[NCAP-Discuss] Comparison of Proposed Alerting and Data Collection Techniques

Casey Deccio casey at deccio.net
Wed Nov 9 17:52:24 UTC 2022


> On Nov 9, 2022, at 10:24 AM, Matt Larson <matt.larson at icann.org> wrote:
> 
>> On Nov 9, 2022, at 10:09 AM, Jeff Schmidt via NCAP-Discuss <ncap-discuss at icann.org> wrote:
>> 
>> Hia – I was referring to the technical conversation on the dns-operations list circa this past spring where both standards-compliant and non-standards-compliant technical approaches were being debated. There are pluses and minuses. The NCAP document and Casey's document don't contain sufficient detail to determine the exact implementation variety currently being promoted (or if they do I missed it).
>>  
>> It sounds like the current thinking is a properly formatted empty zone with COTS authoritative server software (no server modification changes required) hosting a proper and complete empty zone. The root delegation would be typical. I think there would be a change in behavior wrt NXD vs NODATA in some narrow cases, but yeah it seems that would be standards compliant. If you could post the template of the actual zone you’re proposing be hosted that would be illustrative.
> 
> The PCA configuration is not clear based on the current text in the Study 2 draft <https://docs.google.com/document/d/1oPmy0MVRcqkjOzh-OvJRMomYc76TYxvQSXjbEG8LV9w/edit>. On p. 31:
> 
>> With PCA, each applied-for string will be delegated in the root and point, with all appropriate glue records, to an authoritative name server for that TLD. The authoritative name server will return NXDOMAIN wherever possible and log the DNS queries.
> 
> And a bit later:
> 
>> This new TLD delegation and empty zone configuration is intended […]
> 
> So maybe one could infer an empty zone from the current text, but it’s not obvious. Jeff’s point that different options for implementing PCA were discussed is entirely valid.
> 
> On a related note, I remain concerned that PCA and especially ACA are not well specified in the document. There is nowhere near sufficient detail. For ACA, the report needs to specify exactly which ports will allow connections, and the exact semantics of each protocol that is offered on those ports. Client applications can be expected to behave differently, potentially significantly differently, depending on how the ACA server behaves.
> 
> This group cannot reasonably propose PCA and ACA without a rigorous description of exactly how they would be implemented, or it will be impossible for someone to evaluate their potential impact.


I completely agree with this assessment.  And to be clear (and as I mentioned previously) the comparison doc does not attempt to *specify*--at least not as its primary purpose.  However, in some places (e.g., passive collision assessment) it clearly makes some assumptions, which might or might not be correct.  In other places, it makes no assumptions.  For example, with active collision assessment, it discusses user experience and security issues with various ports and applications.

Casey
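As an added illustration for readers of this thread (it is not part of the original message, the NCAP Study 2 draft, or any name server implementation), the following Python model shows how an unmodified authoritative server would answer queries against a minimal empty TLD zone of the kind Jeff describes. The zone template is constructed for this example: "example" is a placeholder for an applied-for string and the address is from the RFC 5737 documentation range. The model makes the NXDOMAIN-versus-NODATA distinction concrete: names below the apex that do not exist get NXDOMAIN, but the apex itself (and any in-zone name server name) does exist, so queries for other types there get NOERROR with an empty answer (NODATA) rather than NXDOMAIN. "REFUSED" stands in for "not authoritative for this name"; how a real server answers out-of-zone queries is implementation- and configuration-dependent.

```python
# Added example: model of how an unmodified authoritative server answers
# from a minimal "empty" TLD zone.  Hypothetical template: "example" is a
# placeholder for an applied-for string, 192.0.2.1 is an RFC 5737 address.
EMPTY_ZONE_TEMPLATE = """\
$ORIGIN example.
$TTL 3600
@    IN  SOA  ns1.example. hostmaster.example. 2022110901 7200 3600 1209600 3600
@    IN  NS   ns1.example.
ns1  IN  A    192.0.2.1      ; in-zone name server, so the root needs glue for it
"""


def parse_zone(text):
    """Parse a simple one-record-per-line zone file into (origin, {owner: {type: [rdata]}})."""
    origin = None
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$TTL"):
            continue                             # TTL does not affect response codes
        owner, _cls, rtype, *rdata = line.split()
        if owner == "@":
            name = origin
        elif owner.endswith("."):
            name = owner.lower()
        else:
            name = f"{owner.lower()}.{origin}"   # relative owner, append origin
        records.setdefault(name, {}).setdefault(rtype.upper(), []).append(" ".join(rdata))
    return origin, records


def classify(zone, qname, qtype):
    """Return how the server answers a query: NOERROR (answer present),
    NODATA (rcode NOERROR, empty answer section), NXDOMAIN, or REFUSED
    when the name lies outside the zone the server is authoritative for."""
    origin, records = zone
    qname = qname.lower().rstrip(".") + "."      # normalise to a fully qualified name
    qtype = qtype.upper()
    if qname != origin and not qname.endswith("." + origin):
        return "REFUSED"
    rrsets = records.get(qname)
    if rrsets is None:
        # A name with nothing at it but names below it is an empty non-terminal
        # and still "exists", so it gets NODATA; anything else below the apex
        # does not exist and gets NXDOMAIN.
        return "NODATA" if any(n.endswith("." + qname) for n in records) else "NXDOMAIN"
    return "NOERROR" if qtype in rrsets else "NODATA"


def survey(zone, queries):
    """Tally how a batch of (qname, qtype) queries would be answered."""
    counts = {}
    for qname, qtype in queries:
        rc = classify(zone, qname, qtype)
        counts[rc] = counts.get(rc, 0) + 1
    return counts


# Constructed sample of queries such a server might see and log.
SAMPLE_QUERIES = [
    ("example", "SOA"), ("example", "NS"), ("example", "A"),
    ("ns1.example", "A"), ("ns1.example", "AAAA"),
    ("www.example", "A"), ("mail.corp.example", "MX"),
    ("example.com", "A"),
]

if __name__ == "__main__":
    zone = parse_zone(EMPTY_ZONE_TEMPLATE)
    for qname, qtype in SAMPLE_QUERIES:
        print(f"{qname:20} {qtype:5} -> {classify(zone, qname, qtype)}")
    print(survey(zone, SAMPLE_QUERIES))
```

The point of the model is that "return NXDOMAIN wherever possible" is not the same as "return NXDOMAIN for everything": a standards-compliant empty zone must still answer SOA and NS at the apex, and the apex and the in-zone name server name produce NODATA for other types. Those are the narrow cases Jeff refers to, and anyone evaluating PCA's impact on clients needs them spelled out. The model ignores DNSSEC, TCP behaviour, and the root-side glue, which a real specification would also have to cover.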