Review of: Architectural Considerations on Application Features in
the DNS
I-D: draft-iab-dns-applications-07
Reviewed by: D. Crocker
Review date: 15 March 2013
Summary:
This review follows the one I provided for the -01 draft, on 20
April 2011 and recorded in:
http://trac.tools.ietf.org/group/iab/trac/ticket/35
I recently received a note closing the ticket, with an extended
commentary (contained in the above ticket citation). It asserted that
the concerns of the previous review have been resolved.
The current review was a fresh re-reading of the document.
The current Abstract declares the purpose of the document to be:
This document explores the architectural
consequences of using the DNS to implement certain application
features, and provides guidance to future application designers as to
the limitations of the DNS as a substrate and the situations in which
alternative designs should be considered.
Alas, the -07 version of the document remains fundamentally flawed
in purpose, basic technical details, and writing style. After two years
and 6 rounds of revision, a document that remains so deeply problematic
needs very different handling than it has been getting.
For the Detailed Comments section of a review, I normally delete any
extended passages that have no comments. Given the extent of problems
with this document, I'm leaving in all the text, to ensure proper
context for the comments.
I terminated the review on page 11. It simply is not productive to
provide more detailed review, as I believe the included comments will
make abundantly clear.
My best guess is that the only way to bring this document to a level
of reasonable competence is to start over, with much, much greater care,
starting with much greater clarity about the document's purpose and how
to achieve it.
Detailed Comments:
Abstract
A number of Internet applications rely on the Domain Name System
(DNS) to support their operations. Many applications use the DNS to
locate services for a domain; some for example transform identifiers
other than domain names into formats that the DNS can process, and
then fetch application data or service location data from the DNS.
The text after the semi-colon is completely independent of the DNS. It's
an app function that occurs before the DNS is involved. Given that the
title of the document says "/in/ the DNS" the text actually distracting
to refer to it here.
The phrasing before the semi-colon seems to be trying to say something
distinctive, by virtue of asserting a scope as being "to locate
services" but nothing that follows is really about 'locating'. That
word is a term of art in the IETF and does not refer to a service
provided by the DNS.
In addition, phrasing such as "into formats that the DNS can process" is
clunky, at best, and more likely confusing. If it is meant to mean
"into a domain name" then just say that. If it is meant to mean
something else, I can't even guess what it is. A DNS query is a domain
name. That's a pretty simple, clean and invariable point.
It seems that the text is merely trying to say:
Many applications use the DNS in a context that goes beyond simply
mapping a domain name to an IP Address if a server that supports the
application. Some applications include DNS access to obtain other,
parametric information or as part of a more elaborate location mechanism.
Proposals incorporating sophisticated application behavior using DNS
as a substrate have raised questions about the role of the DNS as an
The proposals have not raised questions; the questions are not /in/ the
proposals. It's possible that you mean that the proposal prompted
others to raise questions. (Yes, I'm hassling you about awkward
sentence construction. The document needs to be very careful about its
assignments of responsibility.)
More generally, this language continues the underlying tone of suspicion
and fear that I noted about the earlier draft.
The document will benefit from simply deleting this sentence. It adds
nothing useful.
application platform. This document explores the architectural
consequences of using the DNS to implement certain application
Actually, it doesn't. It says almost nothing about architectural
consequences. It attempts quite a bit of pedagogy about existing DNS
features, but that's quite a different task.
For the most part, the features discussed in this document are not
'implemented' in the DNS. They are implemented /above/ the DNS. The
document still needs to be significantly more careful with this
distinction. The text explaining the closed tracking ticket item for my
review declared that this distinction was now made in the document; I
still don't see it.
features, and provides guidance to future application designers as to
the limitations of the DNS as a substrate and the situations in which
alternative designs should be considered.
