In message <df9d8d34-6005-6b61-e9d1-397d915aa...@redhat.com>, Petr Spacek write s: > Hello, > > I would like to draw attention of dnsop WG to discussion about new service > discovery method for Kerberos: > > Please see > http://www.ietf.org/mail-archive/web/kitten/current/msg06044.html > and its continuation > http://mailman.mit.edu/pipermail/krbdev/2016-May/012588.html > > > Main arguments for using TXT instead of URI RR type are: > ... > > We had been planning to use the URI record type, but after a recent > > round of discussion, we don't think it's likely that popular DNS hosting > > providers will allow customers to create URI records (since it seems > > like no one else is using them). Some middle-boxes would also block DNS > > queries for URI records. That problem would be even worse if we create > > a new record type. So, we are planning to use the TXT record type. It > > seems unlikely that we can standardize on a TXT record through the IETF > > (except perhaps as an informational RFC), but it seems like the only > > deployable option for individuals and small organizations > ... > > Could someone validate these assumptions?
Well you have idiots with firewalls that think that anything new needs to be blocked be it types, flags, options or versions depite none of that being a actual security threat. The only way to fix this is to force them to upgrade. This is possible. Just start using a feature that is being block and it will be corrected. That being said dropping queries based on qtype is rare. That said we are pushing ahead with deploy DNS COOKIES (RFC 7873) by default. There are more firewalls that block unknown EDNS options than those that block based on type. There are also plenty of nameservers that do not implement EDNS correctly and fail to ignore unknown EDNS options. For the most part that just slows down resolution but there are corner cases where things break. e.g. a validating resolver trying to retrieve records from a signed zone where the server doesn't implement EDNS correctly, misconfigured loadbalancers where the backing zone is missing necessary fallback records to handle the queries that fall through to it. Yes, we have had bug reports over lookup failures due to DNS COOKIES and when that is the issue we complain to the DNS operator. Most modern nameservers handle new records types and unknown record types. There are a few that return NOTIMP rather than NOERROR to unimplemented types. Similarly there are a few that return REFUSED. When you discover one contact the operator and complain. The hardest part is DNS hosters that fail to update their web interfaces to handle new types. Deciding to not use a new type due to this is a case of the tail wagging the dog. We should not go there. You can alway open support tickets to get records added. Adding new types is easy to do and should be something that is expected to be done by all parts of the ecosystem. It's not like we haven't been adding new types every year for the last 20 odd years. We shouldn't be letting substandard operators be holding up DNS developments. There is absolutely nothing stopping anyone that wants to deploy a new type from doing so other than FEAR. You can always host your own servers if you have to. Mark > I do not like TXT but I'm not in position to judge validity of these argument > s. > > Thank you for your time. > > -- > Petr Spacek @ Red Hat > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop