[dns-operations] EDNS and TLDs

Mark Andrews marka at isc.org
Thu Nov 17 04:30:06 UTC 2016


In message <CAAiTEH9zGMp3Wb43tmGKMm65tLdMQuSUo_Fk51pX_tmpa9+ymg at mail.gmail.com>, Matthew Pounsett writes:
> On 17 November 2016 at 12:28, Mark Andrews <marka at isc.org> wrote:
> 
> >
> > In message <CAAiTEH9UCNw5hdWAW7brmT1eVL20+WqH25m2NWf3RzV5i4Nv4Q at mail.
> > gmail.com>
> > , Matthew Pounsett writes:
> > > On 17 November 2016 at 11:49, Matthew Pounsett <matt at conundrum.com>
> > wrote:
> > >
> > > >
> > > >  I've always been a little annoyed that no "do not send updates" signal
> > > > was never considered when the UPDATE mechanism was codified.
> > > >
> > > > "... was ever considered..."
> >
> > Well Apple registered a SRV record for UPDATE so that UPDATEs don't
> > need to go to the NS's.  In theory if the update client supports
> > the SRV record (there is a ticket to add this feature to nsupdate)
> > then there is a way to signal this.
> >
> > dns-update is the registered string.
> >
> > http://www.iana.org/assignments/service-names-port-numbers/service-names-
> > port-numbers.xhtml?search=53&page=4
> 
> 
> Do you know how the patch is to be implemented?  If absence of the relevant
> SRV record indicates fallback to MNAME then it doesn't solve the problem.

SRV defines "." in the server field as "no service".

e.g.
	_dns-update._tcp.tld. SRV 0 0 0 .

Note also the SOA MNAME is only supposed to be used if it matches
an NS record name.  Updates are supposed to be able to go to any
nameserver for the zone.

As far as I can see there was no RFC issued with this assignment.

I would suggest doing an RFC2136bis which incorporates this along
with SIG(0)/TSIG/GSS-TSIG as securing mechanisms.  RFC2137 is
currently mentioned in the security considerations and is very much
out of date.  SIG(0) and TSIG are forwardable, though you have to
preserve the ID field when forwarding SIG(0) signed updates.

Mark

> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> >
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
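As an added illustration (not code from the thread or from nsupdate), the target-selection logic an UPDATE client would need to honour the rules Mark describes: a `_dns-update._tcp.<zone>` SRV with target "." means "no service", so the client must not fall back to NS or MNAME; without an SRV, any NS may take the update and MNAME is only preferred when it is also an NS name. The zone snapshot and names are constructed for the example.

```python
from dataclasses import dataclass

NO_SERVICE = "."  # SRV target "." = service decidedly not available (RFC 2782)


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def select_update_targets(zone: str, zone_data: dict) -> list:
    """Return (host, port) pairs an UPDATE client should try, in order.

    1. If _dns-update._tcp.<zone> SRV exists it is authoritative: a "."
       target means "do not send updates here"; otherwise use its targets.
    2. Without SRV, any NS of the zone may take updates; SOA MNAME is
       put first only when it is also one of the NS names.
    """
    srv_name = f"_dns-update._tcp.{zone}"
    srvs = zone_data.get(srv_name, {}).get("SRV", [])
    if srvs:
        if any(s.target == NO_SERVICE for s in srvs):
            return []  # explicit "no service": never fall back to NS/MNAME
        # Lowest priority first; weight ordering simplified (RFC 2782 uses
        # weighted random selection within a priority).
        ordered = sorted(srvs, key=lambda s: (s.priority, -s.weight))
        return [(s.target, s.port) for s in ordered]

    apex = zone_data.get(zone, {})
    ns_names = list(apex.get("NS", []))
    mname = apex.get("SOA_MNAME")
    if mname in ns_names:
        ns_names.remove(mname)
        ns_names.insert(0, mname)  # preferred only because MNAME is an NS
    return [(ns, 53) for ns in ns_names]


# Constructed sample data (hypothetical zones, not real TLD contents).
ZONES = {
    "tld-plain.": {"NS": ["a.ns.tld-plain.", "b.ns.tld-plain."],
                   "SOA_MNAME": "b.ns.tld-plain."},
    "tld-hidden.": {"NS": ["ns1.tld-hidden.", "ns2.tld-hidden."],
                    "SOA_MNAME": "master.tld-hidden."},  # hidden master
    "tld-none.": {"NS": ["ns1.tld-none."], "SOA_MNAME": "ns1.tld-none."},
    "_dns-update._tcp.tld-none.": {"SRV": [Srv(0, 0, 0, ".")]},
    "tld-srv.": {"NS": ["ns1.tld-srv."], "SOA_MNAME": "ns1.tld-srv."},
    "_dns-update._tcp.tld-srv.": {"SRV": [Srv(10, 0, 53, "upd2.tld-srv."),
                                          Srv(0, 0, 5353, "upd1.tld-srv.")]},
}
```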