Table of Contents
1. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Overview of DNS Application Usages . . . . . . . . . . . . . . 6
2.1. Locating Services in a Domain . . . . . . . . . . . . . . 6
2.2. NAPTR and DDDS . . . . . . . . . . . . . . . . . . . . . . 8
2.3. Arbitrary Data in the DNS . . . . . . . . . . . . . . . . 9
3. Challenges for the DNS . . . . . . . . . . . . . . . . . . . . 12
3.1. Compound Queries . . . . . . . . . . . . . . . . . . . . . 12
3.1.1. Responses Tailored to the Originator . . . . . . . . . 14
3.2. Using DNS as a Generic Database . . . . . . . . . . . . . 16
3.2.1. Large Data in the DNS . . . . . . . . . . . . . . . . 16
3.3. Administrative Structures Misaligned with the DNS . . . . 18
3.3.1. Metadata about Tree Structure . . . . . . . . . . . . 19
3.4. Domain Redirection . . . . . . . . . . . . . . . . . . . . 21
4. Private DNS and Split Horizon . . . . . . . . . . . . . . . . 24
5. Principles and Guidance . . . . . . . . . . . . . . . . . . . 27
6. Security Considerations . . . . . . . . . . . . . . . . . . . 29
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30
8. IAB Members at Time of Approval . . . . . . . . . . . . . . . 31
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 32
10. Informative References . . . . . . . . . . . . . . . . . . . . 33
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 37
Peterson, et al. Expires August 30, 2013 [Page 3]
�
Internet-Draft Application Features in DNS February 2013
1. Motivation
The Domain Name System (DNS) has long provided a general means of
translating domain names into Internet Protocol addresses, which
makes the Internet easier to use by providing a valuable layer of
indirection between names and lower-layer protocol elements.
This is oddly phrased. For one thing, it seems to imply that there were
domain names before there was the DNS, which of course is incorrect. I
think you mean to be saying:
The DNS provides a basic mechanism for mapping domain names to
Internet Addresses, which makes the Internet easier to use. The names
are considerably more human-friendly than IP Addresses.
[RFC0974] documented a further use of the DNS: to manage application
'manage'? not really. Few, if any, "uses of the DNS" manage applications.
This sentence appears to be saying that this added email to the use; and
of course, it didn't.
services operating in a domain with the Mail Exchange (MX) resource
record, which helped email addressed to the domain to find a mail
service for the domain sanctioned by the zone administrator.
Again, not quite correct.
So perhaps:
[RFC0974] added special semantics when mapping from a domain name
to an IP Address, by indicating a specific service supported at the
host, namely email, through the use of a purpose-built RR, the Mail
Exchange (MX) resource record.
The seminal MX record served as a prototype for other DNS resource
records that supported applications associated with a domain name.
MX is a direct prototype for SRV. I do not understand how it qualifies
as a prototype for the other RRs that followed, since they have no
semantic or structural similarity.
The SRV resource record [RFC2052] provided a more general mechanism
provided -> provides
It's still in use.
for locating services in a domain, complete with a weighting system
Generally, "locating" is probably not a very good vocabulary choice,
since it tends to be taken to mean 'searching', which of course the DNS
doesn't do. Again, "mapping to" is the more careful and typical
language for describing the DNS' basic function.
For reference, the tutorial nature of this document and the audiences
that are likely to need to read this really do warrant considerably more
care in the document's language.
and selection among transports. The Naming Authority Pointer (NAPTR,
originally [RFC2168]) resource record, especially as it evolved into
the more general Dynamic Delegation Discovery System (DDDS,
[RFC3401]) framework, added a generic mechanism for storing
application data in the DNS. Primarily, this involved a client-side
algorithm for transforming a string into a domain name, which might
then be resolved by the DNS to find NAPTR records. This enabled the
resolution of identifiers that do not have traditional host
components through the DNS; the best-known examples of this are
telephone numbers, as resolved by the DDDS application ENUM. Recent
work such as Domain Keys Identified Mail (DKIM, [RFC6376]) has
enabled security features of applications to be advertised through
the DNS, via the TXT resource record.
The scope of application usage of the DNS has thus increased over
time. Applications in many environments require features such as
confidentiality, and as the contexts in which applications rely on
the DNS have increased, some application protocols have looked to
oh? This needs a citation and an explanation for the type of
confidentiality that was proposed, relative to the DNS, making clear how
it would have modified the DNS.
extend the DNS to include these sorts of capabilities. However, some
proposed usages of, and extensions to, the DNS have become misaligned
'become'? The proposals underwent a change?
