IETF Logo Mail Archive

Re: [dnsext] ICANN's "synchronized domains" and the DNSEXT alias maybe-work

Brian Dickson <brian.peter.dickson@gmail.com> Sat, 10 April 2010 16:12 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D50233A6923; Sat, 10 Apr 2010 09:12:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.712
X-Spam-Level:
X-Spam-Status: No, score=0.712 tagged_above=-999 required=5 tests=[AWL=-1.207, BAYES_40=-0.185, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5gr7TKE+ONw; Sat, 10 Apr 2010 09:12:20 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 044173A67DA; Sat, 10 Apr 2010 09:12:19 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.71 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1O0dAI-000Lmi-7A for namedroppers-data0@psg.com; Sat, 10 Apr 2010 16:04:10 +0000
Received: from [74.125.83.52] (helo=mail-gw0-f52.google.com) by psg.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <brian.peter.dickson@gmail.com>) id 1O0dAA-000Lix-2h for namedroppers@ops.ietf.org; Sat, 10 Apr 2010 16:04:02 +0000
Received: by gwj23 with SMTP id 23so2049170gwj.11 for <namedroppers@ops.ietf.org>; Sat, 10 Apr 2010 09:04:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:received:message-id:subject:from:to:cc:content-type; bh=eJG5pJ8EskqJGkhLABRP6wy6z+ByatKcOgPdEcYC0F0=; b=cnO5kTRp4AdFJag2Q8Gt9bN/ZOMwt2cDYPqoBya/cRY0CrRZg4g71nlCzwQ6wsGyjg AJtiEbp0Ez43Wp9E/JZJLAL0fgE02jSLA/rhUBIwSX1dCF9vJvoQi4XvHLkyBlF4OUbu dxk1fWKbvc+8uqJ8tvrmQNl2DHqbRa0o1naX4=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=fCRGztxHWnfx7uM4IZaAro2v/BO3wuunpD43Uu4Gu1cVgZa8juShTCq4LeayRch0Cp Pkb/Xke2orRw7s70JOZF9wkoiQCAXWfe9asm75ljbfVZOoJcf4IywCPKkVQaCVWU8auy 1Y2X/zgc5f+RKtQk1YmYVsHX+uSBf5qXz1aaM=
MIME-Version: 1.0
Received: by 10.100.91.5 with HTTP; Sat, 10 Apr 2010 09:04:00 -0700 (PDT)
In-Reply-To: <4BC062CA.8030203@abenaki.wabanaki.net>
References: <20100409145117.GH3595@shinkuro.com> <5B0CB63F-B238-44A8-89A6-09D508FE0FF9@icann.org> <20100409154138.GK3595@shinkuro.com> <1C64D935-BFA7-4C33-95AC-D7F514D093A0@icann.org> <20100409180535.GQ3595@shinkuro.com> <E304875B-8BB9-4DD6-A8B6-B79A8AFF2AC4@virtualized.org> <20100409190101.GY3595@shinkuro.com> <g2o3e1abd2c1004091936i45200fdl1d09e7ac4a29a4e7@mail.gmail.com> <4BC062CA.8030203@abenaki.wabanaki.net>
Date: Sat, 10 Apr 2010 13:04:00 -0300
Received: by 10.101.29.22 with SMTP id g22mr2555417anj.56.1270915440819; Sat, 10 Apr 2010 09:04:00 -0700 (PDT)
Message-ID: <p2r3e1abd2c1004100904jf5f4af98tc9cac4f7df524ebe@mail.gmail.com>
Subject: Re: [dnsext] ICANN's "synchronized domains" and the DNSEXT alias maybe-work
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Eric Brunner-Williams <ebw@abenaki.wabanaki.net>
Cc: Andrew Sullivan <ajs@shinkuro.com>, namedroppers@ops.ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

I think we are (all) in agreement, to some degree.

Here's what I'm trying to say, obviously not clearly enough to date:

There are currently mechanisms with limited ability to "deliver"
multiple names for the same data: CNAME and DNAME.
Those are limited mechanisms, which do not handle all cases.
And also, quite importantly, they do not in and of themselves support
DNSSEC validation without additional work by the Signer.

There are also brute-force means by which multiple names can be
enumerated, which does not use any DNS protocol elements.
Brute force, however, puts the burden on maintaining parallel zones on
the registrant.

The problem is scaling.

What we don't yet have, in terms of problem statement, is an answer to
what the scaling requirements are.

If the answer is "two", then likely no protocol work is needed. Two
scales nicely. I do not believe "two" is the answer, however.

If, on the other hand, the answer is P (as in P vs NP), polynomial
scaling, then I think we need to contemplate providing solutions in
the WG.

An example of polynomial is the expansion of regular expressions of the form:
{$A|$B|$C|...}
where
$A == $x.{$a|$b|$c}.{$d|$e}
$B == {$f|$g}.{$h|$i}.{$j|$k}
$C == $y.{$l|$m}.$z
and so on.

We haven't *yet* been given that as a requirement, at least from ICANN
or other groups.

However, if the real world users, i.e. registrants and end-users,
expect to be able
to refer to things by such multitudes of names, and get "the same" answers,
then scalability issues suggest having the technological means of
keeping the zones
completely identical is a firm requirement. And I believe that means
DNS protocol work,
either directly to do this, or indirectly to support non-DNS
implementations, e.g. literally
by means of indirection.

I also believe that *use* of DNS protocol technology envisioned needs
to be optional, and that
the brute force and existing CNAME/DNAME solutions all need to be
allowed and supported.

One size does not fit all.

And the sizes currently available do not include XXL, which is the real problem.

Brian

On Sat, Apr 10, 2010 at 8:36 AM, Eric Brunner-Williams
<ebw@abenaki.wabanaki.net> wrote:
> On 4/9/10 10:36 PM, Brian Dickson wrote:
>> ...
>> ICANN are concerned with the root and TLDs, but there ends their mandate.
>
> Please see rfc1591. In particular Section 3, parts 2 and 3.
>
>> ...
>> The TLDs need to provision and serve whatever is mandated by ICANN.
>
> ICANN is a California domiciled 501(c)(3) corporation which enters
> into contracts with what it calls "registry operators" (aka
> "contracted parties"). Contracts do not contain "mandates", unlike
> regulations. ICANN is not a regulatory body, authorized by some
> specific enabling legislation.
>
> In broad terms, ICANN has contractual relationships with some (about
> 20) "registry operators" (far fewer actually independent "registry
> backend service providers", seven I think, pre-coffee), and memorada
> with some other "registry operators".
>
>> ...
>> And the registrants, particularly in the IDN space, need something of
>> real value,
>> especially beyond just the TLDs, to make it worth doing IDNs in the first place.
>
> The overwhelming bulk of that particular work has already been done,
> first in the IDNA WG, completed seven years ago, and more recently in
> the IDNAbis WG, recently completed.
>
> The problem statement here is either an administrative convenience
> statement for arbitrary similarity, or the edge cases arising from a
> very limited number of equivalent (in some sense) code points in the
> third-party repertoire, or the specific case of intelligibility and
> therefore equivalence (in some sense) of arbitrary substitution of
> code points in two sub-repertoires, commonly denoted "Simplified" and
> "Traditional" Chinese (aka "SC/TC equivalence").
>
> The utility of non-LDH labels, even if bootstring encoded from an LDH
> alphabet, and available only through presentation, does not depend on
> any work this group can conceivably take.
>
> Eric
>

v2.23.0 | Report a Bug | By Email