Re: [dnsext] Fw: I-D Action:draft-yao-dnsext-bname-02.txt
Mark Andrews <marka@isc.org> Wed, 16 June 2010 21:42 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F1AEF3A6934; Wed, 16 Jun 2010 14:42:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.232
X-Spam-Level:
X-Spam-Status: No, score=-0.232 tagged_above=-999 required=5 tests=[AWL=-0.833, BAYES_50=0.001, J_CHICKENPOX_55=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SfT-qJi6oD6u; Wed, 16 Jun 2010 14:42:57 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 88F723A6936; Wed, 16 Jun 2010 14:42:57 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1OP0Iy-0003sv-B4 for namedroppers-data0@psg.com; Wed, 16 Jun 2010 21:37:52 +0000
Received: from [2001:4f8:0:2::2b] (helo=mx.pao1.isc.org) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.71 (FreeBSD)) (envelope-from <marka@isc.org>) id 1OP0It-0003sI-FY for namedroppers@ops.ietf.org; Wed, 16 Jun 2010 21:37:47 +0000
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id BC0BCC9420; Wed, 16 Jun 2010 21:37:35 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:214:22ff:fed9:fbdc]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "drugs.dv.isc.org", Issuer "ISC CA" (not verified)) by farside.isc.org (Postfix) with ESMTP id EAC27EFA1D; Wed, 16 Jun 2010 21:37:34 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (8.14.3/8.14.3) with ESMTP id o5GLbSjM042451; Thu, 17 Jun 2010 07:37:29 +1000 (EST) (envelope-from marka@drugs.dv.isc.org)
Message-Id: <201006162137.o5GLbSjM042451@drugs.dv.isc.org>
To: George Barwood <george.barwood@blueyonder.co.uk>
Cc: Jiankang YAO <yaojk@cnnic.cn>, namedroppers@ops.ietf.org
From: Mark Andrews <marka@isc.org>
References: <476592152.09177@cnnic.cn> <833E80C68446499A9F68638299F2F349@local> <476687310.07502@cnnic.cn> <9497997BEBD1436AA9B3BB63A1DBB7D7@local>
Subject: Re: [dnsext] Fw: I-D Action:draft-yao-dnsext-bname-02.txt
In-reply-to: Your message of "Wed, 16 Jun 2010 15:54:31 +0100." <9497997BEBD1436AA9B3BB63A1DBB7D7@local>
Date: Thu, 17 Jun 2010 07:37:28 +1000
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
In message <9497997BEBD1436AA9B3BB63A1DBB7D7@local>, "George Barwood" writes: > > ----- Original Message ----- > > From: "George Barwood" <george.barwood@blueyonder.co.uk> > > To: "Jiankang YAO" <yaojk@cnnic.cn>; <namedroppers@ops.ietf.org> > > Sent: Tuesday, June 15, 2010 5:42 PM > > Subject: Re: [dnsext] Fw: I-D Action:draft-yao-dnsext-bname-02.txt > > > >> As far as I can see, DNAME is capable of preventing an exponential increase > >> in records, and the necessity of mirroring any data records in the zone apex > >> that are not redirected by DNAME is a relatively minor administrative inconvenience, > >> that can probably be mitigated by judicious use of the $INCLUDE directive. > >> > > > > there is a dname discussion related to the draft http://tools.ietf.org/id/draft-yao-dnsop-idntld-implementation-01.txt > > in dnsop list. you may see it in dnsop list > > > >> The draft does not seem to mention the incompatibility of BNAME with existing validating > >> resolvers. I think some discussion of how a transition might be managed ( new algorithms?), > > > > do you want to make the existing validating resolvers to recognize the bname? > > if yes, you need to update the validating resolvers to support bname. > > if not, the existing validating resolvers will do it as if there were not bname. > > so the draft said " In order to make BNAME valid in DNSSEC > > verification, the DNSSEC enabled resolvers and servers MUST support > > BNAME. " Correct which is why we need to signal BNAME support with a algorithm number change the same way as we did for NSEC3. > This is an obstacle for the introduction of BNAME. If existing algorithms are used, then > resolvers that have not been updated would get validation errors ( Bogus => SERVERFAIL ), > since the CNAME records cannot be validated. This is almost certainly unacceptable. > > If new algorithms are used, resolvers that have not been updated will get Insecure, which is probably > more acceptable, but still a major disadvantage. Which is what I've been recommending all along. > Either way, a long time would have to elapse before (for example) the root zone could use BNAME, > to allow people time to update their resolver software. No. Lots of validators out there don't support RSASHA256 but the root is using that. BNAME doesn't require resolvers to be upgraded for it to be used. > > your possible suggestion ( new algorithms?) also need update the resolvers or servers. > > > > if you doesn't update anything but make the existing validating resolvers to recognize the bname, it seems to be impossible to do so. > > > > do u have good idea about it? > > I think relaxing the restriction on CNAME+DNAME, as per > > http://tools.ietf.org/id/draft-sury-dnsext-cname-dname-00.txt > > may be a more practical way forward, since apparently it is not necessary in practice for resolvers to be updated. > This assertion needs to be checked carefully - I have personally checked BIND and Unbound (via the public resolvers at https://www.dns-oarc.net/oarc/services/odvr ) and my own implementation, and they all appear to work fine. Only the authoritative server software need be updated, which is under the control of anyone who wishes to publish CNAME+DNAME. CNAME+DNAME also has DNSSEC validation issues. CNAME is used instead of a NSEC to prove non-existance of the type. Change the rules requires old servers to send NSEC's as well as the CNAME records to answer DNAME queries. > Regards, > George Barwood -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [dnsext] Fw: I-D Action:draft-yao-dnsext-bname-02… Jiankang YAO
- Re: [dnsext] Fw: I-D Action:draft-yao-dnsext-bnam… Jiankang YAO
- Re: [dnsext] Fw: I-D Action:draft-yao-dnsext-bnam… Jiankang YAO
- Re: [dnsext] Fw: I-D Action:draft-yao-dnsext-bnam… Mark Andrews
- Re: [dnsext] Fw: I-D Action:draft-yao-dnsext-bnam… Mark Andrews
- [dnsext] bname new algorithm identifier Jiankang YAO
- Re: [dnsext] bname new algorithm identifier Olafur Gudmundsson
- Re: [dnsext] bname new algorithm identifier Jiankang YAO