Reverse DNS Restructuring Project
Dear Colleagues, Below you find a proposal for restructuring of parts of the reverse DNS services. The proposal can also be found on http://www.ripe.net/reverse/proposal.html We would appreciate your feedback on this (ncc-services-wg) list. -- Olaf Kolkman Reverse DNS Restructuring Project. Proposal: Restructuring of the reverse DNS setup. The Reverse DNS Restructuring Project involves a number of changes: - Modification of internal databases so that the RIPE Whois Database becomes the authoritative source for zone file generation. - Change of interface for the creation and maintenance of delegation of reverse domains. <auto-inaddr@ripe.net> will be deprecated while the Whois Database interfaces will be available for reverse database management. - The introduction of a new attribute, "mnt-domains:", in INETNUM and INET6NUM objects to be able to delegate the authority to create new domain objects. - The introduction of 'name' syntax checks for the ip6.arpa and in-addr.arpa domains, only allowing DOMAIN for names that make sense in the address hierarchy i.e. those that represent "reversed" addresses. - A cleanup of inconsistent data so that the who is Database reflects the data that is in the reverse zones. - Once address space has been allocated the reverse delegations can be made. There is no longer the requirement that address space has to be assigned before a reverse delegation is made. - The introduction of an attribute in the domain object used for storing public DNSSec keys. Background and Motivation: There are a number of issues that give rise to these changes. - LIRs must currently use a separate interface for the maintenance of their domain objects. Having a single entry point for the maintenance of all objects in the Whois Database is more efficient for LIRs and the RIPE NCC. - Deployment of DNSSec requires a method for the exchange of public keys. Using the Whois Database as the authoritative source for zone file creation enables the use of the Whois Database authorization mechanisms including the LIR Portal, PGP keys and X.509 certificates, for DNSSec public key exchanges. - Reverse zones are currently maintained though an e-mail robot, <auto-inaddr@ripe.net>, also referred to as 'Marvin'. When DOMAIN objects are submitted Marvin performs a number of DNS checks, updates the Whois database with the submitted object and then updates the zone files. Once a DOMAIN object exists in the Whois database it can be modified using the database interfaces. However changes to it will not end up in the zone file. This allows for the data in the Whois database being inconsistent with the data in the DNS. This leads to confusion and lameness problems in the DNS. - The motivation for introducing the "mnt-domains:" attribute is because the maintenance of the DNS is often done by a different set of people to those that maintain INETNUM objects. With the introduction of this new maintainer attribute and no longer having the restriction that address space is to be assigned before delegations are made, the setup of reverse space is easier and operational delays can be avoided. - The motivation for the 'name syntax check' is because there are currently DOMAIN objects that clearly cannot exist in the address hierarchy (e.g. 666.193.in-addr.arpa). - The Whois Database has several methods to interface with it, moving towards a system where the Whois Database is the authoritative source for reverse delegation information eases the development of web-based tools for zone maintenance. Besides, having uniform interfaces for all RIPE NCC services has benefits for the RIPE NCC and its customers. Details: - Introduction of the MNT-DOMAINS attribute for INETNUM/INET6NUM (INET[6]NUM for short) objects. An INET[6]NUM object can contain multiple instances of the "mnt-domains:" attribute. It is used for authorizing the creation of DOMAIN objects for the reverse DNS namespace to which the INET[6]NUM relates i.e. the smallest less specific range. It protects the creation of DOMAIN objects and allows for fine grained control of who requests a delegation. Once the DOMAIN object is created it is protected through the use of the "mnt-by" attribute. If there is no "mnt-domains:" attribute on a INET[6]NUM the authentication for the creation of a DOMAIN object is passed by the "mnt-lower:" attribute, when this is not available the "mnt-by:" attribute is used. This is a mechanism also used in RPSL and RPSS. - Reverse delegation interface The <auto-inaddr@ripe.net> e-mail interface will be deprecated. Reverse delegations can be maintained by submitting DOMAIN objects to the database. This allows for the use of existing database update interfaces in addition to the e-mail interface (<auto-dbm@ripe.net>). The RIPE NCC will create DNS zone files for the reverse space from the information in the DOMAIN objects. During the creation of the zone files a filter is applied to ensure that: - Reverse zone delegations are only created for address space allocated by the RIPE NCC (this takes into account ERX space). - Once a delegation at a /16 boundary is made the more specific /24 domain objects are ignored. - Delegations are only allowed on /16 and /24 boundaries (note that it remains possible to submit an object of the form 0-9.xxx.yyy.in-addr.arpa that will be expanded in 10 separate DOMAIN objects). RFC 2317 type 'delegations' for PI space smaller than /24 not allocated by a LIR cannot be handled via this interface but will need to be requested via <inaddr@ripe.net>. - Introduction of an attribute for storing DNSSec public key information in DOMAIN objects. When DNSSec is deployed not only the name servers that are authoritative for running a zone need to be registered but also the public key with which those reverse zones are signed. A mechanism is needed to authenticate the exchange of public keys. To avoid the deployment of DNSSec being prohibitively expensive the key exchange should be similar to the procedure used to exchange the information about the authoritative name servers. The authentication methods used during the key exchange should be at least as strong as the authentication methods used for making the actual delegation. Using the Whois Database, in combination with the "mnt-domains:" attribute, the users of address blocks have control over the authentication methods. We expect improved consistency and lower maintenance costs when, during the zone file generation, a single source of data for both DNSSec public keys and name server RRs can be used. - Database consistency and cleanup Currently there is a set of zone files that is the authoritative source for the reverse tree. In addition there are DOMAIN objects in the database. Appendix 1 shows the number and nature of the inconsistencies. The cleanup should not cause existing delegations to change i.e. the zone data has prevalence over Whois database information in case of inconsistencies. A somewhat more detailed cleanup plan will be presented to the DB-WG mailing list. Tentative milestones - A more detailed proposal for the "mnt-domains:" attribute and the cleanup. (October 2003) - Documentation and procedures. (October-November 2003) - Introduction of "mnt_domains:" and reverse delegation processing for <auto-dmb@ripe.net> while still allowing the use of <auto-inaddr@ripe.net> with the current authorization methods. (December 2003). - As soon as <auto-dbm@ripe.net> can handle reverse delegation requests, and the back-end systems have been modified not to introduce new inconsistencies the RIPE NCC will be sending out warnings about inconsistent data (as part of the cleanup process). There will be a 2 months interval to allow users to fix inconsistencies. - Deprecation of the <auto-inaddr@ripe.net> interface, allowing only updates via <auto-dbm@ripe.net>. (Around February 2004, Details to be worked out). - Around February 2004 (shortly after the previous step) the inconsistent data will be cleaned up. $Id: RDNS-Proposal.txt,v 1.8 2003/09/30 07:21:45 olaf Exp olaf $
On Wed, 1 Oct 2003, Olaf M. Kolkman wrote:
Currently there is a set of zone files that is the authoritative source for the reverse tree. In addition there are DOMAIN objects in the database. Appendix 1 shows the number and nature of the inconsistencies.
