Re: [dnsext] does making names the same NEED protocol changes at all?

Ted Hardie <> Fri, 25 February 2011 21:07 UTC

Date: Fri, 25 Feb 2011 13:07:51 -0800
From: Ted Hardie <>
To: Andrew Sullivan <>
Subject: Re: [dnsext] does making names the same NEED protocol changes at all?

On Fri, Feb 25, 2011 at 11:20 AM, Andrew Sullivan <> wrote:

> But as you can see, we can discuss all of that without recourse to the
> specifics of the language, since the actual issue is that a zone
> administrator knows a label to label mapping of the items.

Dearly as I would love to agree with you, I fear I cannot.  The actual
issue is that humans interpolate well and canonicalize badly. We're
exploring how to mesh the untidy reality that colour/color, 中國/中国, and
a host of other examples are "the same" to those humans but not to an
exact match look-up protocol.

There are several classes of solutions we can envision.  One is a
referral from variants to canonical forms (like DNAME/CNAME and its
synthetic friends).  That works fine from a protocol perspective, but
it requires there to be a single "real" label and variants which only
point to it.  Some zones don't want that result, for both political
and practical reasons.

Another is one in which there is no DNS change at all, but zone
synchronization methods that ensure that the records at one label and
those at another are in sync.  This avoids declaring one to be "real",
but has a very large potential cost in terms of applications which
will not match them as the DNS is, in essence, declaring them to be

Another is to create a "canonical + supported variants" approach.
That would involve both mapping variants to a single label and storing
at that label some information about what the zone maintainer
considered variants, so that applications and local caches could treat
them the same.  The security properties of this approach are, to put
it mildly, interesting, but for variants all within a single
administrative domain, it is possibly workable.  The operational
consequences are also pretty daunting unless the record stores a
pointer to some well-known representation of the normalization rules
rather than the variants themselves.

This is a case where people want to treat DNS labels as human-friendly
strings.  They are asking us how far down that road we can go without
breaking fundamental bits of the DNS's design and deployment.  So far,
I hear "we can give you referrals to canonical forms, you can give
yourself synchronized zones, and we may be able to achieve a method
that stores variant information with a canonical form".  The label to
label mapping problem is pretty clearly solved somewhere in that set,
but it is not at all sure that the "humans interpolate well, but
canonicalize badly" problem is or can be.

Just my two cents,

Ted Hardie
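As an added illustration of the first class of solution in the message above (a referral from variant labels to a single "real" label), here is a toy exact-match DNS store with DNAME substitution as specified in RFC 6672. It is example code written for this page, not from the thread or any DNS implementation; the zone data, names and the `lookup` function are constructed.

```python
from __future__ import annotations

# Added example (not from the original thread): a toy exact-match DNS store
# showing why "colour" and "color" are different names to the protocol, and
# how a DNAME at the variant label refers lookups to a single "real" label
# (RFC 6672 substitution). Zone data, names and this API are constructed.

def canonical_name(name: str) -> str:
    """DNS compares labels exactly apart from ASCII case (RFC 4343)."""
    return name.rstrip(".").lower() + "."

# Constructed zone: color.example is the "real" tree; colour.example only
# refers to it. Nothing but the DNAME is stored under colour.example.
ZONE = {
    "color.example.": {"A": ["192.0.2.1"]},
    "www.color.example.": {"A": ["192.0.2.2"]},
    "colour.example.": {"DNAME": ["color.example."]},
}

def lookup(qname: str, qtype: str) -> list[tuple[str, str, str]]:
    """Return (owner, type, rdata) records answering qname/qtype, or []."""
    qname = canonical_name(qname)
    if qname in ZONE and qtype in ZONE[qname]:
        return [(qname, qtype, r) for r in ZONE[qname][qtype]]
    # A DNAME applies only to names *below* its owner, so the variant apex
    # itself is not redirected: walk up the ancestors looking for one.
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        ancestor = ".".join(labels[i:])
        dname = ZONE.get(ancestor, {}).get("DNAME")
        if dname:
            target = ".".join(labels[:i]) + "." + dname[0]
            # Synthesize the CNAME the DNAME implies, then resolve the target.
            return [(qname, "CNAME", target)] + lookup(target, qtype)
    return []
```

Note that `lookup("colour.example", "A")` returns nothing: the variant apex needs its own records (or a CNAME, which cannot coexist with other data), which is the "single real label" constraint the message points out.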