Re: [Add] Paul Wouters' Discuss on draft-ietf-add-resolver-info-12: (with DISCUSS)
tirumal reddy <kondtir@gmail.com> Mon, 01 April 2024 12:30 UTC
Return-Path: <kondtir@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 161C2C14F6BF; Mon, 1 Apr 2024 05:30:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LDNwA8b8Z6Sj; Mon, 1 Apr 2024 05:30:52 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FB10C14F6BD; Mon, 1 Apr 2024 05:30:52 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-56bfc6db4ccso207065a12.0; Mon, 01 Apr 2024 05:30:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711974650; x=1712579450; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=I9lAibzzvGCDEkiVPAxSbe4KvSsTos8mACJ7AJSWn3A=; b=iZo6Lo/az6S2WY45tRpGfxErUzch28a4pQQonghZzM3q2Grg7tyeBjE16ZBl6EHlH7 qULrGm9F2mnldkyK6NEQfe1qwfNDWSIGSeP+jCb5oNMuv72Hdldly61M54/2xIYF92yg ue9z6voTBMnmogu9R3S2R30gs/W2+fRyVFYWdsX9w3SZSLw7bogF/sCjP3o/L9xXah+t gdJknOUxEYE/2N80EhdiGJOLfBWxSAdyJrVpe39AYfOp1LceNUJpsoDmq2ekkPhTs1Wh gxmR95QthZbs2mvwmkluN5M40NtF1Fqs3+taXCkGhm7oFVM7sX4dZyxTFIugA4WXFpqb ej8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711974650; x=1712579450; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=I9lAibzzvGCDEkiVPAxSbe4KvSsTos8mACJ7AJSWn3A=; b=UPs9lsKtXcgSg4AWmB+P+Tc1ntVGutZDfxFy5Del0LeSLLqwct1BYWxge3o89bEDMN Fe2h4E4UgvN4UJK78uLSf6ro5uK5i9VQ8YRpnjjfls4O7XY0v0h3f2MyF+qPMyluMVlv KjZa6XtUQOvbcRhhDGxeMW9fXao3NmxuBkUirkgWcyUHP+FVvLo7GNYcGizB3Ep+6mXx qLqilXdsDKddjJScWm+2pl7Z2zLbz7OhtM/tTl3nRlfxFGKLtIDB7AnRcb0Oz/kxR74w zDcrupggpNNJcNZaTjGMu/vWP2Xt2DLNO+WPZ53vARhfFbdMoYDpTVXLj3DTHNtlUp3X 79Aw==
X-Forwarded-Encrypted: i=1; AJvYcCWwulBzXowdaqPEtRI9Lae3/7LK1YgGYv3f0le9KEs3RC11PEKP1bG1VlLn32KXokb/L+lFp6lrZvgyeni2Bp3ooNiSLx2taTGor/wEVh3QoJvC/djY9nOet0DlMZ93fJBoFmJ0wNs6Cfv4QQZz+6Nelh3BxDWgU+k=
X-Gm-Message-State: AOJu0Yyz9HU151x656UoWIUjRQikU8LFaId4+40+xEnj4ASt6ldA/Zy2 TwzgPb0a9VWOUCThvXNl0gs2VmZz0l9dwcpgcmlSTicy3ZWdlOUnIiClYUdQ3HR1f+ecE7nbmnR LNn5s/05n5Qk88gqhsyHmWYuz7Q4+U5Co
X-Google-Smtp-Source: AGHT+IF1WsW/omV0D2hugyJLirWizsOrc7wT6WlSa71mCeHXvgtKaiTNpzPwQdyft1FYd1B2VYjIU9426ceHMyyEZAI=
X-Received: by 2002:aa7:cc17:0:b0:56b:ebe4:203 with SMTP id q23-20020aa7cc17000000b0056bebe40203mr5838209edt.1.1711974650259; Mon, 01 Apr 2024 05:30:50 -0700 (PDT)
MIME-Version: 1.0
References: <171184989711.29383.9811877433419506782@ietfa.amsl.com>
In-Reply-To: <171184989711.29383.9811877433419506782@ietfa.amsl.com>
From: tirumal reddy <kondtir@gmail.com>
Date: Mon, 01 Apr 2024 18:00:13 +0530
Message-ID: <CAFpG3gdGMgv6H=CkVLvwk=EBXQBFWXfwSbbC-M1z0P_kqukF2w@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: The IESG <iesg@ietf.org>, draft-ietf-add-resolver-info@ietf.org, add-chairs@ietf.org, add@ietf.org, tojens@microsoft.com
Content-Type: multipart/alternative; boundary="000000000000e4afff061508287e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/-QcPLXYf1UYzxOdl3uF8cRvoNcw>
Subject: Re: [Add] Paul Wouters' Discuss on draft-ietf-add-resolver-info-12: (with DISCUSS)
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2024 12:30:56 -0000
Hi Paul, Thanks for the review. Please see inline On Sun, 31 Mar 2024 at 07:21, Paul Wouters via Datatracker <noreply@ietf.org> wrote: > Paul Wouters has entered the following ballot position for > draft-ietf-add-resolver-info-12: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-add-resolver-info/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > > In general, I am not sure what this document wants to achieve. > > It states: > > DNS clients can use the resolver information to identify the > capabilities of DNS resolvers. > > It then defines qnamein, exterr and infourl. The latter should not be used > by the DNS client. So what should a DNS client do with the information > that QNAME Minimalization is used, or that the DNS resolver code base > supports EDE (but EDE might not be in use anyway). What behavioral > change is expected from "DNS Clients" that are targeted by this document? > If no change in behavior is expected, why should a DNS client support and > perform this query? > The specific policy on how the client will use the discovered resolver information is outside the scope of ADD WG charter. Hence, the behavior change expected from DNS clients is not explicitly defined. For instance, the client may give higher precedence to a resolver that offers QNAME minimization versus a resolver that does not support it. Another example, could be the client could notify the end-user that the resolver will perform filtering (e.g., EDE codes 4 and 16). This notification can help to inform the end-user and client about the resolver's error handling