IETF Logo Mail Archive

[dnsext] does making names the same NEED protocol changes at all?

Nicholas Weaver <nweaver@ICSI.Berkeley.EDU> Thu, 24 February 2011 16:59 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 03EDA3A677E; Thu, 24 Feb 2011 08:59:51 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A12193A677E for <dnsext@core3.amsl.com>; Thu, 24 Feb 2011 08:59:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.299
X-Spam-Level:
X-Spam-Status: No, score=-2.299 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L4hK3AeBxbNG for <dnsext@core3.amsl.com>; Thu, 24 Feb 2011 08:59:47 -0800 (PST)
Received: from taffy.ICSI.Berkeley.EDU (taffy.ICSI.Berkeley.EDU [192.150.187.26]) by core3.amsl.com (Postfix) with ESMTP id C9D283A65A5 for <dnsext@ietf.org>; Thu, 24 Feb 2011 08:59:47 -0800 (PST)
Received: from gala.icir.org (gala.ICIR.org [192.150.187.49]) (Authenticated sender: nweaver) by taffy.ICSI.Berkeley.EDU (Postfix) with ESMTP id 14BD136A58D; Thu, 24 Feb 2011 09:00:38 -0800 (PST)
References: <20110216165921.GW96213@shinkuro.com> <3B90ED2E-980D-4B01-889F-447D66D0B58D@insensate.co.uk> <20110216174011.GZ96213@shinkuro.com> <20110218143653.GC84482@bikeshed.isc.org> <20110218151209.GF66684@shinkuro.com> <4D5EEE09.4080405@dougbarton.us> <20110218222950.GL74065@shinkuro.com> <4D5F270F.20401@abenaki.wabanaki.net> <199C7B2B4228461FB024E59A990DB46D@ics.forth.gr> <4D641DB6.4090705@necom830.hpcl.titech.ac.jp> <20110222205617.GS53815@shinkuro.com> <4D64489B.7020901@necom830.hpcl.titech.ac.jp> <713D992A-1DB9-4F72-9D18-8E923AD51D8D@icsi.berkeley.edu> <AANLkTikf2ixw7JkxQiRBobv-seYnaYS0E3G8TboosnA=@mail.gmail.com> <alpine.LSU.2.00.1102231029260.27602@hermes-1.csi.cam.ac.uk> <AANLkTin6-mXBeKC_TzgvWUaCyxKfeZxTK1BQvXtpwuCN@mail.gmail.com> <4CC95816-8225-4CAE-897F-3F13F965BCEE@ICSI.Berkeley.EDU> <alpine.LSU.2.00.1102240953550.5244@hermes-1.csi.cam.ac.uk> <AANLkTiniVDDZXFOV4WryNN=+hK29rBO8_HTAqw7bK=Nf@mail.gmail.com> <AANLkTikZYBYyRKkZzMCuCJbVpqLx-2BBYW3TSMQ8ZL81@mail.gmai l.com> <8657EF4A-A08D-46E5-8917-553AE377CAD8@ICSI.Berkeley.EDU> <AANLkTikHm62x=+xWpSRyERw2cB31yZZhVkTT-90dgFjk@mail.gmail.com> <39EBBA76-22F1-4935-9300-B0078B229793@ICSI.Berkeley.EDU>
In-Reply-To: <39EBBA76-22F1-4935-9300-B0078B229793@ICSI.Berkeley.EDU>
Mime-Version: 1.0 (Apple Message framework v1082)
Message-Id: <5A100E65-FB09-4556-AA5A-BF9FE0468DDA@ICSI.Berkeley.EDU>
From: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Date: Thu, 24 Feb 2011 09:00:37 -0800
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
X-Mailer: Apple Mail (2.1082)
Cc: dnsext@ietf.org
Subject: [dnsext] does making names the same NEED protocol changes at all?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Feb 24, 2011, at 5:52 AM, Nicholas Weaver wrote:

> 
> On Feb 24, 2011, at 5:44 AM, Phillip Hallam-Baker wrote:
> 
>> So you are saying that it is TOO LATE to make a change that would have major impact on the practice of domain management?
> 
> I'm stating that your "nobody validates DNSSEC" claim is demonstrably false.

More precisely, there is a large ISP, Comcast, where ALL users who've opted out of NXDOMAIN wildcarding are behind DNSSEC validating resolvers.  I would call this a significant operational deployment of DNSSEC validation.



However, back to the original topic: why does case insensitivity for non-ASCII NEED protocol changes?  Can't it be done with just authority changes for only those authorities needing case insensitive non-ASCII names (rather than a protocol change which needs universal changes to the resolvers)


The authority has a standard mapping for case insensitivity in the language in question.  

a: If its the terminal authority for a name, it just runs the mapping and returns the value (if necessary, generating a DNSSEC signature on the fly if its an uncached mapping).

b:  If the authority is not a terminal, and it knows that the authority directly beneath it for a name support case insensitivity, it just runs the mapping and returns the appropriate value (if necessary, generating a DNSSEC signature on the fly if its an uncached mapping).

c:  If the authority is not a terminal, and it does NOT know that the authority directly beneath it supports case insensitivity, it runs the mapping to generate a canonicalized DNAME or CNAME (as appropriate) with TTL=0 and, if necessary, generates the appropriate signature.


Cases A and B Just Work (tm).  

Case C will work as well because you don't have the CNAME + DNAME problem because the TTL is 0.  Case C may reduce caching and also increase latency, but that is ONLY network load on the authority not computation load (because the DNSSEC signature is cached), and creates an incentive for the authority directly beneath to support case-insensitive names.


NO DNS protocol changes are required, everything is provisioning and authority side changes.


By maintaining a cache of signed data, the reality is although it supports effectively exponential case-recasing, the ones which are actually used get in the cache.  If the cache is well structured and sticky, a computational DOS won't be able to evict valid entries (limiting its effect to only new BizArrE caSeS of TyPogRaphy)

_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email