Where is Appendix 1?
The cleanup should not cause existing delegations to change i.e. the zone data has prevalence over Whois database information in case of inconsistencies.
A somewhat more detailed cleanup plan will be presented to the DB-WG mailing list.
Shouldn't this proposal: http://www.ripe.net/reverse/proposal.html be linked into the reverse page at: http://www.ripe.net/reverse/ -Hank
On Wed, Oct 01, 2003 at 05:39:28PM +0200, Olaf M. Kolkman wrote:
Below you find a proposal for restructuring of parts of the reverse DNS services.
IMHO, a very good idea.
- Once a delegation at a /16 boundary is made the more specific /24 domain objects are ignored.
Hm. This has to consequences which I can see off-hand: - lesser delegations in the RIPE-operated zone files - higher resolution delays as more indirection is involved Is there something I'm missing? And: you're saying that this is part of a filter between the database and the actual zone file generation. Wouldn't this introduce possible inconsistencies between DNS data and database data? Best regards, Daniel
- lesser delegations in the RIPE-operated zone files
Not really, since a delegation on a /16 boundary even now precludes any further delegation of "names" below that /16 out of the parenting /8. Ignoring the objects is just a consequence of how DNS works. -Peter
On Thu, Oct 02, 2003 at 02:16:46PM +0200, Peter Koch wrote:
- lesser delegations in the RIPE-operated zone files
Not really, since a delegation on a /16 boundary even now precludes any further delegation of "names" below that /16 out of the parenting /8. Ignoring the objects is just a consequence of how DNS works.
You're right of course. No coffee yet. *sigh* Best regards, Daniel
On 02.10 14:19, Daniel Roesen <dr@cluenet.de> wrote: ^^^^^^^
You're right of course. No coffee yet. *sigh*
No coffee -> dormant clue. [sorry, could not resist] Daniel Karrenberg
On Thu, Oct 02, 2003 at 02:43:07PM +0200, Daniel Karrenberg wrote:
On 02.10 14:19, Daniel Roesen <dr@cluenet.de> wrote: ^^^^^^^
You're right of course. No coffee yet. *sigh*
No coffee -> dormant clue.
[sorry, could not resist]
Hehe, fair 'nuff ;-> Best regards, Daniel (night owl)
On Thu, 2 Oct 2003, Daniel Roesen wrote:
On Wed, Oct 01, 2003 at 05:39:28PM +0200, Olaf M. Kolkman wrote:
- Once a delegation at a /16 boundary is made the more specific /24 domain objects are ignored.
Hm. This has to consequences which I can see off-hand: - higher resolution delays as more indirection is involved
In abstract terms, this project merely changes the authoritative data source for the DNS-based data (delegations), moving it from the current zone files, to the RIPE Database. No additional DNS indirection is involved or created by this project. ( Note that the NCC currently secondaries /16-level zones on ns.ripe.net when /16-level delegations are requested, thus cutting out one level of indirection when queries hit ns.ripe.net . No change to this behaviour is introduced by this project )
And: you're saying that this is part of a filter between the database and the actual zone file generation. Wouldn't this introduce possible inconsistencies between DNS data and database data?
The end goal is that the authoritative DNS data is taken from the Database, such that barring the lag time (minimal) between a Database update, and publication of the same data in DNS, there are no inconsistencies between the two data sets. Kind regards, -- Bruce Campbell RIPE Systems/Network Engineer NCC www.ripe.net - PGP562C8B1B Operations/Security
Olaf, On Wed, Oct 01, 2003 at 05:39:28PM +0200, ext Olaf M. Kolkman wrote:
- The introduction of a new attribute, "mnt-domains:", in INETNUM and INET6NUM objects to be able to delegate the authority to create new domain objects.
