On Mon, Jul 17, 2023 at 11:05 AM John R Levine <jo...@taugh.com> wrote:

> >>> TCP, you already have worse problems, like DNSSEC doesn't work.
> >
> > Triggering TCP is still not good, even if it all works. It is still
> > better to avoid it by not stuffing the APEX. So I think we still want
> > to leave something in there.
>
> In view of the wide use of DNSSEC and DoT and DoH, I think the argument
> that triggering TCP is bad stopped being persuasive a while ago.  (Don't
> we hope people sign the DNS responses with the tokens?)
>

Hi, John,
I believe you've conflated two different things here.

DoT and DoH are (for the most part) used in client-recursive
communications. (I have no comment on those vis a vis TCP).

TCP being triggered on resolver-auth is much more of a concern, particularly
when the underlying cause (large RRsets) is preventable.

DNSSEC impact is mitigated largely by migration to algorithms that are
sufficiently small in RRSIG and DNSKEY sizes to avoid triggering TCP, such
as alg 13.

As an auth operator (at scale), TCP being bad is very obvious (to us), and
I'd hope persuasive without having to provide detailed stats whenever this
question is raised.

Endorsing this (verification techniques draft) would likely result in the
eventual migration of such validation records out of the apex, i.e.
un-stuffing the apex (in multiple senses).
At a minimum it would "stop the bleeding" prior to actually stitching the
wound(s), figuratively speaking.


>
> The only somewhat plausible argument I see against stuffing the apex is
> that if people are sloppy, they might invent tokens that could be confused
> with each other.
>

The technical term would be "collision" rather than "confusion".
One harm of collision is the impact on automation. Whether at the apex or
in underscore prefixes, the collision "space" suffers from the "birthday
paradox" scaling problem.
It isn't whether a particular token collides, it is whether any two (or
more) tokens collide.
That situation won't occur everywhere, but if it occurs anywhere (possibly
well after the token authors have used it for a lot of issued tokens), it
becomes a real operational issue for the domain owners.
The first collision might not happen for a while, and after it does, the
fix would require one or more of the token issuers to change what they are
using.
That, in turn, would not be a pleasant situation to sort out. Consider the
impact if the token issuers are similar in size, or if both are "large" for
some value of large.
(Moving the name of the token to part of the name rather than the
TXT content doesn't actually change the collision situation, but the other
recommendations on selection of token do improve it.)


>
> But people have been putting tokens at the apex for years and I have
> never, ever, heard of token confusion.
>

You are looking for anecdotes (or claim to not have any).
IMNSHO, what you should be looking for is statistics.
Or you could just ignore this whole thing. I don't think it impacts you at
all, either way, but does impact lots of other folks.

Respectfully,
Brian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
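The claim above that a large apex TXT RRset (plus its RRSIG) is what pushes a resolver-to-authoritative exchange over UDP into TCP can be checked with a wire-size estimate. The following is an added example written for this page, not code from the thread or from any DNSOP draft: it adds up the DNS wire-format field sizes (RFC 1035 message header, question and RR layout, TXT character-strings; RFC 4034 RRSIG layout with an uncompressed signer's name) for an answer to an apex TXT query with the DO bit set, and compares the total against a UDP buffer size. The zone name, the token strings, the 64-byte P-256 signature for algorithm 13 versus a 256-byte signature for algorithm 8 with a 2048-bit key, and the 1232-byte EDNS buffer limit are assumptions chosen for illustration; additional-section records other than the OPT RR are ignored.

```python
# Added example (not code from the DNSOP thread): estimate the wire size of a
# DNSSEC-signed answer for an apex TXT RRset and whether it exceeds a UDP
# buffer size, which forces TC=1 and a TCP retry by the resolver.
# Field sizes follow RFC 1035 (header, question, RR, TXT) and RFC 4034 (RRSIG).
# Zone name, tokens and the 1232-byte limit are constructed assumptions.

HEADER = 12                               # message header
COMPRESSED_OWNER = 2                      # owner name as a pointer to the QNAME
RR_FIXED = 2 + 2 + 4 + 2                  # TYPE, CLASS, TTL, RDLENGTH
OPT_RR = 1 + 2 + 2 + 4 + 2                # EDNS OPT pseudo-RR carrying no options
RRSIG_FIXED = 2 + 1 + 1 + 4 + 4 + 4 + 2   # RRSIG fields before the signer's name


def signature_len(alg, rsa_bits=2048):
    """Signature bytes: alg 8 (RSASHA256) is the modulus size,
    alg 13 (ECDSAP256SHA256) is a fixed 64 bytes (r and s, 32 each)."""
    if alg == 13:
        return 64
    if alg == 8:
        return rsa_bits // 8
    raise ValueError(f"unsupported algorithm {alg}")


def wire_name(name):
    """Uncompressed name length: one length octet per label plus the root octet."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return sum(1 + len(label) for label in labels) + 1


def txt_rdata_len(text):
    """TXT RDATA is a sequence of <length><bytes> strings of at most 255 bytes."""
    data = text.encode()
    strings = max(1, (len(data) + 254) // 255)
    return len(data) + strings


def apex_txt_response_size(zone, tokens, alg=13, rsa_bits=2048):
    """Bytes on the wire for QNAME=zone, QTYPE=TXT, DO=1: the TXT RRset,
    one RRSIG (its signer's name is never compressed), and the OPT RR."""
    size = HEADER + wire_name(zone) + 4   # question: QNAME, QTYPE, QCLASS
    for token in tokens:
        size += COMPRESSED_OWNER + RR_FIXED + txt_rdata_len(token)
    size += (COMPRESSED_OWNER + RR_FIXED + RRSIG_FIXED
             + wire_name(zone) + signature_len(alg, rsa_bits))
    return size + OPT_RR


def needs_tcp(size, udp_limit=1232):
    """True if the responder must truncate (TC=1) at this advertised buffer."""
    return size > udp_limit


def max_tokens_under_limit(zone, token_len, alg=13, udp_limit=1232):
    """Largest number of token_len-byte TXT records that still fits over UDP."""
    n = 0
    while not needs_tcp(apex_txt_response_size(zone, ["x" * token_len] * (n + 1), alg),
                        udp_limit):
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample apex: an SPF record plus vendor verification tokens.
    zone = "example.com"
    tokens = ["v=spf1 include:_spf.example.net -all"] + [
        f"vendor{i}-site-verification={i:032x}" for i in range(14)
    ]
    for alg in (8, 13):
        size = apex_txt_response_size(zone, tokens, alg)
        print(f"alg {alg}: {size} bytes, TCP fallback at 1232: {needs_tcp(size)}")
        print(f"  60-byte tokens that still fit under alg {alg}: "
              f"{max_tokens_under_limit(zone, 60, alg)}")
```

Under these assumptions the fixed overhead of the signed answer is 147 bytes with algorithm 13 and 339 bytes with algorithm 8, so each 60-byte token record (73 bytes on the wire) matters: fourteen of them fit under 1232 bytes with algorithm 13 but only twelve with algorithm 8, which is the "small RRSIG" mitigation the message refers to, and also why moving tokens out of the apex removes the problem regardless of algorithm.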
