ThyaVFnSj4qJySLEnMTJmkC1Q l52PAorLP+olByHsvArbVt+vjVjiACPqv2vU5s0mETFry/prQ/oy2QR9/xy1syixwjr5 ibxs/o3SYQSDIGrXd+qyhenOgojeSfLLSVW/c=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=O/q8NBtHj8ldqpJ8AIL21knNUEyt31JMawROnoUI2RpXIuBJWuSS6mHRiQFxkUqWSY f/INhe5VklUlCWPkP0UQBJSjIVWd1IXp0F6Fr334g7WvKDFIWfPlO0oSn+Q5I9Sb32jN vG7Ud5fxc+e8GXCNhZR/c/m58R9Sv2ONltv4o=
MIME-Version: 1.0
Received: by 10.204.52.136 with SMTP id i8mr1051201bkg.74.1298567830204; Thu, 24 Feb 2011 09:17:10 -0800 (PST)
Received: by 10.204.14.139 with HTTP; Thu, 24 Feb 2011 09:17:10 -0800 (PST)
In-Reply-To: <5A100E65-FB09-4556-AA5A-BF9FE0468DDA@ICSI.Berkeley.EDU>
References: <20110216165921.GW96213@shinkuro.com> <3B90ED2E-980D-4B01-889F-447D66D0B58D@insensate.co.uk> <20110216174011.GZ96213@shinkuro.com> <20110218143653.GC84482@bikeshed.isc.org> <20110218151209.GF66684@shinkuro.com> <4D5EEE09.4080405@dougbarton.us> <20110218222950.GL74065@shinkuro.com> <4D5F270F.20401@abenaki.wabanaki.net> <199C7B2B4228461FB024E59A990DB46D@ics.forth.gr> <4D641DB6.4090705@necom830.hpcl.titech.ac.jp> <20110222205617.GS53815@shinkuro.com> <4D64489B.7020901@necom830.hpcl.titech.ac.jp> <713D992A-1DB9-4F72-9D18-8E923AD51D8D@icsi.berkeley.edu> <AANLkTikf2ixw7JkxQiRBobv-seYnaYS0E3G8TboosnA=@mail.gmail.com> <alpine.LSU.2.00.1102231029260.27602@hermes-1.csi.cam.ac.uk> <AANLkTin6-mXBeKC_TzgvWUaCyxKfeZxTK1BQvXtpwuCN@mail.gmail.com> <4CC95816-8225-4CAE-897F-3F13F965BCEE@ICSI.Berkeley.EDU> <alpine.LSU.2.00.1102240953550.5244@hermes-1.csi.cam.ac.uk> <AANLkTiniVDDZXFOV4WryNN=+hK29rBO8_HTAqw7bK=Nf@mail.gmail.com> <8657EF4A-A08D-46E5-8917-553AE377CAD8@ICSI.Berkeley.EDU> <AANLkTikHm62x=+xWpSRyERw2cB31yZZhVkTT-90dgFjk@mail.gmail.com> <39EBBA76-22F1-4935-9300-B0078B229793@ICSI.Berkeley.EDU> <5A100E65-FB09-4556-AA5A-BF9FE0468DDA@ICSI.Berkeley.EDU>
Date: Thu, 24 Feb 2011 12:17:10 -0500
Message-ID: <AANLkTikECGtJm5WyDnX=s8zTERu89qLbFDebf8R1y4Pa@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] does making names the same NEED protocol changes at all?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1651465367=="
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

The problem here comes in that the downstream server needs to be prepared to
support the scheme. And there can be multiple levels of ambiguity so the
cache requirement grows exponentially with each level.

I am starting to get a really bad feeling about the resolve the same
requirement. Is the objective here really to make things work better or did
the authorities that raised this in ICANN have a rather different agenda?




On Thu, Feb 24, 2011 at 12:00 PM, Nicholas Weaver <nweaver@icsi.berkeley.edu
> wrote:

>
> On Feb 24, 2011, at 5:52 AM, Nicholas Weaver wrote:
>
> >
> > On Feb 24, 2011, at 5:44 AM, Phillip Hallam-Baker wrote:
> >
> >> So you are saying that it is TOO LATE to make a change that would have
> major impact on the practice of domain management?
> >
> > I'm stating that your "nobody validates DNSSEC" claim is demonstrably
> false.
>
> More precisely, there is a large ISP, Comcast, where ALL users who've opted
> out of NXDOMAIN wildcarding are behind DNSSEC validating resolvers.  I would
> call this a significant operational deployment of DNSSEC validation.
>
>
>
> However, back to the original topic: why does case insensitivity for
> non-ASCII NEED protocol changes?  Can't it be done with just authority
> changes for only those authorities needing case insensitive non-ASCII names
> (rather than a protocol change which needs universal changes to the
> resolvers)
>
>
> The authority has a standard mapping for case insensitivity in the language
> in question.
>
> a: If its the terminal authority for a name, it just runs the mapping and
> returns the value (if necessary, generating a DNSSEC signature on the fly if
> its an uncached mapping).
>
> b:  If the authority is not a terminal, and it knows that the authority
> directly beneath it for a name support case insensitivity, it just runs the
> mapping and returns the appropriate value (if necessary, generating a DNSSEC
> signature on the fly if its an uncached mapping).
>
> c:  If the authority is not a terminal, and it does NOT know that the
> authority directly beneath it supports case insensitivity, it runs the
> mapping to generate a canonicalized DNAME or CNAME (as appropriate) with
> TTL=0 and, if necessary, generates the appropriate signature.
>
>
> Cases A and B Just Work (tm).
>
> Case C will work as well because you don't have the CNAME + DNAME problem
> because the TTL is 0.  Case C may reduce caching and also increase latency,
> but that is ONLY network load on the authority not computation load (because
> the DNSSEC signature is cached), and creates an incentive for the authority
> directly beneath to support case-insensitive names.
>
>
> NO DNS protocol changes are required, everything is provisioning and
> authority side changes.
>
>
> By maintaining a cache of signed data, the reality is although it supports
> effectively exponential case-recasing, the ones which are actually used get
> in the cache.  If the cache is well structured and sticky, a computational
> DOS won't be able to evict valid entries (limiting its effect to only new
> BizArrE caSeS of TyPogRaphy)
>
>


-- 
Website: http://hallambaker.com/

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email