Does this mean that the 'rev-srv:' attribute will be retired too ?!? This proposal also means that one has to submit for example 16 reverse delegation objects to do a reverse delegation of a single /20. I was the one who wrote the first 'reverse delegation checking tool' for the RIPE NCC a long time ago and we used the 'domain:' object approach because that was 'the way it was always done' but it still doesn't make a lot of sense to me. Would it not be more customer friendly to find a way to allow people to request for the reverse delegation of a block of IP addresses, no matter what the size of the block actually is ?!? Unfortunately, reverse delegations are (generally) done on 8 bit boundaries but I don't see much reason why we should expose this kludge to the user (and neither do ISPs who use a good configuration system for their DNS servers). Adding a couple of 'rev-srv:' attributes to one 'inetnum:' object seems so much easier to me. In fact, there is actually very little use for doing the whole thing in the RIPE database in the first place. I haver never found any use at all for looking up one of the in-addr.arpa objects in the database. Maybe we should even think about retiring the 'domain:' objects and 'rev-srv:' attributes altogether and offer a simple secure web or mail user interface for submitting reverse delegations. David K. ---
Hi, On Fri, Oct 03, 2003 at 04:27:41PM -0700, David Kessens wrote:
In fact, there is actually very little use for doing the whole thing in the RIPE database in the first place. I haver never found any use at all for looking up one of the in-addr.arpa objects in the database. Maybe we should even think about retiring the 'domain:' objects and 'rev-srv:' attributes altogether and offer a simple secure web or mail user interface for submitting reverse delegations.
While I agree with the first half of your comments (do away with domain: and do it with the inetnum:) I disagree here. Users know how to access and modify the RIPE database - so please don't introduce yet another interface just for the reverse DNS. Gert Doering -- NetMaster -- Total number of prefixes smaller than registry allocations: 56883 (56833) SpaceNet AG Mail: netmaster@Space.Net Joseph-Dollinger-Bogen 14 Tel : +49-89-32356-0 80807 Muenchen Fax : +49-89-32356-299
David and others, I've put comments in-line. On Fri, 3 Oct 2003 16:27:41 -0700 David Kessens <david@iprg.nokia.com> wrote:
Olaf,
On Wed, Oct 01, 2003 at 05:39:28PM +0200, ext Olaf M. Kolkman wrote:
- The introduction of a new attribute, "mnt-domains:", in INETNUM and INET6NUM objects to be able to delegate the authority to create new domain objects.
Does this mean that the 'rev-srv:' attribute will be retired too ?!?
the "rev-srv:" attribute has been retired for the purpose of requesting reverse delegation. E.g see: http://www.ripe.net/ripencc/faq/reverse/qa2.html#14: What are those "rev-srv" lines in an inetnum object for? Previously, delegation requests could be made using either an inetnum object or a domain object. We discovered several problems with this, one being inconsistency of the two possible sources. Requests are now only accepted via domain objects, so you must register your reverse servers only in the domain object. If you're changing a reverse delegation and find rev-srv lines in the corresponding inetnum object in the RIPE DB, you must create a domain object and you should delete the rev-srv lines from the inetnum. (...)
This proposal also means that one has to submit for example 16 reverse delegation objects to do a reverse delegation of a single /20.
To request delegation ranges you can use the "y-x.z.w.in-addr.arpa" notation. This only works for "3rd" octets and there are problems when using this update method in combination with PGP (will be fixed during the migration to the WHOIS interface). Documentation on the range-update feature cannot be found on the web. It used to be part of the documentation, but fell through a crack at some point. We will be reviewing the documentation as part of the project but will fix this omission soon. In the mean time, this is the relevant piece of documentation: http://www.ripe.net/reverse/howtoreverse.html#ranged-domain The range-update is also part of the LIR training curriculum: http://www.ripe.net/training/lir/material/slides/page97.htm (...)
In fact, there is actually very little use for doing the whole thing in the RIPE database in the first place. I haver never found any use at all for looking up one of the in-addr.arpa objects in the database. Maybe we should even think about retiring the 'domain:' objects and 'rev-srv:' attributes altogether and offer a simple secure web or mail user interface for submitting reverse delegations.
We need an interface to 'transport' reverse zone information; now only nameserver attributes but in the future also DNSSec key attributes. Our "philosophy" when drawing this proposal is to provide our customers with uniform interfaces to deal with the RIPE NCC. By having one data-store, that comes with authorization mechanisms and a well defined API we are able to develop multiple interfaces to it; currently we have a mail and a network interface to the WHOIS database, web-portal functionality is being extended. Outside of the scope of this project, but this project enabling it, is the idea of a web-interface to reverse delegation management. Which includes easier management for simultaneous updating of "y-x.z.w.in-addr.arpa" objects (e.g. the same contact info, ns, etc.). I hope this addresses you question and comments. -- Olaf ---------------------------------| Olaf M. Kolkman ---------------------------------| RIPE NCC
Olaf, On Mon, Oct 06, 2003 at 03:58:13PM +0200, Olaf M. Kolkman wrote:
On Wed, Oct 01, 2003 at 05:39:28PM +0200, ext Olaf M. Kolkman wrote:
- The introduction of a new attribute, "mnt-domains:", in INETNUM and INET6NUM objects to be able to delegate the authority to create new domain objects.
Does this mean that the 'rev-srv:' attribute will be retired too ?!?
the "rev-srv:" attribute has been retired for the purpose of requesting reverse delegation. E.g see: http://www.ripe.net/ripencc/faq/reverse/qa2.html#14:
What are those "rev-srv" lines in an inetnum object for?
Previously, delegation requests could be made using either an inetnum object or a domain object. We discovered several problems with this, one being inconsistency of the two possible sources. Requests are now only accepted via domain objects, so you must register your reverse servers only in the domain object. If you're changing a reverse delegation and find rev-srv lines in the corresponding inetnum object in the RIPE DB, you must create a domain object and you should delete the rev-srv lines from the inetnum.