Worse is that this goes back to the tone of fear and criticism. Given
the nature of this document, it should provide careful documentation of
inappropriate proposals and explanations that justify claiming they
were/are inappropriate.
What is especially important is to distinguish between stray crazy ideas
from random people, versus serious efforts that were problematic. The
former are mere noise and should be ignored; they do not justify the
tone of suspicion in this document. The latter are (potentially) the
real danger, if any can be documented.
with both the DNS architecture and the DNS protocol. Taking the
example of confidentiality: In the global public DNS, the resolution
of domain names to IP addresses is public information with no
expectation of confidentiality, and thus the underlying query/
response protocol has no encryption mechanism - typically, any
security required by an application or service is invoked after the
DNS query, when the resolved service has been contacted. Only in
private DNS environments (including split horizon DNS) where the
identity of the querier is assured through some external policy can
the DNS maintain confidential records, by providing distinct answers
to the private and public users of the DNS. In support of load
balancing or other optimizations, a DNS server may return different
addresses in response to queries from different sources, or even no
Peterson, et al. Expires August 30, 2013 [Page 4]
�
Internet-Draft Application Features in DNS February 2013
response at all, which is discussed further in Section 3.1.1.
The above paragraph offers confidentiality as an example, presumably as
an inappropriate goal for the DNS, but then the text merely says that's
not what's typically done. There's no real substance in the text for
this purported example.
For example, would it be inappropriate to have the resolver/server DNS
exchange be encrypted against wiretapping (for some types of traffic
analysis)? If yes, why? Is it inappropriate to consider /any/ security
mechanisms for client/server DNS exchanges? What about server/server? Why?
For load balancing, there really is literally no substance provided
here. No sense of how it qualifies as problematic, or whatever the
point that is intended; and I can't tell what that point is.
This document provides guidance to application designers, and
application protocol designers, looking to use the DNS to support
features in their applications. It provides an overview of past
application usage of the DNS, as well as reviewing proposed new
usages. It identifies concerns and trade-offs and provides guidance
on the question, "Should I store this information in the DNS, or use
some other means?" when that question arises during protocol
development. These guidelines remind application protocol designers
of the strengths and weaknesses of the DNS in order to make it easier
for designers to decide what features the DNS should provide for
their application.
The guidance in this document complements the guidance on extending
the DNS given in [RFC5507]. Whereas [RFC5507] considers the
preferred ways to add new information to the underlying syntax of the
DNS (such as defining new resource records or adding prefixes or
suffixes to labels), the current document considers broader
implications of applications that rely on the DNS for the
implementation of certain features, be it through extending the DNS
or simply reusing existing protocol capabilities - implications that
may concern the invocation of the resolver by applications, the
behavior of name servers, resolvers or caches, extensions to the
underlying DNS protocol, the operational responsibilities of zone
administrators, security, or the overall architecture of names. When
The purpose of the above sentence looks good. The sentence itself
doesn't. Too long and convoluted. Break a sequence of shorter, simpler
sentences.
existing DNS protocol fields are used in ways that their designers
did not intend to handle new applications, those applications may
demand further changes and extensions that are fundamentally at odds
with the strengths of the DNS.
Remove the silliness about intent. Nevermind that you probably are
wrong, it doesn't matter. Again, the tone of the above sentence is
focused on the fear rather than on any concrete technical or operational
substance.
The technical reality is that the DNS design permits a range of
extensibilities, albeit within constraints. The other reality is that
the modern DNS is used in a variety of application contexts. A document
like this needs to use these technical and operational realities as its
starting point.
With respect to cautions, what matters is distortions of the DNS that
actually break functionality, performance or administration. For
example, things like overloading a field have classic risks, since they
create ambiguity.
Peterson, et al. Expires August 30, 2013 [Page 5]
�
Internet-Draft Application Features in DNS February 2013
2. Overview of DNS Application Usages
[RFC0882] identifies the original and fundamental connection between
identifies the original and fundamental -> specifies the
{ it's inventing something, not uncovering it }
the DNS and applications. It begins by describing how the
interdomain scope of applications creates "formidable problems when
Hmmm. RFC882 doesn't use the term "interdomain". It also doesn't use
the word "scope".
