Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
On 7 Oct 2014, at 00:04, Tim Wicinski tjw.i...@gmail.com wrote:

> Dear DNSOP WG,
>
> After discussions about the landing spot of this document, DNSOP vs the newer DNS Privacy WG, it was realized the updated DNSOP charter specifically had work like this in mind.
>
> This starts a Call for Adoption for draft-bortzmeyer-dns-qname-minimisation.

Support adoption, will review/contribute (regardless of how unlikely that sounds to people who have been waiting for me to come up for air for the past several months).

Joe

___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
On 10 Dec 2014, at 11:41, Joe Abley jab...@hopcount.ca wrote:

> On 7 Oct 2014, at 00:04, Tim Wicinski tjw.i...@gmail.com wrote:
>
> > Dear DNSOP WG,
> >
> > After discussions about the landing spot of this document, DNSOP vs the newer DNS Privacy WG, it was realized the updated DNSOP charter specifically had work like this in mind.
> >
> > This starts a Call for Adoption for draft-bortzmeyer-dns-qname-minimisation.
>
> Support adoption, will review/contribute (regardless of how unlikely that sounds to people who have been waiting for me to come up for air for the past several months).

Oh, haha, that mail was from _October_. Never mind! :-)

Joe
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
On Tue, Oct 7, 2014 at 12:04 AM, Tim Wicinski tjw.i...@gmail.com wrote:

> Dear DNSOP WG,
>
> After discussions about the landing spot of this document, DNSOP vs the newer DNS Privacy WG, it was realized the updated DNSOP charter specifically had work like this in mind.
>
> This starts a Call for Adoption for draft-bortzmeyer-dns-qname-minimisation.
>
> The draft is available here: https://datatracker.ietf.org/doc/draft-bortzmeyer-dns-qname-minimisation/
>
> Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.

yes

> Please also indicate if you are willing to contribute text, review, etc.

<nohats>yes</nohats>

> This call for adoption ends Monday 20-October-2014 at 23:59
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
On Tue, Oct 07, 2014 at 12:04:22AM -0400, Tim Wicinski wrote:

> Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.

I do not support accepting the draft (or the proposal it carries) as a work item. Other than the author - and obviously others - I believe that the resolution algorithm of RFC 1034 is pretty clear about the QNAME being sent in full and that has been operational reality for 25+ years. A whole system has been successfully built around it with complex interdependencies. 'parent centric' and 'child centric' resolvers and query patterns evolved along that algorithm.

The fact that certain services may have experimented (successfully, to them) with the proposed algorithm already gives anecdotal evidence at most, but no evidence for the absence of harm.

Making the zone cut, an otherwise arbitrary boundary, a central search element, is another huge paradigm shift that I see with great interest. Please don't anyone tell me that's the case with DNSSEC already - the story there is different.

Finally, QNAME minimization is providing little gain in the traditional forward tree and already needs kludges in deeper, nested name spaces. Comparing the (little) gain with the unclear risk, I'd rather see work and energy devoted to a long term solution.

-Peter
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
Just to expand on my comments after some arguments made against.

The reason I think the WG should adopt the work item is that the original design of DNS is now defective in the light of contemporary privacy concerns. There is no reason that the operators of registries should have sight of any information they do not have a need to know.

The business relationships built up over the years on the assumption that this data will be available and for sale to the highest bidder are of neither consequence nor concern.

These practices are going to be insisted on regardless of choices made by this group. If indeed minimization has operational effects it is much better to document them and allow parties to avoid unintended consequences.

At this point however, there is no evidence of harm. Proof of very substantial showing of harm should be necessary to block consideration of a proposal at the outset. Opponents will after all have plenty of time to make objections in WG process, that being the point of WG process. It would be a terrible mistake to reject this work without a hearing because of the mere possibility that a problem could occur.

If indeed the state of the DNS is as fragile as is suggested it will soon collapse of its own accord. I rather suspect however that the fears are unfounded.

On Mon, Oct 20, 2014 at 2:32 PM, Phillip Hallam-Baker ph...@hallambaker.com wrote:

> On Tue, Oct 7, 2014 at 12:04 AM, Tim Wicinski tjw.i...@gmail.com wrote:
>
> > Dear DNSOP WG,
> >
> > After discussions about the landing spot of this document, DNSOP vs the newer DNS Privacy WG, it was realized the updated DNSOP charter specifically had work like this in mind.
> >
> > This starts a Call for Adoption for draft-bortzmeyer-dns-qname-minimisation.
> >
> > The draft is available here: https://datatracker.ietf.org/doc/draft-bortzmeyer-dns-qname-minimisation/
> >
> > Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.
>
> yes
>
> > Please also indicate if you are willing to contribute text, review, etc.
>
> <nohats>yes</nohats>
>
> > This call for adoption ends Monday 20-October-2014 at 23:59
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
TL;DR tidbit: IF the combined authority+resolver case (when switching ISP hosting companies) is not handled by the QNAME minimization draft, IMHO it should consider adding it. It is a real-world problem edge-case seen frequently.

> On Tue, Oct 07, 2014 at 12:04:22AM -0400, Tim Wicinski wrote:
>
> > Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.
>
> I do not support accepting the draft (or the proposal it carries) as a work item. Other than the author - and obviously others - I believe that the resolution algorithm of RFC 1034 is pretty clear about the QNAME being sent in full and that has been operational reality for 25+ years. A whole system has been successfully built around it with complex interdependencies. 'parent centric' and 'child centric' resolvers and query patterns evolved along that algorithm.
>
> The fact that certain services may have experimented (successfully, to them) with the proposed algorithm already gives anecdotal evidence at most, but no evidence for the absence of harm.
>
> Making the zone cut, an otherwise arbitrary boundary, a central search element, is another huge paradigm shift that I see with great interest. Please don't anyone tell me that's the case with DNSSEC already - the story there is different.
>
> Finally, QNAME minimization is providing little gain in the traditional forward tree and already needs kludges in deeper, nested name spaces. Comparing the (little) gain with the unclear risk, I'd rather see work and energy devoted to a long term solution.
>
> -Peter

There are two places where there is potential impact, by definition:

- recursive resolvers
- authority servers

The case for recursive resolvers is plain: any QUERY below an NXDOMAIN can avoid querying the parental unit of the original NXDOMAIN. The problem being solved is DOS of recursive resolvers.

The argument implicit in Peter's message is, there is little or no gain on the authority server side.

I would like to illustrate one example case which, however rarely it occurs, can be made moot by QNAME minimization.

Here is an example case in bullet form, showing delegations and a change.

- example.com is administered by one department, and delegates administration of other departments to their respective nameservers.
- The group that does the administration of example.com is a sub-department of one of the delegates.
- Now imagine that the sub-department migrates its own zone from the shared nameserver of example.com, to its own separate nameserver.
- In doing so, imagine an error is made - the zone in question is not removed from the example.com nameserver. (It is like a lame delegation only in reverse.)

Nomenclature for the example: X:Y means server X hosts zone Y.

Before: X:example.com - Y:foo.example.com - X:bar.foo.example.com

After: X:example.com - Y:foo.example.com - Z:bar.foo.example.com (but X:bar.foo.example.com still exists).

No QNAME minimization: Querying X for www.bar.foo.example.com returns the values on X, instead of the values on Z. Admins looking at servers Y and Z fail to see why this is occurring.

QNAME minimization: Querying X for www.bar.foo.example.com gives delegation to Y, etc., eventually returning values from Z. The presence of the undelegated instance on X never causes problems.

This might happen rarely in Academic institutions, but is more likely to happen when an ETLD registrant changes hosting providers/ISPs, and where the old hosting provider/ISP does not follow BCP, and combines authoritative service and resolution on the same DNS servers. Old (and now undelegated) zone data gets served.

Brian
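The stale-zone case from the message above, modelled as an added example that is not part of the thread or of the draft. It assumes an authoritative server answers from the most specific zone it hosts; the `Server` class, the function names and the 192.0.2.x addresses are constructed for illustration.

```python
# Toy model: X, Y, Z and the zone names are from the post; addresses are constructed.

def is_within(name, zone):
    return name == zone or name.endswith("." + zone)

class Server:
    def __init__(self, name):
        self.name, self.zones = name, {}   # zones: apex -> (records, delegations)

    def host(self, apex, records=None, delegations=None):
        self.zones[apex] = (records or {}, delegations or {})

    def query(self, qname):
        """Assumption: answer from the most specific hosted zone enclosing qname."""
        apexes = [a for a in self.zones if is_within(qname, a)]
        if not apexes:
            return ("refused", None)
        records, delegations = self.zones[max(apexes, key=len)]
        for child, target in delegations.items():
            if is_within(qname, child):
                return ("referral", (child, target))
        if qname in records:
            return ("answer", (records[qname], self.name))
        return ("nodata", None)

def resolve_full(server, qname):
    """Classic behaviour: the full QNAME goes to every server on the path."""
    sent = []
    while True:
        sent.append((server.name, qname))
        kind, data = server.query(qname)
        if kind != "referral":
            return kind, data, sent
        server = data[1]

def resolve_minimised(server, known_cut, qname):
    """Reveal only one label below the deepest zone cut learned so far."""
    labels, depth, sent = qname.split("."), len(known_cut.split(".")), []
    while True:
        depth = min(depth + 1, len(labels))
        probe = ".".join(labels[-depth:])
        sent.append((server.name, probe))
        kind, data = server.query(probe)
        if kind == "referral":
            depth, server = len(data[0].split(".")), data[1]
        elif probe == qname:
            return kind, data, sent

def build_after_migration(stale_copy_left_on_x=True):
    x, y, z = Server("X"), Server("Y"), Server("Z")
    z.host("bar.foo.example.com", {"www.bar.foo.example.com": "192.0.2.20"})
    y.host("foo.example.com", delegations={"bar.foo.example.com": z})
    x.host("example.com", delegations={"foo.example.com": y})
    if stale_copy_left_on_x:   # the migration error described in the post
        x.host("bar.foo.example.com", {"www.bar.foo.example.com": "192.0.2.10"})
    return x

if __name__ == "__main__":
    x, name = build_after_migration(), "www.bar.foo.example.com"
    print(resolve_full(x, name), resolve_minimised(x, "example.com", name), sep="\n")
```

The third element of each result lists which server saw which name, so the same run also shows how much of the QNAME each server learns in the two modes.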
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
On Oct 20, 2014, at 11:37 AM, Peter Koch p...@denic.de wrote:

> A whole system has been successfully built around it with complex interdependencies.

Please say more. What are those dependencies from a protocol point of view?

> 'parent centric' and 'child centric' resolvers and query patterns evolved along that algorithm.

Please say more. Are they documented anywhere? How do they affect current operations?

> The fact that certain services may have experimented (successfully, to them) with the proposed algorithm already gives anecdotal evidence at most, but no evidence for the absence of harm.

This is the DNS: everything harms something else. We try to minimize known harm.

--Paul Hoffman
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
this is a +1. see below.

> Phillip Hallam-Baker ph...@hallambaker.com
> Monday, October 20, 2014 12:04 PM
>
> Just to expand on my comments after some arguments made against.
>
> The reason I think the WG should adopt the work item is that the original design of DNS is now defective in the light of contemporary privacy concerns. There is no reason that the operators of registries should have sight of any information they do not have a need to know.
>
> The business relationships built up over the years on the assumption that this data will be available and for sale to the highest bidder are of neither consequence nor concern.
>
> These practices are going to be insisted on regardless of choices made by this group. If indeed minimization has operational effects it is much better to document them and allow parties to avoid unintended consequences.
>
> At this point however, there is no evidence of harm. Proof of very substantial showing of harm should be necessary to block consideration of a proposal at the outset. Opponents will after all have plenty of time to make objections in WG process, that being the point of WG process. It would be a terrible mistake to reject this work without a hearing because of the mere possibility that a problem could occur.
>
> If indeed the state of the DNS is as fragile as is suggested it will soon collapse of its own accord. I rather suspect however that the fears are unfounded.

+1, to all observations above.

-- Paul Vixie
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
In message cah1iciourwmohyqw3dq0y3tcopwapd7k8gab-ecx-8pj1ho...@mail.gmail.com, Brian Dickson writes:

> TL;DR tidbit: IF the combined authority+resolver case (when switching ISP hosting companies) is not handled by the QNAME minimization draft, IMHO it should consider adding it. It is a real-world problem edge-case seen frequently.
>
> > On Tue, Oct 07, 2014 at 12:04:22AM -0400, Tim Wicinski wrote:
> >
> > > Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.
> >
> > I do not support accepting the draft (or the proposal it carries) as a work item. Other than the author - and obviously others - I believe that the resolution algorithm of RFC 1034 is pretty clear about the QNAME being sent in full and that has been operational reality for 25+ years. A whole system has been successfully built around it with complex interdependencies. 'parent centric' and 'child centric' resolvers and query patterns evolved along that algorithm.
> >
> > The fact that certain services may have experimented (successfully, to them) with the proposed algorithm already gives anecdotal evidence at most, but no evidence for the absence of harm.
> >
> > Making the zone cut, an otherwise arbitrary boundary, a central search element, is another huge paradigm shift that I see with great interest. Please don't anyone tell me that's the case with DNSSEC already - the story there is different.
> >
> > Finally, QNAME minimization is providing little gain in the traditional forward tree and already needs kludges in deeper, nested name spaces. Comparing the (little) gain with the unclear risk, I'd rather see work and energy devoted to a long term solution.
> >
> > -Peter
>
> There are two places where there is potential impact, by definition:
>
> - recursive resolvers
> - authority servers
>
> The case for recursive resolvers is plain: any QUERY below an NXDOMAIN can avoid querying the parental unit of the original NXDOMAIN. The problem being solved is DOS of recursive resolvers.
>
> The argument implicit in Peter's message is, there is little or no gain on the authority server side.
>
> I would like to illustrate one example case which, however rarely it occurs, can be made moot by QNAME minimization.
>
> Here is an example case in bullet form, showing delegations and a change.
>
> - example.com is administered by one department, and delegates administration of other departments to their respective nameservers.
> - The group that does the administration of example.com is a sub-department of one of the delegates.
> - Now imagine that the sub-department migrates its own zone from the shared nameserver of example.com, to its own separate nameserver.
> - In doing so, imagine an error is made - the zone in question is not removed from the example.com nameserver. (It is like a lame delegation only in reverse.)

This already causes operational problems. If QM makes the problems *more* visible then that is a good thing. Failing all the time is better than failing some of the time.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
+1 for adoption (and at the occasion contribute, review, implement, etc).

francis.dup...@fdupont.fr
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
On Friday, October 10, 2014, Francis Dupont francis.dup...@fdupont.fr wrote:

> +1 for adoption (and at the occasion contribute, review, implement, etc).
>
> francis.dup...@fdupont.fr

<aol>Me too!</aol>

--
I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
I support the draft. I will review/contribute.

BR,
Daniel

On Tue, Oct 7, 2014 at 7:08 AM, Olafur Gudmundsson o...@ogud.com wrote:

> On Oct 7, 2014, at 12:04 AM, Tim Wicinski tjw.i...@gmail.com wrote:
>
> > Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.
>
> Done, will hold off sending edits to editor until after document adoption period.
>
> > Please also indicate if you are willing to contribute text, review, etc.
>
> Will do all above
>
> > This call for adoption ends Monday 20-October-2014 at 23:59
>
> Strong support for adoption.
>
> Olafur

--
Daniel Migault
Orange Labs -- Security
+33 6 70 72 69 58
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
no hat

On Oct 6, 2014, at 9:04 PM, Tim Wicinski tjw.i...@gmail.com wrote:

> Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.

Yes, it is ready for adoption by DNSOP.

> Please also indicate if you are willing to contribute text, review, etc.

I will.

--Paul Hoffman
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
On Tue, 7 Oct 2014, Tim Wicinski wrote:

> This starts a Call for Adoption for draft-bortzmeyer-dns-qname-minimisation.
>
> The draft is available here: https://datatracker.ietf.org/doc/draft-bortzmeyer-dns-qname-minimisation/
>
> Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.

Yes, please adopt.

> Please also indicate if you are willing to contribute text, review, etc.

Willing to review.

Paul
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
On Oct 7, 2014, at 12:04 AM, Tim Wicinski tjw.i...@gmail.com wrote:

> Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.

I support adoption of this draft.

> Please also indicate if you are willing to contribute text, review, etc.

Yes, I will.

Regards,
Dan

--
Dan York
Senior Content Strategist, Internet Society
y...@isoc.org +1-802-735-1624
Jabber: y...@jabber.isoc.org
Skype: danyork http://twitter.com/danyork
http://www.internetsociety.org/deploy360/
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
> Tim Wicinski tjw.i...@gmail.com
> Monday, October 06, 2014 9:04 PM
>
> ...
>
> This starts a Call for Adoption for draft-bortzmeyer-dns-qname-minimisation.
>
> The draft is available here: https://datatracker.ietf.org/doc/draft-bortzmeyer-dns-qname-minimisation/
>
> Please review this draft to see if you think it is suitable for adoption by DNSOP, and comments to the list, clearly stating your view.
>
> Please also indicate if you are willing to contribute text, review, etc.

i favour adoption. i will review, and contribute.

-- Paul Vixie
Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dns-qname-minimisation
On Oct 6, 2014, at 9:40 PM, Paul Vixie p...@redbarn.org wrote:

> > This starts a Call for Adoption for draft-bortzmeyer-dns-qname-minimisation.
>
> i favour adoption. i will review, and contribute.

+1

Regards,
-drc