As you saw from my previous mail, if we decide to go the 'domain:' object way, let's get rid of the 'rev-srv:' attribute at the same time. I would like that to be part of the proposal. This whole 'rev-srv:' versus 'domain:' confusion has already lasted for such a long time that it is time to clear it up.
(...)
This proposal also means that one has to submit for example 16 reverse delegation objects to do a reverse delegation of a single /20.
To request delegation ranges you can use the "y-x.z.w.in-addr.arpa" notation. This only works for "3rd" octets and there are problems when using this update method in combination with PGP (will be fixed during the migration to the WHOIS interface).
Documentation on the range-update feature cannot be found on the web. It used to be part of the documentation, but fell through a crack at some point. We will be reviewing the documentation as part of the project but will fix this omission soon.
In the mean time, this is the relevant piece of documentation:
http://www.ripe.net/reverse/howtoreverse.html#ranged-domain
The range-update is also part of the LIR training curriculum:
Ok, but as you mentioned this gives problems with PGP. This is in my opinion a serious problem since this is the only real secure way to enter data in the database. Security is even more important if we use the data for actual operational purposes instead of informational purposes in contrast to all other registry data (with the exception of the routing registry part of the database). It is a real change from current procedures to use something from the RIR database for real operational purposes. It is also a departure of our policy of not rewriting users data. I am not sure whether that is a good thing. Rewriting and making a small correction to users input is one thing, expanding from one object to 16 or even more different objects is quite another. Don't be surprised if users are getting confused why they cannot find the range notation objects that they thought they just entered in the database.
In fact, there is actually very little use for doing the whole thing in the RIPE database in the first place. I haver never found any use at all for looking up one of the in-addr.arpa objects in the database. Maybe we should even think about retiring the 'domain:' objects and 'rev-srv:' attributes altogether and offer a simple secure web or mail user interface for submitting reverse delegations.
We need an interface to 'transport' reverse zone information; now only nameserver attributes but in the future also DNSSec key attributes.
This is a very good point. However, I am not sure whether it is a good idea to overengineer a solution for a thing that we possibly might be doing in the future. I can probably be convinced if there is actually a concrete project plan that we can discuss for adding DNSsec.
Our "philosophy" when drawing this proposal is to provide our customers with uniform interfaces to deal with the RIPE NCC. By having one data-store, that comes with authorization mechanisms and a well defined API we are able to develop multiple interfaces to it; currently we have a mail and a network interface to the WHOIS database, web-portal functionality is being extended.
I think myself that using the database is probably the right way to do it but I am not really sure either. I do think that a bit more discussion on this list will help to determine that this is really the case. Doing a reverse delegation is a relatively easy transaction and the proposal that is currently on the table adds a tremendous amount of extra complexity to the database and the request process. I am not convinced that there are no alternate ways to make the life of the users easier (that can or cannot include the database). Doing the reverse delegation over a secure webinterface where one only has to choose for which allocation the reverse delegation has to be changed and entering a couple of servers comes to mind. I am afraid, despite my fondness for the database, that it will only get into the way of people doing their job. I have seen too many companies deciding that they wanted to have a uniform way of dealing with their company systems and they end up with this beautiful all encompassing SAP (or whatever other vendors) system and people have to become an expert in the system before being able to do relatively easy transactions. For example, simply using the 'rev-srv:' attributes and retiring the 'domain:' objects seems a lot easier for the user. Yes, there is the disadvantage of different administative responsibilities inside larger local registries that could make this more difficult in certain cases, but this should balanced against the much greater ease of use. In addition, there are solutions possible that can address this fairly easily like adding a 'mnt-rev-srv:' attribute that allows the 'mntner:' to only change the 'rev-srv:' lines and nothing else. And the good thing is that this is completely optional so it doesn't interfere with people who want to do it the easy way. David K. ---
David and others, David wrote:
As you saw from my previous mail, if we decide to go the 'domain:' object way, let's get rid of the 'rev-srv:' attribute at the same time. I would like that to be part of the proposal.
This whole 'rev-srv:' versus 'domain:' confusion has already lasted for such a long time that it is time to clear it up.
I agree "Clarity good, Confusion bad". I have not yet had the change to study all implications of getting rid of the "rev-srv:". But we'll look at this and get back on this issue; probably in the clean-up proposal that is to follow or in a separate proposal. David wrote:
Ok, but as you mentioned this gives problems with PGP. This is in my opinion a serious problem since this is the only real secure way to enter data in the database. Security is even more important if we use the data for actual operational purposes instead of informational purposes in contrast to all other registry data (with the exception of the routing registry part of the database). It is a real change from current procedures to use something from the RIR database for real operational purposes.
I may not have explicitly mentioned this but in the new system PGP will work in combination with the "range" update. (Technical detail, now the authorization checks are done after the objects have been split and individually processed, in the future the authorization check will be done first and then the objects are split to to further checks). Note also that not only PGP will work with the proposed setup but users will be able to use the consistent authorization model of the RIPE DB. As for using WHOIS directly to generate zone information, you hit the nail on the head, this is a real change. However, we currently use the domain objects to maintain reverse delegations. Those domain objects do end up in the database while simultaneously updating zone files. So if everybody would use the proper interface to update domain objects than we would have full consistency. So when implementing the proposal we loose the ambiguity in the update path, we get consistent WHOIS and ZONE data. Besides we gain access, and use of new authorization mechanism that become available to the database (e.g. X509).