Given the actual language in the RFC that precedes the portion quoted
here, I suggest:
It establishes its basis by noting the scale and diversity of
resources on the network, which creates "...
we wish to create consistent methods for referencing particular
resources that are similar but scattered throughout the environment."
This motivated transitioning the "mapping between host names... and
ARPA Internet addresses" from a global table (the original "hosts"
file) to a "distributed database that performs the same function."
[RFC0882] also envisioned some ways to find the resources associated
with mailboxes in a domain: without these extensions, a user trying
to send mail to a foreign domain lacked a discovery mechanism to
locate the right host in the remote domain to which to connect.
While a special-purpose service discovery mechanism could be built
for each such application protocol that needed this functionality,
the universal support for the DNS encourages installing these
features into its public tree rather than inventing something new.
Thus, over time, several other applications leveraged DNS resource
records for locating services in a domain or for storing application
data associated with a domain in the DNS. This section gives
examples of various types of DNS usage by applications to date.
2.1. Locating Services in a Domain
The MX resource record provides the simplest example of an
application advertising its domain-level resources in the Domain Name
System. The MX resource record contains the domain name of a server
that receives mail on behalf of the administrative domain in
question; that domain name must itself be resolved to one or more IP
addresses through the DNS in order to reach the mail server. While
naming conventions for applications might serve a similar purpose (a
host might be named "mail.example.com" for example), approaching
service location through the creation of a new resource record yields
important benefits. For example, one can put multiple MX records
under the same name, in order to designate backup resources or to
load balance across several such servers (see [RFC1794]); these
properties could not easily be captured by naming conventions (see
[RFC4367], though more recently, DNS-SD
([I-D.cheshire-dnsext-dns-sd]) codifies service instance naming
conventions for use across applications to locate services in a
domain).
While the MX record represents a substantial improvement over naming
conventions as a means of service location, it remains specific to a
it remains -> it is
There have been no forces attempting to change it.
single application. Thus, the general approach of the MX record was
adapted to fit a broader class of applications through the Service
Peterson, et al. Expires August 30, 2013 [Page 6]
�
Internet-Draft Application Features in DNS February 2013
(SRV) resource record (originally [RFC2052]). The SRV record allows
DNS resolvers to query for particular services and underlying
transports (for example, HTTP running over TLS, see [RFC2818]) and to
learn a host name and port where that service resides in a given
domain. It also provides a weighting mechanism to allow load
balancing across several instances of a service.
The reliance of applications on the existence of MX and SRV records
has important implications for the way that applications manage
identifiers, and the way that applications pass domain names to
This is an interesting observation. I was under the impression that
applications pass domain names to resolvers in a consistent manner that
does not depend on the type or nature of RR being sought. Please
document this odd bit of contingent API behavior.
resolvers. Email identifiers of the form "user@domain" rely on MX
'A' records are still legal and still used for routing to email servers.
MX might dominate but is not required. The language here implies that
only MX is used.
In addition, email addresses don't 'rely' on anything other than
uniqueness and validity of their two fields. And they can be resolved
to addresses without the DNS, such as internal configuration tables. My
point is that this paragraph is entirely muddled in terms of premise and
technical details.
records to provide the convenience of simply specifying a "domain"
component rather than requiring an application to guess which
particular host handles mail on behalf of the domain. While for
The idea that a host would do guessing about IP Addresses, or that they
ever have, is silly and it's counterproductive to offer such statements.
applications like web browsing, naming conventions continue to abound
For what other applications do naming conventions 'abound'? I'm not
asking whether "some" configurations use such naming conventions, but
where they "abound".
("www.example.com"), SRV records allow applications to query for an
to query for an -> query for support of an
application-specific protocol and transport in the domain. For LDAP,
the SRV service name corresponds to the URL scheme of the identifier
invoked by the application (e.g., when "ldap://example.com"; is the
identifier, the SRV query passed to the resolver is for
"_ldap._tcp.example.com"); for other applications, the SRV service
name that the application passes to the resolver may be implicit in
huh? What does this mean and how does it work?
the identifier rather than explicit. In either case, the application
delivers the service name to the DNS to find the location of the host
1. The resolver delivers the name to the DNS
2. In terms of DNS semantics, it is not delivering a service name to the
DNS. Rather, an overlay convention encodes service name in the DNS
name, transparently to the DNS.
