Implementation questions (digressing from...) / A DNAME issue
John C Klensin
klensin at jck.com
Fri Jan 2 15:46:10 CET 2009
--On Thursday, January 01, 2009 11:12 PM -0500 Andrew Sullivan
<ajs at shinkuro.com> wrote:
> On Thu, Jan 01, 2009 at 08:33:18PM -0500, John C Klensin wrote:
>
>> And, if you think that is clear to a non-specialist, I look
>> forward to IETF Last Call :-(
>
> It's currently a WG I-D, and it hasn't passed from WGLC for
> other reasons. Nevertheless, questions about the draft that
> show up how it is not clear to someone with a passing
> knowledge of DNS would be welcome on the
> namedroppers at ops.ietf.org mailing list.
I will try to read the draft and make suggestions. It may be
that the terminology is defined well enough elsewhere to make
the paragraph clear (it would be a first). Getting me to
subscribe to, and actively follow, the namedroppers list would
be a much harder sell -- been there, done that.
>> If I correctly understand Vaggelis's concern, the problem
>> isn't (only) the A RRs, but the MX RRs and anything else
>> that happens to be lying around the zone apex/ tree location
>> of the DNAME RR itself(SRV, AAAA, NAPTR, etc.).
>
> Sure. But in delegation-centric zones (which is after all
> surely what the DNAME answer is supposed to be addressing)
> most of those record types should be on the other side of the
> zone cut. I hate to say, "Don't do that," but if we're going
> to make the zone operators responsible for significant parts
> of the way things work, then we have to rely on them to tell
> delegated zone operators bad news sometimes.
Let me play devil's advocate for a moment and see if I can state
the counterargument.
IDNs introduce a new issue into the DNS, an issue of perceived
ambiguity of labels. One can look at that issue as visual
confusion (in "sign on the side of the bus" form) or as
confusion caused by operational decisions made elsewhere (e.g.,
mapping all digits to European ones and then viewing digit input
and display as localization matters) but the problem exists
independent of misbehavior (phishing or otherwise) issues and is
not one that can be solved in the general case by anything that
clients can do or by anything registries can to that doesn't
involve aliasing.
This issue exists both within-script (because of encoding
variations with Unicode, including but certainly not limited to
the Greek cases) and between-script (e.g., because of one
language written in multiple scripts or a desire to associate a
"new" IDN with an older Latin-based label).
In reality, we might have had these issues all along, but the
principle that "color" and "colour" weren't going to match was
established long before DNS names became popular among end users
and those trying to sell things to them. With IDNs, we've had
various ICANN-related and other "governance" groups helping us
out by establishing the firm belief that aliasing is possible
and obvious and that it can, should, and does work in the
obvious-to-them way. Whether we need such help or not, we have
it (see below).
All of the important cases turn out to be intra-zone references.
Anything else violates the administrative hierarchy principle by
requiring that separate pieces of the hierarchy be managed in a
coordinated way. The thing we know for sure is that "separate
hierarchy, coordinated management" isn't going to work well for
anything with any complexity, e.g., pairs of zones containing
delegations and sub-delegations. If nothing else, the caching
model and its use of TTLs based on time of record acquisition
virtually guarantees that the trees will become unsynchronized,
to say nothing of the fact that keeping things synchronized when
there are lots of entries (e.g., a traditional zone file,
whether those entries are delegation records, point to
traditional hosts offering services, or otherwise) is an
administrative nightmare.
Most top-level IDN ideas are problematic for exactly that
reason: people conceive of them, not as completely independent
entities with non-ASCII names, but as surrogates for existing
domains. That is especially common in the country-code case,
where the current model essentially requires that surrogate
relationship, regardless of how they are actually managed. But
any real surrogacy relationship requires either aliasing or
somewhat parallel management of separate trees (whether on a
zone-by-zone or delegation-by-delegation within a zone basis).
"Don't do that" (or its traditional variation "just say no" may
very well be the right answer, but, with ICANN's help, that is
not a choice we are going to be able to make or impose at this
point --operational reality has gotten away from us and the only
choices are whether we want an alias type that does the right
thing or or want to encourage an environment in which people get
regularly surprised by the side-effects of people trying to
manage synchronized zones and subtrees. In my devil's advocate
role, I believe the latter is irresponsible. If DNSEXT says
"don't do that and, if you do, it is not our problem", that
ultimately becomes a sign of IETF being out of touch with
operational reality.
It is possible to suggest that, with a different structure than
ICANN's, or even if ICANN had followed its own original
recommendation, we would not be facing this situation, but it is
now part of our reality.
>> nodes only do not apply. If that case is going to be common
>> enough, it is time to invent a third alias type that, for
>> that limited circumstance, does what people keep wanting and
>> expecting DNAME to do.
>
> If people need something that really does alias a whole zone,
> then we need an RRTYPE, yes. But keep in mind that there are
> serious problems with relying on a new RRTYPE for this use
> case, most of which boil down to "we need to replace all the
> resolvers in the part of the Internet we want to reach." If
> we're going to do that, I suggest that IDNA is maybe the wrong
> approach; we maybe need DNS2. That seems like a tall order.
Again playing devil's advocate, I suggest that "I/we don't like
this, therefore it maybe requires DNS2" is spurious. One could
reasonably wish for an aliasing model that would use a single
RRTYPE, not two or three (or for no aliasing requirement at
all), but the type of mechanism I suggest is not inconsistent
with the existing model. Since I had it explained to me eight
or nine years ago, I've perfectly well understood why a
cross-zone, general purpose, alias mechanism needs to work only
on subtrees... and why that was ok for its intended purpose of
aiding transition. But this is a different sort of requirement,
one for permanent aliases within a given zone. And,
incidentally, unless I don't understand your terminology,
whether a zone is "delegation-centric" either has nothing to do
with it or the zones of interest have exactly that property,
with a cluster of names consisting precisely of delegation
records at one node and and one or more alias nodes pointing at
it.
As far as the deployment difficulties are concerned, certainly I
recognize them. But the people who want IDNs, especially at
levels of the tree at which name management is not under the
direct administrative control of the entity "owning" the zone,
are highly motivated to get them to actually work. "If you want
to support surrogate names, then you are going to have to be
sure that the relevant infrastructure is upgraded" is a much
more reasonable story --and one that is more likely to be
heeded-- than "don't do that" or "forget about those
surrogates". After all, we already know the alternative; you
and Vaggelis have explained what is necessary and the
difficulties of maintaining it.
john
More information about the Idna-update
mailing list