It is also a departure of our policy of not rewriting users data. I am not sure whether that is a good thing. Rewriting and making a small correction to users input is one thing, expanding from one object to 16 or even more different objects is quite another. Don't be surprised if users are getting confused why they cannot find the range notation objects that they thought they just entered in the database.
I am not in the position to judge if this will be a problem. I hope and think the mechanism of the range update is documented well enough that users will know that the range update is "synthesizing multiple updates". Olaf wrote:
We need an interface to 'transport' reverse zone information; now only nameserver attributes but in the future also DNSSec key attributes.
David replied:
This is a very good point. However, I am not sure whether it is a good idea to overengineer a solution for a thing that we possibly might be doing in the future. I can probably be convinced if there is actually a concrete project plan that we can discuss for adding DNSsec.
The proposal as such stands on its own. Ideas on DNSSEC deployment are a motivation to go this way but are not the main driving force behind it. Having said this, here are the requirements for DNSSec key-exchanges. - Initial key exchange needs to happen out of band. - The authorization mechanisms use during the key exchange will need to be as strong as the authorization used for the exchange of nameserver attributes. A less strict requirement: - There is a preference to maintain a database with key information. (A hash over the key ends up in the parent zone, during trouble shooting it may be handy to figure out what the key material was used to generate the hash). All these requirements are fulfilled when we use the domain object to store key information and adding DNSSEC capabilities to our provisioning system will be a matter of weeks, allowing for rollout soon after standards have been completed. Note that we will still be able to deploy DNSSEC with a key-attribute in a domain object and using auto-inaddr/Marvin (Marvin is the robot in the back-end) however with the in-addr robot and the WHOIS database not being tightly integrated we will get more and more inconsistencies. The proposal is to make sure there is one update path for domain objects that leads to consistent zone information; that is independent of deployment of DNSSEC or not. David wrote:
I think myself that using the database is probably the right way to do it but I am not really sure either. I do think that a bit more discussion on this list will help to determine that this is really the case.
Reading and open to suggestions see however the next point.
Doing a reverse delegation is a relatively easy transaction and the proposal that is currently on the table adds a tremendous amount of extra complexity to the database and the request process. I am not convinced that there are no alternate ways to make the life of the users easier (that can or cannot include the database).
There might be other mechanisms. But our requirements for the current proposal were minimal changes to the end-user and minimizing the amount of different back-end databases we have to maintain. It is hard to put hard numbers on these things but less complicated systems lead to less costs.
Doing the reverse delegation over a secure web interface where one only has to choose for which allocation the reverse delegation has to be changed and entering a couple of servers comes to mind.
As said above and in the previous mail, the DB group is developing various interfaces to the WHOIS database. Piggy-backing on those developments that kind of interface becomes real close.
I am afraid, despite my fondness for the database, that it will only get into the way of people doing their job. I have seen too many companies deciding that they wanted to have a uniform way of dealing with their company systems and they end up with this beautiful all encompassing SAP (or whatever other vendors) system and people have to become an expert in the system before being able to do relatively easy transactions.
For example, simply using the 'rev-srv:' attributes and retiring the 'domain:' objects seems a lot easier for the user. Yes, there is the disadvantage of different administative responsibilities inside larger local registries that could make this more difficult in certain cases, but this should balanced against the much greater ease of use. In addition, there are solutions possible that can address this fairly easily like adding a 'mnt-rev-srv:' attribute that allows the 'mntner:' to only change the 'rev-srv:' lines and nothing else. And the good thing is that this is completely optional so it doesn't interfere with people who want to do it the easy way.
It strikes me that this example as remarkable similarity to the current proposal. Both use the DB for storage of reverse information and both use a new attribute to delegate authorization for updating specific information. Most users have been using domain objects for years. I am not sure if deprecating those in favor of reviving "rev-srv:" is something those users are waiting for. -- Olaf ---------------------------------| Olaf M. Kolkman ---------------------------------| RIPE NCC
Olaf, On Wed, Oct 08, 2003 at 11:50:56AM +0200, Olaf M. Kolkman wrote:
David wrote:
As you saw from my previous mail, if we decide to go the 'domain:' object way, let's get rid of the 'rev-srv:' attribute at the same time. I would like that to be part of the proposal.
This whole 'rev-srv:' versus 'domain:' confusion has already lasted for such a long time that it is time to clear it up.
I agree "Clarity good, Confusion bad". I have not yet had the change to study all implications of getting rid of the "rev-srv:". But we'll look at this and get back on this issue; probably in the clean-up proposal that is to follow or in a separate proposal.
very good.
I may not have explicitly mentioned this but in the new system PGP will work in combination with the "range" update. (Technical detail, now the authorization checks are done after the objects have been split and individually processed, in the future the authorization check will be done first and then the objects are split to to further checks). Note also that not only PGP will work with the proposed setup but users will be able to use the consistent authorization model of the RIPE DB.
That is exactly why I think the RIPE database might be a good place. However, if we use 'rev-srv:' attributes instead of 'domain:' objects, we can still use this model without the need to rewrite users data.
As for using WHOIS directly to generate zone information, you hit the nail on the head, this is a real change.
And an important one. Not all database security mechanisms in use are good enough for this new purpose. They might be good enough for publishing data for informational purposes, they are not good enough to make actual changes to configurations.
However, we currently use the domain objects to maintain reverse delegations. Those domain objects do end up in the database while simultaneously updating zone files. So if everybody would use the proper interface to update domain objects than we would have full consistency. So when implementing the proposal we loose the ambiguity in the update path, we get consistent WHOIS and ZONE data. Besides we gain access, and use of new authorization mechanism that become available to the database (e.g. X509).