This is not a small point of quibbling; it's fundamental to the nature
of these kinds of enhancements. The current language could easily lead
a reader to believe that DNS query semantics are tailored to service name.
Everything being discussed here is specific to the internals of the SRV
record and the conventions of its use, not any other aspect of the DNS.
The text should make sure that the reader understands this difference
and should attribute the semantics being discussed to the details of the
SRV RR specification.
of that service for the domain, the port where the service resides on
that host, additional locations or ports for load balancing and fault
tolerance, and related application features.
Locating specific services for a domain was the first major function
for which applications started using the DNS beyond simple name
resolution. SRV broadened and generalized the precedent of MX to
make service location available to any application, rather than just
to mail. As applications that acquire MX (or SRV) records might need
to perform further queries or transformations in order to arrive at
an eventual domain name that will resolve to the IP addresses for the
service, [RFC1034] allowed that the Additional Data section of DNS
allowed -> allows.
It still allows it!
This text implies that the additional data feature is restricted to MX
and SRV. It isn't.
responses may contain the corresponding address records for the names
responses may contain the corresponding
->
response. These can contain information, such as the corresponding
of services designated by the MX record; this optimization, which
record; this optimization, which
->
record. This efficiency mechanism, which requires
requires support in the authoritative server and the resolver, is an
initial example of how support for application features requires
changes to DNS operation. At the same time this is an example of an
extension of the DNS that cannot be universally relied on: Many DNS
resolver implementations will ignore the addresses in the additional
section of the DNS answers because of the trustworthiness issues
described in [RFC2181].
However the cost of non-support is merely additional queries.
Peterson, et al. Expires August 30, 2013 [Page 7]
�
Internet-Draft Application Features in DNS February 2013
2.2. NAPTR and DDDS
The NAPTR resource record evolved to fulfill a need in the transition
from Uniform Resource Locators (URLs) to the more mature URI
[RFC3986] framework, which incorporated Uniform Resource Names
I thought the RR was core to URN support in the DNS, and is not
dependent on a transition process. That is, "a need in transition"
seems to focus on a frankly irrelevant point.
(URNs). Unlike URLs, URNs typically do not convey enough semantics
internally to resolve them through the DNS, and consequently a
separate URI-transformation mechanism is required to convert these
types of URIs into domain names. This allows identifiers with no
recognizable domain component to be treated as domain names for the
purpose of name resolution. Once these transformations result in a
domain name, applications can retrieve NAPTR records under that name
in the DNS. NAPTR records contain a far more rich and complex
structure than MX or SRV resource records. A NAPTR record contains
two different weighting mechanisms ("order" and "preference"), a
"service" field to designate the application that the NAPTR record
describes, and then two fields that can contain translations: a
"replacement" or "regular expression" field, only one of which
appears in given NAPTR record. A "replacement," like NAPTR's
ancestor the PTR record, simply designates another domain name where
one would look for records associated with this service in the
domain. The "regexp," on the other hand, allows regular expression
transformations on the original URI intended to turn it into an
identifier that the DNS can resolve.
This is missing an "architectural" technical summary, such as:
So, URI support represents an integrated design consisting partly
of an overlay to the DNS and partly a new RR, but no change to basic DNS
mechanisms. The overlay performs mapping between a URI name and a
domain name, and the retrieved RR then provides a rich encoding
environment for specifying the "meaning" of the URI.
