Re: Large Zone and DNSSEC



> Just as DNSSEC may be beyond understanding for many, I think the idea
> of silently introducing hierarchy by transforming abc.com to a.b.c.com
> is difficult to understand without some notes on how it will work.
>
> In the example, abc.com would still need to exist in the DNS in order
> to provide a translation to a.b.c.com, so the large zone (com) is not
> reduced in size anyway.

Example:

1. Client sends abc.com in a DNS/EDNS packet to the server.

2. Server receives abc.com from the DNS packet, does internal processing and
   breaks it into a.b.c.com.

3. Server does its normal DNS magic on a.b.c.com and then returns the answer
   to the Client, with a.b.c.com readjusted back to abc.com.

4. Repeat for every recursion (i.e. the .COM server needs a patch, the abc.com
   server also needs a patch, etc.).

So no, you don't have abc.com in your zone file. Instead, you have a.b.c.com.
We are effectively breaking up a flat level name into a hierarchy. And instead
of dealing with one large zone, you can then deal with multiple zones.

Once again, I need to remind everyone that transforming abc.com into a.b.c.com
is probably too simplistic and won't work. We need a more exotic transformation
which will work with sub-delegation etc.

Incidentally, you will notice that there wouldn't be any changes in the DNS
clients or resolver/caching servers. The changes only occur on the server side,
and only for servers which want to break up their large zone.

> If the intention is to change the protocol and the software that
> implements it such that resolvers just know to try a.b.c.com, then how
> would you orchestrate the change; and for what real benefit?

No, the DNS protocol doesn't change (at least not the wire format). Only the
software implementation. I would say it is an architecture change.

> Trying to get my head around your comments, I had a look through the
> IDN discussion (http://www.imc.org/idn/mail-archive/) where you said
> things like: "Let's go for a truly distributed structure with no
> centralized registry model." Does this mean there should be no unique
> namespace?
>
> I understand that you are referring to a next generation of DNS, but
> it reminded me of "RFC2826 - IAB Technical Comment on the Unique DNS
> Root" in which similar proposals were labelled technically naive.
>
> Perhaps some explanatory notes on how you see this "DNSng" working
> would help people better understand your suggestions.

I was discussing this offline with some folks. But the general idea is, if we
were to do DNSng, and we got a chance to start all over again, do we want to
design a system which creates a monopolistic hierarchical structure again?

I am not saying unique root is bad or suggesting alternative root. I am
suggesting "NO ROOT". (Okay, I like to come up with bad ideas :-P).

-James Seng
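
The four steps in the message above, as an added sketch that is not code from the original post or from any DNS server. The function names, the choice of the last split character as the child zone, and the sample records (documentation addresses) are assumptions made for illustration. The last lines show that a literal a.b.c.com query lands on the same internal name as abc.com.

```python
# Added illustration: server-side split of a flat label into a hierarchy.
# All names and records below are constructed for this example.

def to_internal(qname: str, apex: str = "com") -> str:
    """Step 2: abc.com -> a.b.c.com (one label per character of the flat label)."""
    labels = qname.rstrip(".").lower().split(".")
    apex_labels = apex.split(".")
    n = len(apex_labels)
    if labels[-n:] != apex_labels or len(labels) == n:
        return ".".join(labels)            # not below this apex: leave unchanged
    flat = labels[-n - 1]                  # the label directly under the apex
    return ".".join(labels[:-n - 1] + list(flat) + apex_labels)

def child_zone(internal: str, apex: str = "com") -> str:
    """Zone that holds an internal name: its first label below the apex."""
    n = len(apex.split("."))
    return ".".join(internal.split(".")[-n - 1:])

def build_zones(flat_zone: dict, apex: str = "com") -> dict:
    """Turn one large flat zone into several smaller zones of internal names."""
    zones = {}
    for owner, rdata in flat_zone.items():
        internal = to_internal(owner, apex)
        zones.setdefault(child_zone(internal, apex), {})[internal] = rdata
    return zones

def resolve(qname: str, zones: dict, apex: str = "com"):
    """Steps 1-3: look up the internal name, answer with the name the client sent."""
    internal = to_internal(qname, apex)
    rdata = zones.get(child_zone(internal, apex), {}).get(internal)
    return qname, rdata                    # owner name restored; client sees no change

# Constructed flat zone data (what the unsplit .com zone would contain).
FLAT_ZONE = {"abc.com": "192.0.2.1", "xyc.com": "192.0.2.2", "abd.com": "192.0.2.3"}
ZONES = build_zones(FLAT_ZONE)

if __name__ == "__main__":
    for zone, records in sorted(ZONES.items()):
        print(zone, records)
    print(resolve("abc.com", ZONES))
    # The mapping is not one-to-one: a name that already has this shape
    # maps to the same internal name, so the server cannot tell them apart.
    print(to_internal("a.b.c.com") == to_internal("abc.com"))
```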