Yes, that is certainly useful. However, we would also get full consistency if we got rid of both 'domain:' and 'rev-srv:' attributes and use a simple specialized interface to do reverse delegations. The DNS is already a fully public database. There is no need to keep the data in yet another backend database or publish it in more than one place. I think the focus should be on the people who use the interface: we need to choose the most simple and easy way for the user to get the job done. The goal is not to make a complicated interface and declare victory because we have reached data consistency!
It is also a departure of our policy of not rewriting users data. I am not sure whether that is a good thing. Rewriting and making a small correction to users input is one thing, expanding from one object to 16 or even more different objects is quite another. Don't be surprised if users are getting confused why they cannot find the range notation objects that they thought they just entered in the database.
I am not in the position to judge if this will be a problem. I hope and think the mechanism of the range update is documented well enough that users will know that the range update is "synthesizing multiple updates".
Rewriting users data is messy and should be avoided if there is other alternatives available. There is all kind of possible problems that one can come up with and you will find more when you start doing this in practise. To give another example: - Somebody sends in: 3-10.193.in-addr.arpa - Next, requests a change to: 4.193.in-addr.arpa - Next, somebody requests a deletion of: 3-10.193.in-addr.arpa Should the deletion fail since 3-10.193.in-addr.arpa is actually many different objects and one of them is not the same anymore so in fact there is really two sets of different objects ?!? This kind of things can be solved by applying (or implying) more rules and this will result in making life more difficult for the casual database user because one has to go first to a three week training class before one is able to interact properly with the RIPE database.
David wrote:
I think myself that using the database is probably the right way to do it but I am not really sure either. I do think that a bit more discussion on this list will help to determine that this is really the case.
Reading and open to suggestions see however the next point.
Doing a reverse delegation is a relatively easy transaction and the proposal that is currently on the table adds a tremendous amount of extra complexity to the database and the request process. I am not convinced that there are no alternate ways to make the life of the users easier (that can or cannot include the database).
There might be other mechanisms. But our requirements for the current proposal were minimal changes to the end-user and minimizing the amount of different back-end databases we have to maintain. It is hard to put hard numbers on these things but less complicated systems lead to less costs.
And that is exactly my problem with it. I don't think that the 'minimal changes to the end-user' is the right requirement. The right requirement is to make things as easy as possible for your customers. Doing reverse delagations with 'rev-srv:' attributes seems a lot easier to me (I prefer this option). There is no need to rewrite objects. And one can reverse delegate whole blocks at once by doing a single simple submission without a need to learn any complications like 'range' notations for domain objects. But as an alternative, I think not using the RIPE database at all can possibly be even easier (and there is no need to have multiple backend databases either, the DNS works just fine for that). And there are pretty good arguments for this too: the database allows one to submit objects that are lower in the delegation tree and they will be ignored because there are already delegations in another part of the tree. This points in the direction that neither 'inetnum:' objects or 'domain:' objects are the right datamodel to this. Again, this can solved by adding rules, but it adds complexity and in the mean time, the user will be confused because the user didn't read the 50 page database manual before requesting the reverse delegation.
For example, simply using the 'rev-srv:' attributes and retiring the 'domain:' objects seems a lot easier for the user. Yes, there is the disadvantage of different administative responsibilities inside larger local registries that could make this more difficult in certain cases, but this should balanced against the much greater ease of use. In addition, there are solutions possible that can address this fairly easily like adding a 'mnt-rev-srv:' attribute that allows the 'mntner:' to only change the 'rev-srv:' lines and nothing else. And the good thing is that this is completely optional so it doesn't interfere with people who want to do it the easy way.
It strikes me that this example as remarkable similarity to the current proposal. Both use the DB for storage of reverse information and both use a new attribute to delegate authorization for updating specific information.
Of course there is a lot of similarity because they are trying to accomplish the same thing. But only one of the proposals is the easiest and least complicated to use.
Most users have been using domain objects for years. I am not sure if deprecating those in favor of reviving "rev-srv:" is something those users are waiting for.
Yes, but did they have a choice ?!? They had to submit 'domain:' objects to get their reverse delegations done. No wonder they are more up to date (but still far from correct) than the 'rev-srv:' attributes. Again, the requirement is what works easiest for your customer, it is not: 'let's keep doing it the old way because people are used to it'. I think it is time for me now to take a step back and watch what other people like as the best solution. David K. ---
In article <20031008145711.C7178@iprg.nokia.com>, David Kessens <david@iprg.nokia.com> wrote:
[...]
However, we currently use the domain objects to maintain reverse delegations. Those domain objects do end up in the database while simultaneously updating zone files. So if everybody would use the proper interface to update domain objects than we would have full consistency. So when implementing the proposal we loose the ambiguity in the update path, we get consistent WHOIS and ZONE data. Besides we gain access, and use of new authorization mechanism that become available to the database (e.g. X509).
Yes, that is certainly useful. However, we would also get full consistency if we got rid of both 'domain:' and 'rev-srv:' attributes and use a simple specialized interface to do reverse delegations. The DNS is already a fully public database. There is no need to keep the data in yet another backend database or publish it in more than one place.