{ I might have the "meaning" phrasing wrong. }
As the Abstract of [RFC2915] says, "This allows the DNS to be used to
lookup services for a wide variety of resource names (including URIs)
which are not in domain name syntax." Any sort of hierarchical
identifier can potentially be encoded as a domain name, and thus
historically the DNS has often been used to resolve identifiers that
were never devised as a name for an Internet host. A prominent early
example is found in the in-addr domain [RFC0882], in which IPv4
addresses are encoded as domain names by applying a string
preparation algorithm that required reversing the octets and treating
each individual octet as a label in a domain name - thus, for
example, the address 192.0.2.1 became 1.2.0.192.in-addr.arpa. This
allowed resolvers to query the DNS to learn name(s) associated with
an IPv4 address. The same mechanism has been applied to IPv6
addresses [RFC3596] and other sorts of identifiers that lack a domain
component. Eventually, this idea connected with activities to create
a system for resolving telephone numbers on the Internet, which
became known as ENUM (originally [RFC2916]). ENUM borrowed from an
earlier proposal, the "tpc.int" domain [RFC1530], which provided a
means for encoding telephone numbers as domain names by applying a
string preparation algorithm that required reversing the digits and
treating each individual digit as a label in a domain name - thus,
for example, the number +15714345400 became
0.0.4.5.4.3.4.1.7.5.1.tpc.int. In the ENUM system, in place of
Peterson, et al. Expires August 30, 2013 [Page 8]
�
Internet-Draft Application Features in DNS February 2013
"tpc.int" the special domain "e164.arpa" was reserved for use.
In the more mature form of the NAPTR standard, in the Dynamic
In what way is it "more mature"? What does that mean? It's more
complex. It might even be more powerful. But more "mature"???
Delegation and Discovery Service (DDDS) ([RFC3401] passim) framework,
the initial transformation of an identifier (such as a telephone
number) to a domain name was called the "First Well Known Rule." The
capability to define a "First Well Known Rule" for each application
of NAPTR generalizes the address-reversing mechanism used in-
addr.arpa. Its flexibility has inspired a number of proposals beyond
ENUM to encode and resolve unorthodox identifiers in the DNS.
"unorthodox"? I think you just mean "other" identifiers into domain names.
in the DNS -> into domain names
Provided that the identifiers transformed by the "First Well Known
Rule" have some meaningful structure and are not overly lengthy,
virtually anything can serve as an input for the DDDS structure: for
This flexibility in naming is not specific to DDDS usage. That's the
important lesson of the TPC/ENum approach. The language here is
unnecessarily tied to DDDS.
example, civic addresses. Though [RFC3402] stipulates of the
identifier that "the lexical structure of this string must imply a
unique delegation path," there is no requirement that the identifier
be hierarchical, nor that the points of delegation in the domain name
created by the "First Well Known Rule" correspond to any points of
administrative delegation inherent in the structure of the
identifier.
So? It sounds like an important point. Explain it and/or its implications.
While this ability to look up names "which are not in the domain name
syntax" does not change the underlying DNS protocol - the names
generated by the DDDS algorithm are still just domain names - it does
change the context in which applications pass name to resolvers, and
can potentially require very different operational practices of zone
administrators (see Section 3.3). In terms of the results of a DNS
???? If that section contains statements specific to the point being
made here, refer to them explicitly. If it doesn't, then explain the
concern here.
In it current general form, this raises yet another vague fear without
making it concrete enough to be actionable.
query, the presence of the "regexp" field of NAPTR records enabled
It still enables.
unprecedented flexibility in the types of identifiers that
Drop 'unprecedented'. Again, it's unnecessarily dramatic.
But generally this sentence seems to be redundant with earlier statements.
applications could resolve with the DNS. Since the output of the
regular expression frequently took the form of a URI (in ENUM
Took? Past tense? It doesn't work anymore?
resolution, for example, a telephone number might be converted into a
SIP URI [RFC3261]), anything that could be encoded as a URI might be
the result of resolving a NAPTR record - which, as the next section
explores, essentially means arbitrary data.
Very awkward sentence form.
