Re: [nscp] Updating zone *content* in-scope or not?

Jeffrey Hutzelman <> Mon, 20 September 2010 22:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 11B883A67B6 for <>; Mon, 20 Sep 2010 15:49:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.54
X-Spam-Status: No, score=-106.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HP9aFCgXW6fT for <>; Mon, 20 Sep 2010 15:49:43 -0700 (PDT)
Received: from (SMTP03.SRV.CS.CMU.EDU []) by (Postfix) with ESMTP id 87B4E3A6AF2 for <>; Mon, 20 Sep 2010 15:49:42 -0700 (PDT)
Received: from LYSITHEA.FAC.CS.CMU.EDU (LYSITHEA.FAC.CS.CMU.EDU []) (authenticated bits=0) by (8.13.6/8.13.6) with ESMTP id o8KMo4AA014667 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 20 Sep 2010 18:50:04 -0400 (EDT)
Date: Mon, 20 Sep 2010 18:50:04 -0400
From: Jeffrey Hutzelman <>
To: Edward Lewis <>
Message-ID: <>
In-Reply-To: <2697_1285007087_o8KIOkgj014039_a06240800c8bd5615cdee@[]>
References: <> <p062408d6c8b692e2c226@> <> <p062408dbc8b6aaf55b1a@> <> <> <p0624081fc8b7e8b23cc0@> <> <p06240837c8b839e8f192@> <> <p0624083ac8b8499641a3@> <22489_1284679010_o8GNGnKr014689_AANLkTikkgZs3keRo0DcRCx9jSAbrFiHeLsyxE5ss> <> <p0624086fc8b998cb98d6@[]> <> <2697_1285007087_o8KIOkgj014039_a06240800c8bd5615cdee@[]>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on
Subject: Re: [nscp] Updating zone *content* in-scope or not?
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Nameserver control/configuration protocol discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Sep 2010 22:49:46 -0000

--On Monday, September 20, 2010 02:24:30 PM -0400 Edward Lewis 
<> wrote:

> At 18:27 -0400 9/17/10, Jeffrey Hutzelman wrote:
>> As I see it, zone content management should be in scope for the
>> to-be-developed protocol, and needs to be one of the things we consider
>> as we design that protocol, even if actually defining how it works is
>> not one of the first things we work on.
> Have you read RFCs 1995, 1996 and 5936 for inter-authority server
> coordination of zone content and RFCs 2136 and 3007 for altering the
> content?

No, I've never read any DNS-related RFC's, and I don't understand a thing 
about how the system works.  I certainly have never operated a nameserver, 
let alone operated a moderately complex system of servers supporting 
several dozen zones and over 25K names for over a decade.  And I've never, 
ever written a line of DNS-related code.

I think it should be quite clear that while zone transfers and IXFR (and 
the associated notification mechanisms) are effective for distributing zone 
data to slaves, they are not a management mechanism.  Since we're here to 
talk about management, and the immediate question is whether and to what 
extent management of zone content should be in scope, I fail to see how the 
existance of zone distribution mechanisms, incremental or otherwise, is 

Certainly DDNS is useful for one-off updates.  It works well for updates 
from DHCP servers, or from clients/end-users.  It even works well for 
management, if your operation is simple enough that you can simply declare 
that the nameserver is the ultimate source of authority and all updates are 
done by administrators manually issuing DDNS updates.  Unfortunately, for 
_automatic_ management, such as keeping up to date with an external source 
that is the true authority while simultaneously accepting some kinds of 
update dynamically from users, DDNS is woefully inadequate.  I covered some 
of this in my first message on the topic, which apparently people didn't 
bother to read before telling me I was an idiot or that I needed to justify 
my argument:

> To make loading generated zone data work well, I need to keep metadata
> alongside each record indicating where it came from, so I can distinguish
> changes made by DDNS clients from situations where the zone simply
> doesn't match the current version of the generated data.  Today I do that
> by keeping a specially-formatted TXT record alongside each "real" record,
> so they can be updated at the same time (as part of the same (atomic)
> DDNS update).  I'd much rather do zone content management outside the DNS
> protocol, with the server not only keeping my record-origin metadata but
> also providing me with information about when a record was last updated
> and by what client, which doesn't appear in the DNS.

Let me make my position crystal-clear, if I can:

I'm not arguing that support for managing zoen content needs to happen now. 
I _am_ arguing that it needs to be able to happen in the future.  If I see 
work proceeding in a direction that would make it difficult or impossible 
to add record-level management operations, I will object.  If I see a 
proposed charter that is designed to forestall such objections now and 
forever by ruling record-level management out of scope, I will object to 

> Certainly the specified mechanism(s) have their limitations, but that's
> not what I think is needed to be discussed now.

On the contrary, what we're discussing now is the scope of the proposed 
working group.  If there's an argument to be made that certain work should 
be out of scope because it's adequately addressed by existing protocols, 
then the limitations of such protocols are certainly relevant to the 

-- Jeffrey T. Hutzelman (N3NHS) <>
   Carnegie Mellon University - Pittsburgh, PA