I beg to differ. The redundancy in the database is needed for us operators. If you were right, we could drop all the IRR databases, sice the bgp table is a fully public database. That's fine as long as no errors happen, but error do happen so we need some out-of-band method to know how it should look like and whom to cantact if it doesn't. A quick example: let's assume that the nameservers for iprg.nokia.com and nokia.com are all lame delegations. Who'e the right contact to fix this? Since they are all lame, I can't retrieve the RNAME in the SOA. I guess I could get the RNAME of .com, but contacting nstld@verisign-grs.com would certainly not solve the problem.
I think the focus should be on the people who use the interface: we need to choose the most simple and easy way for the user to get the job done. The goal is not to make a complicated interface and declare victory because we have reached data consistency!
It's not getting more complicated. You already have to submit a domain object to get a reverse delegation. In fact it's getting easyer since you don't have to remember that this object has go to auto-inaddr@ripe.net. It's an ripe database object, so auto-dbm@ripe.net seems to be the natural choice.
[...] To give another example:
- Somebody sends in: 3-10.193.in-addr.arpa - Next, requests a change to: 4.193.in-addr.arpa - Next, somebody requests a deletion of: 3-10.193.in-addr.arpa
Should the deletion fail since 3-10.193.in-addr.arpa is actually many different objects and one of them is not the same anymore so in fact there is really two sets of different objects ?!?
Try again, this time with inetnums and rev-srv. What's the meaning of rev-srv on a /20 followed by a more specific /24 followed by the less specific /20? The problem space is exactly the same. Joerg
Joerg, On Thu, Oct 09, 2003 at 01:56:29AM +0000, Joerg Schumacher wrote:
Yes, that is certainly useful. However, we would also get full consistency if we got rid of both 'domain:' and 'rev-srv:' attributes and use a simple specialized interface to do reverse delegations. The DNS is already a fully public database. There is no need to keep the data in yet another backend database or publish it in more than one place.
I beg to differ. The redundancy in the database is needed for us operators. If you were right, we could drop all the IRR databases, sice the bgp table is a fully public database.
I happen to be an operator too :-). I very carefully talked about the reverse delegation 'domain:' and 'rev-srv:' data only. I never said that IRR databases should be dropped. When the DNS is unable to provide you with a contact, the 'inetnum:' objects are still there and it gives you quite a few contacts to talk to in case of problems. If people feel that that is not enough, you could always introduce a 'reverse-contact:' attribute. Note that my preferred solution is to use 'rev-srv:' attributes which actually keeps all the reverse information in the database. I just wanted to point out that there are other alternatives that could also be considered. When changing the systems anyways, it is always a good idea to take a step back and look with an open mind whether the current process actually accomplishes the goal in the most efficient way. Of course we can make incremental improvements but sometimes a lot of the problems with the current process go away by taking a different direction.
That's fine as long as no errors happen, but error do happen so we need some out-of-band method to know how it should look like and whom to cantact if it doesn't.
A quick example: let's assume that the nameservers for iprg.nokia.com and nokia.com are all lame delegations. Who'e the right contact to fix this? Since they are all lame, I can't retrieve the RNAME in the SOA. I guess I could get the RNAME of .com, but contacting nstld@verisign-grs.com would certainly not solve the problem.
This example is not about reverse domains. As said before, there are still plenty of contacts to be found in the 'inetnum:' object in the RIPE database and additional contact information could be added if people wish so.
I think the focus should be on the people who use the interface: we need to choose the most simple and easy way for the user to get the job done. The goal is not to make a complicated interface and declare victory because we have reached data consistency!
It's not getting more complicated. You already have to submit a domain object to get a reverse delegation. In fact it's getting easyer since you don't have to remember that this object has go to auto-inaddr@ripe.net. It's an ripe database object, so auto-dbm@ripe.net seems to be the natural choice.
I agree. I think overall it is preferrable to use the 'auto-dbm@ripe.net' interface. But I do think that the process would work a lot better if we used 'rev-srv:' attributes instead of 'domain:' objects. At the same time, I think it is good to mention and study some other alternatives in order to get a better understanding of the problem that needs to be solved.
Should the deletion fail since 3-10.193.in-addr.arpa is actually many different objects and one of them is not the same anymore so in fact there is really two sets of different objects ?!?
Try again, this time with inetnums and rev-srv. What's the meaning of rev-srv on a /20 followed by a more specific /24 followed by the less specific /20? The problem space is exactly the same.
No, the drawback that I was talking about was an example of how rewriting of user data is eventually going to cause confusion because it is not clear anymore whether the 'range' notation object that the user submitted is the real object or the objects that eventually get written in the database. You talk about another drawback with objects lower in the tree that get ignored and are confusing to the user. I actually already mentioned that drawback in my previous mail and it is indeed the same for 'rev-srv:' or 'domain:' based solutions but non-existant for solutions that don't use the RIPE database. Some more intelligence in the database software could probably help here too. Thanks for your comments - I do think this discussion helps people to better understand the disadvantages and advantages of the different approaches. David K. ---
In article <20031006121932.A4658@iprg.nokia.com>, David Kessens <david@iprg.nokia.com> wrote:
On Mon, Oct 06, 2003 at 03:58:13PM +0200, Olaf M. Kolkman wrote:
[...] the "rev-srv:" attribute has been retired for the purpose of requesting reverse delegation. E.g see: http://www.ripe.net/ripencc/faq/reverse/qa2.html#14: [...]
As you saw from my previous mail, if we decide to go the 'domain:' object way, let's get rid of the 'rev-srv:' attribute at the same time. I would like that to be part of the proposal.
Seconded.
This whole 'rev-srv:' versus 'domain:' confusion has already lasted for such a long time that it is time to clear it up.
