
RE: New RR problem not evidence that DNS needs to be replaced (was Re:SRV records considered dubious)

2006-11-22 10:26:32
From: Ofer Inbar [mailto:cos(_at_)aaaaa(_dot_)org] 
"Hallam-Baker, Phillip" <pbaker(_at_)verisign(_dot_)com> wrote:

This thread started with the assertion that DNS is a failure 
and needs to be replaced with a new, better protocol; adding 
new RRs was part of the evidence.

Yes but I never argued that DNS should be replaced. 

On the contrary I argue that the case for replacement of the DNS is based on an 
unnecessarily dogmatic and inflexible approach to DNS extension. There are two 
potential methods of extending the DNS. People arbitrarily choose the one that 
has serious deployment problems over the one that works and then throw up their 
hands and say 'it's impossible, we must do something new' and they so often 
happen to have a proposal ready (Note I am not accusing PAF of this but there 
are certainly others guilty of this).

I am arguing to make the DNS the one authoritative source for obtaining the 
information necessary to resolve a DNS name. That is I believe the originally 
intended purpose.


The argument I have with PAF is essentially a subjective one as to the 
importance of certain acknowledged constraints in the legacy DNS system. WGs 
consider similar issues all the time.

The point I am making here is that I believe that I have an architecture for 
extending the DNS that is just as coherent, just as principled as the one 
advanced in CHOICES and that this architecture should be addressed in the 
CHOICES draft if people are to be expected to take notice of it.

The prefixed wildcard problem has been solved.


Mark Andrews said that the new RR problem is not valid 
evidence, because it has been solved.

Phillip says no, it hasn't been.

But in the original context, Phillip is supporting Mark's point.
If the reason the new RR problem hasn't been solved is that 
the solution is so recent (3 years old) that Microsoft hasn't 
implemented it yet, obviously this doesn't constitute 
evidence that we need to solve the problem again by 
developing a new protocol.

I am proposing that we use prefixed records and a simple indirection mechanism 
to solve the wildcarding problem and that the CHOICES draft should not be 
approved until it at least addresses this particular approach and gives reasons 
for why PAF's favored approach with acknowledged deployment issues is superior 
to an equally functional approach that works with legacy infrastructure.


There are three positions here:

MINE:    We can make the legacy DNS meet all the possible needs of an extension 
record using prefixes and prefix pointers

CHOICES: Despite acknowledged deployment issues, deploying new RRs is preferable 
to the architectural options considered which do not include prefix pointers

NEW DNS: Based on the fact that Phill is arguing that CHOICES should consider 
other possibilities we are going to make the claim for our pet scheme to create 
a replacement for the DNS.


In other words my position is actually the polar opposite to proposals for a 
new DNS. I am proposing evolution, not revolution. In fact I am proposing LESS 
change to the DNS protocols than PAF. I am proposing adding one RR and the only 
reasons I need that are political.


I believe that PAF and I both agree on the following items:

1) DNS servers should support new RRs

2) People should be encouraged to deploy DNSSEC which by necessity means 
deploying support for new RRs.

3) There are costs associated with new RRs (we disagree on the extent and 
consequences of those costs but not their existence).

4) There is no need to replace the DNS with an entirely new infrastructure.


We disagree on the following points:

1) PAF refuses to acknowledge the existence of the prefix pointer proposal let 
alone address it in the draft.

2) I believe that the administrative constraints associated with the issue of 
new RRs are grossly underestimated in the Choices draft. DNSSEC has gone 
through many iterations and has required many RRs to be issued over the years. 
While this is appropriate for a feature that is intrinsic to the DNS itself I 
do not believe that that level of coupling is appropriate for protocols that 
are not part of the DNS itself.

3) PAF and others appear to believe that there is some extrinsic value in 
issuing a new RR in and of itself. I don't.

4) I believe that text based labels are extrinsically more valuable and 
appropriate than numeric RR codes: the namespace is effectively inexhaustible, 
the dependency on a central registry is much less critical, the labels are to a 
degree self explanatory, issue of an IANA text label for any purpose may be 
taken as implicitly reserving the use of that label for associated uses as a DNS 
prefix (i.e. _pop3 cannot be reasonably assigned to any other use than as a 
prefix label associated with the POP3 protocol). The DNS community prefers 
numeric identifiers.

5) I believe that the two most important features of a protocol are 1) 
deployment and 2) the ability to correct technical mistakes. Empirically PGP 
and S/MIME are not very useful as very few people actually use them (most 
people have S/MIME clients; few people use them). SSL 2.0 on the other hand was 
botched from the technical perspective as was 802.11b/WEP. Today SSL and WEP 
are widely used and most people use secure iterations. So empirically botching 
deployment is a much more critical problem than botching the technical issues 
even on the heroic scale of WEP.