capability. > > > Furthermore, none of the answers can be trusted without some form of > enterprise provisioning. > No, browsers can be pre-configured with trusted recursive resolvers offered by ISPs. > Why inform the resolver is using qname minimalization? What makes this > optional special, compared to other things like 0x20 support, the infra-rr > hardering support, DNSSEC support? Why is it not providing keywords for > DoH or DoT or DoQ support? Why not show what normally would be in the > CHAOS version.bind data like dns implementation name and version? > The WG has agreed on the three attributes and a registry is added with specification required as the registry procedure to add new attributes in future specifications. > > If the DNS client would behave differently based on the setting of > qnamein, what would it be and how would it determine the security of > the returned value (eg why wouldn't the target DNS resolver just lie to > cause the DNS Client to do whatever behavior it does differently when > it sees qnamein?). If this is meant only for administrators doing DNS > diagnostics, why not ONLY return an infourl and have qnamein and exterr > contained in infourl, or even more keywords based on a DNS yang model > list of keywords? > > What is the DNS Client expected to do with the exterr values returned? > What does "supported" mean, eg versus "configured". It means the DNS server is configured to return the exterr values. we will replace "supported" with "configured" for clarity. > What different > DNS Client behavior is expected based on this value? > > The "infourl" seems a bit risky. While the documents tries to limit > the impact, I don't understand its approach. > The "infourl" is typically meant for IT staff for troubleshooting purposes. > > Why insist on "https" ? It's a public API that anyone that can query > the nameserver can presumably retrieve anyway? That is, I assume such > a infourl would not require HTTP level authentication. I don't see why > it should be forced over https. > Yes, HTTP level authentication is not required. HTTPS was explicitly mentioned to avoid providing the information over insecure HTTP. > > Why is the information presented a text/html and not plaintext ? Or > json? Or yang? This would avoid various risks of exposure to the enduser > which are not meant to consume this anyway according to the document. > > The URL SHOULD be treated only as diagnostic > > Why is that not the case for qnamein and exterr? > Why is that not a MUST? > > A DNS client MAY choose to display the URL to the end user > > Why is this not a MUST NOT ? > > if and only if the encrypted resolver has sufficient reputation > > This is not something an implementer can write code for reading the RFC. > It further more pushes centralization towards "reputable DNS resolvers". > How does the DNS client get updates about the reputable status of a DNS > resolver? > DNS clients, such as web browsers, typically update their trusted recursive resolvers (TRR). The process of updating the TRR can happen through software updates or other automated mechanisms. -Tiru > > I feel just like "captive portals", that this can/will be misused and be > used > for advertisement or other non-DNS purposes. Forcing this to be text/plain > or json/yang would make this "less consumable" to endusers and thus make > them > more safe against abuse. > > In Section 7 it states: > > 1. Establish an authenticated secure connection to the DNS > resolver. > > [...] > > It is important to note that, of these two measures, only the > first one can apply to queries for 'resolver.arpa' > > How can anyone establish a secure authenticated connection to > "resolver.arpa"? > No, the above text is referring to DNR (and not DDR). Cheers, -Tiru > > If they do, either the client has to authenticate it is the real > "resolver.arpa" but then its contents cannot apply (it's something on > the internet, not local) or it authenticates to "something else", in > which case how can that be secure, or if it is secure but populated with > information that validates "starbucks", how meaningful is "authentication" > in this context? > > The section contains another set of "weasel wording" on determining > reputation of the resolver that is not really implementable in code. > > > > > >
- [Add] Paul Wouters' Discuss on draft-ietf-add-res… Paul Wouters via Datatracker
- Re: [Add] Paul Wouters' Discuss on draft-ietf-add… tirumal reddy
- Re: [Add] Paul Wouters' Discuss on draft-ietf-add… mohamed.boucadair
- Re: [Add] Paul Wouters' Discuss on draft-ietf-add… Paul Wouters
- Re: [Add] Paul Wouters' Discuss on draft-ietf-add… tirumal reddy