Ray Bellis <r...@isc.org> writes:
> This new draft describes a way for clients and servers to exchange a
> limited amount of information where the semantics of that information
> are completely unspecified, and therefore determined by bi-lateral
> agreement between the client and server operators.

Hmmm.. very interesting idea, but I'm having a hard time seeing how this will be used in the real world in a scalable and interoperable way.

Let's take an example from the draft (which is a good/interesting one, btw):

  o client-controlled selection of a DNS-based security filter

So, my client knows the upstream resolver has published two flags/bits for this:

  0x01 - don't filter out malware
  0x02 - please filter out ad servers

This is all well and good if the client knows what it's talking to. How does it know which resolvers support it? This has to be custom config in clients, I assume? So let's assume the (roaming) client has a pre-configured list of IP addresses that know how to send or interpret particular tags.

What happens when the upstream software changes? Or the upstream server is taken over by a new company that deploys entirely new semantics? How is that change communicated to all the clients? What if the new bits mean something entirely different, potentially the exact opposite? How are conflicts like this handled?

There are cases for this type of behavior already, and they do work. As an example, BGP communities distribute routing policies in a fairly similar way. But BGP connections are small in number, contracts or MOUs at the least are put in place to ensure communication can happen, etc.

The problem with a generic mechanism like this for DNS is that the number of clients per server is potentially gigantic. And there is often not a documented relationship or even a known contact mechanism to signal changes taking place. This all makes communication of agreed-upon semantics of bits not exactly impossible, but likely somewhere between difficult and extremely difficult. And misconfiguration could potentially be dangerous, depending on the meaning of the bits. Imagine if the new bit for some flipped software suddenly switched to "I trust MD5, go ahead and believe MD5 DS records".

But maybe, and hopefully, I'm just misunderstanding how this will be used safely in deployments.

-- 
Wes Hardaker
USC/ISI

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
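The semantic-drift problem raised in the post, as an added example that is not part of the post or of the draft: a client that records, per configured resolver, a semantics label its tag bits were agreed under and sends no tag bits at all (fails closed) when the resolver's advertised label no longer matches, next to a constructed resolver-side table showing how the same bit value changes meaning between two revisions. The semantics label, the resolver addresses and the "v2" meanings are assumptions for illustration; the draft defines no such field.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tag bits as published by the example resolver operator in the post.
NO_MALWARE_FILTER = 0x01   # "don't filter out malware"
FILTER_AD_SERVERS = 0x02   # "please filter out ad servers"

@dataclass(frozen=True)
class Agreement:
    """What the client was configured to believe about one resolver (constructed)."""
    resolver_ip: str
    semantics_id: str   # hypothetical label the resolver is assumed to advertise

def tags_to_send(agreements: Dict[str, Agreement], resolver_ip: str,
                 advertised_id: Optional[str], wanted: int) -> int:
    """Fail closed: send tag bits only to a resolver the client was configured for,
    and only while it still advertises the semantics the config was written against.
    Sending no bits is the safe default, since unknown bits may be misread."""
    agreement = agreements.get(resolver_ip)
    if agreement is None or advertised_id != agreement.semantics_id:
        return 0
    return wanted

# Resolver-side meaning of the bits under two revisions of one operator's semantics
# (constructed). In "v2" the operator swapped the bits, the drift the post warns about.
SEMANTICS = {
    "acme-filter-v1": {NO_MALWARE_FILTER: "no malware filtering",
                       FILTER_AD_SERVERS: "filter ad servers"},
    "acme-filter-v2": {0x01: "filter ad servers", 0x02: "no malware filtering"},
}

def resolver_interpret(semantics_id: str, bits: int) -> List[str]:
    """Return the actions a resolver running the given revision would take for `bits`."""
    return [meaning for bit, meaning in SEMANTICS[semantics_id].items() if bits & bit]

def scenario() -> dict:
    """Client configured for v1 semantics of resolver 192.0.2.53 (constructed)."""
    agreements = {"192.0.2.53": Agreement("192.0.2.53", "acme-filter-v1")}
    return {
        # resolver still on v1: bits are sent as intended
        "matching": tags_to_send(agreements, "192.0.2.53", "acme-filter-v1", FILTER_AD_SERVERS),
        # operator moved to v2: client sends nothing rather than a now-misread 0x02
        "drifted": tags_to_send(agreements, "192.0.2.53", "acme-filter-v2", FILTER_AD_SERVERS),
        # resolver not in config: no agreement, so no bits
        "unknown": tags_to_send(agreements, "198.51.100.1", "acme-filter-v1", FILTER_AD_SERVERS),
        # what a client that ignores the label would have asked for under v2
        "naive_under_v2": resolver_interpret("acme-filter-v2", FILTER_AD_SERVERS),
    }

if __name__ == "__main__":
    print(scenario())
```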