2.3. Arbitrary Data in the DNS
URI encoding has ways of encapsulating basically arbitrary data: the
most extreme example is data URL [RFC2397]. Thus, resolving a NAPTR
Domain names are resolved. The returned RR is not. Therefore:
Thus, resolving a NAPTR
record might result in an output other than an identifier that would
->
Thus, the returned NAPTR record might be interpreted to produce
output other than a domain name that ...
record might result in an output other than an identifier that would
subsequently be resolved to IP addresses and contacted for a
particular application - it could give a literal result which would
This two-sentence sequence appears to be a non-sequitor, since the
syntactic issue of 'encapsulation', in the first sentence, is quite a
different issue from data semantics, stated in the second.
be consumed by the application. Originally, in [RFC2168], the
intended applicability of the regular expression field in NAPTR was
narrower: the regexp field contained a "substitution expression that
is applied to the original URI in order to construct the next domain
name to lookup," in order to "change the host that is contacted to
Peterson, et al. Expires August 30, 2013 [Page 9]
�
Internet-Draft Application Features in DNS February 2013
resolve a URI" or as a way of "changing the path or host once the URL
has been assigned." The regular expression tools available to NAPTR
record authors, however, grant much broader powers to alter the input
I doubt that author tools grant the power. I suspect that the NAPTR
specification document grants the power... The tools might exploit that
power, but that's a very different matter.
string, and thus applications began to rely on NAPTR to perform more
radical transformations that did not serve any of those
aforementioned needs. By [RFC3402], the output of DDDS is wholly
DDDS is an overlay capability. NAPTR is a DNS RR. The text here moves
between the layers without distinguishing where actual changes have
taken place. My guess is that the intended meaning is that the DDDS
overlay service was specified to exploit the underlying power of NAPTR,
with application-specific conventions.
application-specific: "the Application must determine what the
expected output of the Terminal Rule should be," and the example
given in the document is one of identifying automobile parts by
inputting a part number and receiving at the end of the process
information about the manufacturer.
Historically speaking, NAPTR did not pioneer the storage of arbitrary
data in the DNS. At the start, [RFC0882] observed that "it is
unlikely that all users of domain names will be able to agree on the
set of resources or resource information that names will be used to
retrieve," and consequently places little restriction on the
information that DNS records might carry: it might be "host
addresses, mailbox data, and other as yet undetermined information."
FWIW, note that this makes clear that the author of the DNS did not
'intend' only name-to-address mapping, as was earlier clamed, and that
he did envision a broader range of uses...
[RFC1035] defined the TXT record, a means to store arbitrary strings
in the DNS; [RFC1034] specifically stipulates that a TXT contains
"descriptive text" and that "the semantics of the text depends on the
domain where it is found." The existence of TXT records has long
provided new applications with a rapid way of storing data associated
with a domain name in the DNS, as adding data in this fashion
requires no registration process. [RFC1464] experimented with a
means of incorporating name/value pairs to the TXT record structure,
which allowed applications to differentiate different chunks of data
stored in a TXT record - surely not just "descriptive text" as the
TXT originally specified. In this fashion, an application that wants
to store additional data in the DNS can do so without registering a
new resource record type - though [RFC5507] points out that it is
"difficult to reliably distinguish one application's record from
others, and for its parser to avoid problems when it encounters other
TXT records."
While open policies surrounding the use of the TXT record have
resulted in a checkered past for standardizing application usage of
TXT, TXT has been used as a technical solution for many applications,
It's not the vague drama of a "checkered past" but the inherent,
technical ambiguity created by overloading the record with multiple,
uncoordinated uses that can't be readily distinguished.
most recently for DKIM [RFC6376] to store necessary information about
the security of email in DNS, though within a narrow naming
convention (records stored under "_domainkey" subdomains). Storing
This phrasing entirely misses the way that the underscore name component
restricts the TXT record to an unambiguous usage.
I suggest:
many applications. Recently a number of applications, such as
DKIM [RFC6376], have resolved the problem of TXT ambiguity by storing it
under a specialized DNS naming structure that includes the component
("_domainkeys"), which serves to restrict the scope of the TXT solely to
DKIM use.
keys in the DNS became the preferred solution for DKIM for several
reasons: notably, because email applications already queried the DNS
in their ordinary operations, because the public keys associated with
email required wide public distribution, and because email
identifiers contain a domain component that applications can easily
use to consult the DNS. If the application had to negotiate support
This implies that there have been other solutions. There hasn't.
