IETF Logo Mail Archive

Re: [dnsext] does making names the same NEED protocol changes at all?

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 25 February 2011 19:01 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E62403A67F8; Fri, 25 Feb 2011 11:01:24 -0800 (PST)
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 305E93A67F8 for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 11:01:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2CwDpguTiAX3 for <dnsext@core3.amsl.com>; Fri, 25 Feb 2011 11:01:22 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id E95493A66B4 for <dnsext@ietf.org>; Fri, 25 Feb 2011 11:01:21 -0800 (PST)
Received: by fxm15 with SMTP id 15so2025157fxm.31 for <dnsext@ietf.org>; Fri, 25 Feb 2011 11:02:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=MjMJArKjm8d9XjrIJIkTZvOcetgJ3QfPWs8vWsgkXJc=; b=UU/sFCqCmNIN3si9s0C7xU6L3PkTqz8WdgeKTy9cLQ1K0M5dBuLvAjN6bDVdjA1FeB PZ8ZVEo9e+mmnkT90aG32X1aYrvkyFptKT6ewPk9FX0D5mBQfyHb+dWPp9ubGtAlkh2L 8WUTE2I42uaegwiw+9SwNJ2jJ1oZLi9XyrnTc=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=g00NiAbOjlzqcwkqtZ4Tbv+U/ON6kmKfaLNzuc/mhBq0m9dt0Mr9uCGKKwx9mPE7QP jnfFPE+4n3gFyJVSMVWH9hG4mBfQtFEcogv0JLSJiuq1/p1slNetWi0NKzmH5YAB2Bzr MPjtDhpkeH7GpqiMzeoia352BZUlvnUpMHlUw=
MIME-Version: 1.0
Received: by 10.223.96.66 with SMTP id g2mr3114174fan.61.1298660534300; Fri, 25 Feb 2011 11:02:14 -0800 (PST)
Received: by 10.223.107.132 with HTTP; Fri, 25 Feb 2011 11:02:14 -0800 (PST)
In-Reply-To: <A6CD428C-2D90-44DE-B623-26E80828677B@icsi.berkeley.edu>
References: <AANLkTikHm62x=+xWpSRyERw2cB31yZZhVkTT-90dgFjk@mail.gmail.com> <39EBBA76-22F1-4935-9300-B0078B229793@ICSI.Berkeley.EDU> <5A100E65-FB09-4556-AA5A-BF9FE0468DDA@ICSI.Berkeley.EDU> <AANLkTikECGtJm5WyDnX=s8zTERu89qLbFDebf8R1y4Pa@mail.gmail.com> <6AD400292B2C771C7FE70E8F@Ximines.local> <20110225143043.GB74938@shinkuro.com> <AANLkTimfhfsj65Vec61-_Q18+RoC1144Zf1E2bQhvt18@mail.gmail.com> <alpine.LSU.2.00.1102251653290.5244@hermes-1.csi.cam.ac.uk> <AANLkTinvqqGTGPeMXUcAv5iY1KGn_=LwfGr3debWo_GE@mail.gmail.com> <F87B152F-4941-4B6D-8DC1-4F7D60198DA7@icsi.berkeley.edu> <20110225184838.GS74938@shinkuro.com> <A6CD428C-2D90-44DE-B623-26E80828677B@icsi.berkeley.edu>
Date: Fri, 25 Feb 2011 15:02:14 -0400
Message-ID: <AANLkTimXd_9NvWgaap=BMkN0hd9ZAXjVrWGct7JegFmA@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Nicholas Weaver <nweaver@icsi.berkeley.edu>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] does making names the same NEED protocol changes at all?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

On Fri, Feb 25, 2011 at 2:51 PM, Nicholas Weaver
<nweaver@icsi.berkeley.edu> wrote:
>
> On Feb 25, 2011, at 10:48 AM, Andrew Sullivan wrote:
>
>> No hat
>>
>> On Fri, Feb 25, 2011 at 10:34:22AM -0800, Nicholas Weaver wrote:
>>>
>>> There is NOTHING which prevents such slaves from forwarding the dynamically signed requests to the master and caching the results and forwarding it on.
>>
>> Except, of course, that it would be insane, since that would turn the
>> master into a potential single point of failure for any lookup in the
>> zone.  A significant reason for the success of the DNS is its loose
>> consistency and resulting resilience to failure.  Any scheme which
>> replaces that with a single server is doomed to failure.
>
> It is ONLY a point of failure for NeW MiXED CasINGs which appear.  Old ones remain cached.
>
> And unlike other schemes, does NOT require any changes to resolvers.  Any proposal which requires changes to resolvers rather than just authorities which want to support non-ascii mixed case is IMO, a non-starter.

I think it is useful to be precise in scoping exactly what changes
we're talking about.

Specifically, when it comes to DNSSEC and signatures, there are
several individual cases, whose deployed implementation may or may not
require changes, depending on the specific proposal(s):
- validating iterative resolvers
- non-validating, DNSSEC-aware iterative resolvers (is there such a thing?)
- DNSSEC-unaware iterative resolvers
- validating stub resolvers
- non-validating, DNSSEC-aware stub resolvers (CD=1) (who talk to
validating iterative resolvers)
- DNSSEC-unaware resolvers (who may be talking to any of the above
sorts of iterative resolvers)

The tails on each of these is of (drastically, IMHO) different lengths.

And, the behavior in the cases of unmodified instances of the above,
in the face of modified authority server answers (new RRtypes, new
DNSSEC RRTYPEs, new DNSSEC validation logic), may differ too.
(Bogus vs Insecure is a huge difference.)

Let's hold off on passing judgement until:
- the requirements doc is cleaned up and accepted (or not)
- proposals are available for evaluation, and/or have been read and
commented on.

(ObContent - my somewhat stale DS2 draft is on-topic, I hope, and
could use some reviewers and feedback, even if it is not yet time to
propose adopting it for WG consideration. Applies only to validating
resolvers (of both kinds) and authority servers who want to use it,
and is benign/fail-safe-ish, with "insecure" rather than "bogus" when
the validator does not understand it.)

Brian
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email