Re: [dnsext] Fwd: New Version Notification for draft-sury-dnsext-cname-dname-00

Ondřej Surý <ondrej.sury@nic.cz> Fri, 23 April 2010 10:22 UTC

Message-ID: <4BD16A61.90301@nic.cz>
Date: Fri, 23 Apr 2010 11:37:37 +0200
From: Ondřej Surý <ondrej.sury@nic.cz>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 Thunderbird/3.0.4
MIME-Version: 1.0
To: YAO Jiankang <yaojk@cnnic.cn>
CC: Mark Andrews <marka@isc.org>, namedroppers@ops.ietf.org
Subject: Re: [dnsext] Fwd: New Version Notification for draft-sury-dnsext-cname-dname-00
References: <4BC720DE.8080900@nic.cz> <5C8B7499CFD24579BD7B75CB8050FDA1@local> <4BD0521B.9090803@nic.cz> <986F4044CBEE422BB769C7BA94B90BF2@local> <4BD064E4.9060700@nic.cz> <201004230031.o3N0VRQb069783@drugs.dv.isc.org> <4BD1558D.5090703@nic.cz> <472013124.07253@cnnic.cn>
In-Reply-To: <472013124.07253@cnnic.cn>
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

On 23.4.2010 10:58, YAO Jiankang wrote:
>
>> So it looks like those two common existing implementation are already
>> ready for CNAME+DNAME.
>>
>> And that's exactly my point - with a very simple change in CNAME semantics
>> we can get a full alias in the DNS tree, which is already supported by the
>> majority of DNS servers in the wild (at least those supporting DNAME).
>>
>
> The CNAME is the basic record. Many protocols are based on it.

That's not true.  No protocol I know of except DNS relies on CNAME.  All 
other protocols ask for A, AAAA (usually via getaddrinfo through your 
resolver), MX, SRV, etc.  I am not aware of any protocol directly asking 
for CNAME records.

> If you want to break CNAME, you are trying to shake the basis of DNS.

I am not breaking CNAME.  If you think I am breaking CNAME, please prove 
it or stop saying that.  I am enhancing CNAME semantics to allow 
coexistence with DNAME.  CNAME and DNAME don't share the same alias space. 
Also there is no change by default - it could only affect the other party in 
case you also add a DNAME.

> If you build a rule and 1000 users have followed it, you may update or modify the rule.
>
> If you build a rule and 1,000,000,000 users have followed it, you should be CAUTIOUS when you wish to update or modify the rule.
>
> If a new record is submitted, someone may choose to follow it or not.
> But if you change the basic rule, you must push each of the 1,000,000,000 users to follow it.

Sorry, but no, that's not true either.  This could possibly break some 
authoritative and/or recursive DNS server.  But in a way which is 
exactly the same as adding a new RRTYPE - since nobody is forced to add 
CNAME+DNAME to its zone.  And I have already proven that it doesn't 
break Bind 9 or Unbound functioning as resolvers, and that's mainly 
because there are already much worse scenarios in the DNS tree - as I have 
also shown with the idos.cz case.  And I am willing to retest more resolvers 
(including older versions of Bind9), I just don't have time for it 
right now.

It will have no impact on the common end user - because in normal 
circumstances CNAME is not used directly - it's handled by resolvers.

Also, loosening the CNAME rules will not break anything for the 1,000,000,000 
users already using CNAMEs.  It will only affect:

1) users adding CNAME+DNAME to their zones
2) users using such zones

But that's not different from BNAME.

I know I am touching the very basics of DNS and I also consider RFC1034 
and RFC1034 to be sacred :-), but please let's work with facts, test 
cases, test scenarios, etc.  If you feel that the CNAME+DNAME proposal breaks 
anything, please provide a test case.  I would be the first to say we should 
drop CNAME+DNAME if there is a serious breakage somewhere, but we should 
not reject the proposal based on Fear, Uncertainty, Doubt (tm).

Also, anybody is free to use the experimental dname.cz zone; I am willing to 
add any combination of records to the zone, so you can test whatever 
protocol and test case you want.  I could add simplified/mandarIDN f.e. 
if you want.

BTW, let me show you something; try pasting these into your browser:

www.cnnic.测试.dname.cz
www.cnnic.測試.dname.cz

in punycode:
www.cnnic.xn--0zwm56d.dname.cz
www.cnnic.xn--g6w251d.dname.cz

And check your mail log for rejected mail sent to:

yaojk@cnnic.xn--0zwm56d.dname.cz
and
yaojk@cnnic.xn--g6w251d.dname.cz

I put those two email addresses in Bcc:, so we don't keep them in the next 
conversation.

Ondrej

> Jiankang Yao
>
>
>
>> I am sure that this will break something somewhere, but those places
>> would be broken with BNAME as well.  But BNAME has to be implemented
>> everywhere - authoritative DNS, resolvers, firewalls, etc.
>>
>> Don't get me wrong, I think that BNAME is a fine proposal, but I think
>> that we have a much simpler option right before us.  Also it is not something
>> new, we did change the semantics of CNAME before, because of DNSSEC, so I am
>> not proposing a revolution, just a merging of two existing working principles.

Ondrej
-- 
  Ondřej Surý
  vedoucí výzkumu/R&D manager
  -------------------------------------------
  CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
  Americka 23, 120 00 Praha 2, Czech Republic
  mailto:ondrej.sury@nic.cz    http://nic.cz/
  tel:+420.222745110       fax:+420.222745112
  -------------------------------------------
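The message above argues two things that are easy to check in code: that CNAME and DNAME alias different parts of the name space (the owner name itself versus the names below it), and that the two IDN spellings of the test domain really are distinct labels with distinct punycode forms. The following is an added example written for this archive page, not code from Ondřej Surý or from the dname.cz zone. The zone contents (owner names, CNAME and DNAME targets pointing at cnnic.cn) are constructed for illustration; the page does not say where the real dname.cz records point. A CNAME and a DNAME at one owner is what the draft proposes to allow; under RFC 1034 a CNAME owner may hold no other data (DNSSEC records aside), so a production resolver today would not see such a node.

```python
"""Added example: DNAME substitution and CNAME/DNAME coexistence on a
toy zone, with IDN labels converted via Python's built-in 'idna' codec.
All zone data below is constructed for illustration."""


def to_ascii(name: str) -> str:
    """Convert a (possibly IDN) domain name to its A-label (punycode) form,
    label by label, e.g. 'www.cnnic.测试.dname.cz' -> 'www.cnnic.xn--0zwm56d.dname.cz'."""
    return ".".join(
        label.encode("idna").decode("ascii") for label in name.strip(".").split(".")
    )


# Constructed zone: owner name -> {RRTYPE: target}. The first owner carries
# both a CNAME and a DNAME, which is the coexistence the draft argues for.
ZONE = {
    "cnnic.xn--0zwm56d.dname.cz": {"CNAME": "cnnic.cn", "DNAME": "cnnic.cn"},
    "cnnic.xn--g6w251d.dname.cz": {"DNAME": "cnnic.cn"},
}


def resolve_alias(qname: str):
    """Return (target, mechanism) for one alias step on QNAME, or (None, None).

    - A CNAME aliases exactly its owner name.
    - A DNAME aliases every name *below* its owner, never the owner itself;
      the resolver synthesizes a CNAME by swapping the DNAME owner suffix
      for the DNAME target (RFC 6672 style substitution).
    The two therefore never apply to the same query name, which is the
    'don't share the same alias space' point made in the message."""
    qname = to_ascii(qname).lower()

    # Step 1: exact owner match -> CNAME wins for the owner name itself.
    rrs = ZONE.get(qname, {})
    if "CNAME" in rrs:
        return rrs["CNAME"], "CNAME"

    # Step 2: look for the closest enclosing owner that holds a DNAME.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        owner = ".".join(labels[i:])
        rrs = ZONE.get(owner, {})
        if "DNAME" in rrs:
            prefix = ".".join(labels[:i])          # the part below the DNAME owner
            return f"{prefix}.{rrs['DNAME']}", "DNAME"

    return None, None


if __name__ == "__main__":
    for q in ("www.cnnic.测试.dname.cz", "www.cnnic.測試.dname.cz",
              "cnnic.xn--0zwm56d.dname.cz", "cnnic.xn--g6w251d.dname.cz"):
        print(f"{q:32} -> {to_ascii(q):36} {resolve_alias(q)}")
```

Note that the second owner has only a DNAME, so a query for the owner name itself yields no alias at all: the DNAME is simply not consulted for its own owner, and only the first owner's CNAME fills that gap. That asymmetry is what the two Bcc addresses in the message exercise from the mail side, where the MX lookup for the IDN domain hits the owner name while a web lookup for www.… falls under the DNAME.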