Hence:
For DKIM, the choice of storing keys in the DNS, rather than
specifying a new and independent key distribution service, takes
advantage of the existing, Internet-wide installed base of DNS software
and operations. Email applications already queried the DNS in their
ordinary operations and the public keys associated with email require
wide public distribution.
The last clause: "and email identifiers contain a domain component that
applications can easily use to consult the DNS" doesn't make much sense
to me and doesn't appear relevant to the reasons I am aware of for
choosing the DNS as a key distribution mechanism. Given that I've been
involved with DKIM since the Yahoo Domainkeys effort, I'd have expected
to hear of that reason...
If the application had to negotiate support
for the DKIM mechanism with mail servers, it would give rise to bid-
down attacks (where attackers misrepresent that DKIM is unsupported
in the domain) that are not possible if the DNS delivers the keys
I'm pretty sure that this analysis is wrong. DKIM is a cooperative
service. It requires that the signer and the verifier cooperate to
achieve a validated identifier. A receiving server can simply choose to
ignore DKIM if it wants. It doesn't need to play games. A sending
server can do the same.
So what is the exact scenario that is is being hypothesized here?
(provided that DNSSEC [RFC4033] guarantees authenticity of the data).
The benefit of using DNSSEC is that the DNS response cannot be spoofed.
That's entirely different from -- or, at least, much broader than -- a
bid-down attack.
And DKIM does not rely on the presence of DNSSEC. If DNSSec is to be
cited with DKIM, it needs to be as a combinatorial enhancement that goes
beyond either mechanism independently. And it needs to be made clear
that it is a future benefit, since it does not yet have extensive
deployment. It's an appealing combination and will no doubt eventually
dominate as DNSSec use grows, but it hasn't happened yet and DKIM has
never relied on its happening, except in very generic terms, by way of
deferring reasonable concerns that the storage of DKIM keys could be
compromised.
However, there are potential issues with storing large data in the
This raises a valid point, but in a confusing manner. Perhaps:
The size of public keys, encoded as text, along with other
parameters used by DKIM, pushes towards the maximum number of characters
that can be stored in a TXT RR, as discussed in Section 3.2.1. In
addition, the domain naming convention used by DKIM and other services
limits the ability to use DNS wildcards.
(For reference, the DKIM does not 'prevent' the use of wildcards; it
limits their utility and can introduce some other surprises. But
wildcards are sometimes still possible to use effectively.)
DNS, as discussed in Section 3.2.1 as well as with the DKIM namespace
conventions that prevent the use of DNS wildcards (as discussed in
section 6.1.2 of [RFC6376] and in more general terms in [RFC5507]).
If prefixes are used to identify TXT records used by an application,
potentially the use of wildcards may furthermore cause leakages that
other applications will need to detect.
Huh? What 'leakages' are you talking about? I have no idea what this
bit of fear is about.
Peterson, et al. Expires August 30, 2013 [Page 11]
�
Internet-Draft Application Features in DNS February 2013
3. Challenges for the DNS
The methods discussed in the previous section for transforming
arbitrary identifiers into domain names, and for returning arbitrary
data in response to DNS queries, both represent significant
departures from the basic function of translating host names to IP
Sorry, but this persists in confusing dominant use with basic
architecture, even with the ending clause of the sentence.
The "basic function" of the DNS doesn't know or care that some RRs carry
IP Addresses and others don't, and it never has. And TXT records have
been used for rather too long a time to refer to them as a "departure"...
addresses, yet neither fundamentally alters the underlying semantics
Does it alter it a little bit? No. So the implication of
"fundamentally" is wrong.
of the DNS. When we consider, however, that the URIs returned by
DDDS might be base 64 encoded binary data in a data URL, the DNS
What is a "data" URL? Do you mean RFC 2397? If so, cite it.
could effectively implement the entire application feature set of any
simple query-response protocol. Effectively, the DDDS framework
considers the DNS a generic database - indeed, the DDDS framework was
No it doesn't. It considers it an indexed storage engine. That's
rather simpler than a "database", which implies richer functionality,
such as searching and content-based indexes that the DNS doesn't have.
It's frankly surprising that an IAB draft would refer to the DNS as a
database...
{review terminated }
d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net