IIRC, Marvin only accepts domain objects for the last couple of years. The FAQ asks kindly to remove the rev-srv lines, but I guess no one really cares. Let's get rid of them in the cleanup process. Regards, Joerg
In article <20031006121932.A4658@iprg.nokia.com>, David Kessens <david@iprg.nokia.com> wrote:
[...] For example, simply using the 'rev-srv:' attributes and retiring the 'domain:' objects seems a lot easier for the user. [...]
The RIPE NCC delegates reverse domains on /24 and /16 boundaries only so they don't match inetnum objects very well. The 'rev-srv' might seem to be easier, but thats only true for /16 allocs. rev-srv on e.g. a /29 are meaningless and should go away. Same holds true for a rev-srv on a /24 within a /16. Regards, Joerg
In article <20031006121932.A4658@iprg.nokia.com>, David Kessens <david@iprg.nokia.com> wrote:
[...] I think myself that using the database is probably the right way to do it but I am not really sure either. I do think that a bit more discussion on this list will help to determine that this is really the case.
Doing a reverse delegation is a relatively easy transaction and the proposal that is currently on the table adds a tremendous amount of extra complexity to the database and the request process. I am not convinced that there are no alternate ways to make the life of the users easier (that can or cannot include the database).
Doing the reverse delegation over a secure webinterface where one only has to choose for which allocation the reverse delegation has to be changed and entering a couple of servers comes to mind.
I am afraid, despite my fondness for the database, that it will only get into the way of people doing their job. I have seen too many companies deciding that they wanted to have a uniform way of dealing with their company systems and they end up with this beautiful all encompassing SAP (or whatever other vendors) system and people have to become an expert in the system before being able to do relatively easy transactions. [...]
I think David has a valid point here: We should discuss the differnent possible interfaces to the RIPE NCC services. IMHO we have to camps: 1) the webinterface folks 2) the mailinterface folks I think that RIPE NCC should support both camps. The occasional user of the services will certainly welcome a simple webinterface. The LIR Portal (https://lirportal.ripe.net/) could be extended for this camp. Reverse delegations are certainly an example of only occasionally needed services. The regular user won't be happy with a webinterface, since automation isn't as easy as with the mailinterface. An example for a regular task is the "Provider Aggregatable (PA) Assignment Request Form". While the LIR Portal already reflects the current ripe-283, I don't see a new autohm in ftp://ftp.ripe.net/ripe/tools/ Supporting two different interfaces to the same service doesn't come for free, but I think it's worth the trouble (and money). Regards, Joerg
Hi!
IMHO we have to camps:
1) the webinterface folks 2) the mailinterface folks
I think that RIPE NCC should support both camps. [...] Supporting two different interfaces to the same service doesn't come for free, but I think it's worth the trouble (and money).
From what I learned, supporting two different interfaces allows for very subtle bugs and annoyances, which ultimatly lead to effects like "you can do this only with that interface" or "If you do this with that interface, something different will happen compared to that other interface".
Having *one* way, and having this way consistently, is far easier to support. I vote for mail. -- MfG/Best regards, Kurt Jaeger 17 years to go ! LF.net GmbH fon +49 711 90074-23 pi@LF.net Ruppmannstr. 27 fax +49 711 90074-33 D-70565 Stuttgart mob +49 171 3101372
Summary of the discussion on the Reverse DNS Restructuring Project proposal. Wednesday October 1, We posted a message [1] requesting feedback on a proposal for restructuring our reverse DNS setup [2]. During the discussion a few minor technical details where raised and clarified. The main focus was on the use of the INETNUM's 'rev-serv:' attribute to carry the information about to which servers reverse zones need to be delegated. The rev-serv: attribute in the INETNUM object has historically been the method to express reverse delegation information. However, delegation information has been carried through the DOMAIN object since 199?. The request to investigate the use for "rev-serv:" for carrying reverse delegation information has been dully noted. Both approaches were analyzed and both have pros and cons depending on a use case. Also we have seen little to no support for the request to use "rev-serv:" and since we feel that the changes to the system should have a minimal effect on the day-to-day operations of our customers we have chosen to go forward with the DOMAIN object to carry delegation information. The existence of both a "rev-serv:" and a DOMAIN object is seen as confusing. Because of the historic use of the "rev-serv:" attribute there will be consequences during the "cleanup" phase of the project. This is because some data in the reverse zones has existed for years and there are no DOMAIN object for these delegations while there are "rev-serv:" attributes for the corresponding INETNUM. Bruce Campel [3] did some research on the "cleanup" effort and from his analysis it is clear that most of the data in the DNS zone files is covered by DOMAIN objects, but that some effort is needed to deal with 'old' delegations that only have a "rev-serv:" attribute. We are continuing our efforts on this project. A proposal for the MNT_DOMAIN authorization method, a proposal for cleanup and a proposal to deprecate "rev-serv:" are forthcoming. We would like to thank those who provided feed-back on the proposal. --Olaf ---------------------------------| Olaf M. Kolkman ---------------------------------| RIPE NCC References: [1] Original announcement: http://www.ripe.net/ripe/mail-archives/ncc-services-wg/2003/msg00312.html [2] The proposal http://www.ripe.net/reverse/proposal.html [3]:http://www.ripe.net/ripe/mail-archives/ncc-services-wg/2003/msg00348.html
participants (10)
-
Bruce Campbell -
Daniel Karrenberg -
Daniel Roesen -
David Kessens -
Gert Doering -
Hank Nussbacher -
Kurt Jaeger -
Olaf M. Kolkman -
Peter Koch -
schuma@gaertner.de