IETF Logo Mail Archive

Re: [Add] [EXTERNAL] Re: Zone ownership in DNS server discovery

Tommy Jensen <Jensen.Thomas@microsoft.com> Fri, 11 September 2020 19:20 UTC

Return-Path: <Jensen.Thomas@microsoft.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 305F53A1692 for <add@ietfa.amsl.com>; Fri, 11 Sep 2020 12:20:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NP-jqnjr1oSl for <add@ietfa.amsl.com>; Fri, 11 Sep 2020 12:20:37 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640110.outbound.protection.outlook.com [40.107.64.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC5AA3A167F for <add@ietf.org>; Fri, 11 Sep 2020 12:20:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=E80bGSuBS2pZJM3h+I5dxPKwLJBtkbcruC0Eehit1nrur1qX5hLTbeowqeI9SnT7dQLr/Ae6I565N7O89aLKbkYsrJ76nTZRr22NELFOm2izyIyBL03jtVG8AMNp5Ha7MjHNVjoB3cvlAA/Yt5oiOXQTVCEjElJwg5TedXo8VJ777NAXrbFS3X0Gvu3mNNCMziQWhADwC28oKpkUJbPv04Fs1yL6RoAzw1SBiedMgPkHilyhYMkvW/Y7LGZp07eIh2W1rEhe5gWkxDAi1TpZ8bHWGTE6P93uJIXr8CK1zPcHn3Dj0J709aWtBJ8aYPc/S1qfaPx4gfnZsy6albrbgw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rZjINf9dOZErBsI14ucyoan7zjQf6rvms3inVMP98YU=; b=lz1J8w8prmxFGCDe28pHEYd8yTwCVpbVpdH1In+M0GEc6J5szcXjpwakx8Mww9KOQK2EddeGUhL7U1oCCO8ncirgGIWDj5tBPuTBIPhHZkj19NbQqtz0Oy1J5UJWW6B47sQmsb3OQYgXWiwc5QpmM8mq0dANX93tuiQNLmkLlDd9cAX8PR5tABnhrmSUVYvywvF2Lk29ru75CLX3wae52OVPUGBZLqadOqiaqHuoTJ0iFKdNq/SkKPNOF29YpnLY/sFyFYKbaOqli/eeJZwjdUY7IY9iWk/1tlmo9eVKEE9EMLd+QP9H+3M3khinJpMg6ROPe2F1MJKzPnSNi2f2Lg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rZjINf9dOZErBsI14ucyoan7zjQf6rvms3inVMP98YU=; b=J1MCMoUlSduzKMmhtoc1N090oRhZOnmmfEqMWomp7UlFm4eL6/35wis0XEYa8br6I9jG3l+CBjHWbkRWZx69wq5pqpAIpNUw17elyAnCX0J6/5IubKah2LZZvO7juPnGCQRDY7iUivIvzEL8vf7KHhodl53YY5nvWgM6NupVNio=
Received: from (2603:10b6:a03:1d8::23) by BY5PR00MB0705.namprd00.prod.outlook.com (2603:10b6:a03:204::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3415.0; Fri, 11 Sep 2020 19:20:29 +0000
Received: from BY5PR00MB0773.namprd00.prod.outlook.com ([fe80::d4bb:a29b:cc69:d69b]) by BY5PR00MB0773.namprd00.prod.outlook.com ([fe80::d4bb:a29b:cc69:d69b%7]) with mapi id 15.20.3416.000; Fri, 11 Sep 2020 19:20:29 +0000
From: Tommy Jensen <Jensen.Thomas@microsoft.com>
To: Joe Abley <jabley@hopcount.ca>
CC: Jim Reid <jim@rfc1035.com>, ADD Mailing list <add@ietf.org>
Thread-Topic: [EXTERNAL] Re: [Add] Zone ownership in DNS server discovery
Thread-Index: AQHWh4/am/h7uaenCkKmRwGY+HOtU6ljPvuAgACHdtA=
Date: Fri, 11 Sep 2020 19:20:29 +0000
Message-ID: <BY5PR00MB07733C7323567CEBD527DFFCFA241@BY5PR00MB0773.namprd00.prod.outlook.com>
References: <DM6PR00MB07815FC428CDA3F393EF7F95FA271@DM6PR00MB0781.namprd00.prod.outlook.com>, <534F994B-65FC-466B-AFBC-F9D65BCF2B27@hopcount.ca>
In-Reply-To: <534F994B-65FC-466B-AFBC-F9D65BCF2B27@hopcount.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-09-11T19:20:28.882Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard;
authentication-results: hopcount.ca; dkim=none (message not signed) header.d=none;hopcount.ca; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.35.64.46]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 01e1d15c-5b91-40f5-29a1-08d85687beae
x-ms-traffictypediagnostic: BY5PR00MB0705:
x-microsoft-antispam-prvs: <BY5PR00MB0705042B6AFC7A025CB216CFFA241@BY5PR00MB0705.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: y+4Gq8+c3+CXnP5PPtdEUVZZHfnyew5wsOqnW2J+8vSlW/hpylsdkWS+RIl/hKscMZ/HT2sLMjo4LFiwP2FjQDAcZk4EVnuKXXeT+QEImoN1Um4TxBF/2WqFWI5QIGKuPY+9CFJUoMbZcpnp3GlXC8ckrSpcpm6YyN193KrcnpLV3JEoGGMg6fXbWMe3fKtjFQvyZYW/XLwaUoRJP+ZbDKzfeW1EM+51+MiUHylfbUWv8po89FR8U5CtVI8XyZMd9+iavY24n4AOC14YXnh7A5gYajorJ32M9X0Zu0gjPkdCezdxJOfKKpSZbStalBREepLqtEvDq6YkJtvxh7EdV1HHb+xqjNaIDS3UJ8fD7n5GhDq/BB01Jjb7k7uyAmCTVoG2WNxOi4cILgTRtG+f6w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR00MB0773.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(396003)(39860400002)(376002)(136003)(366004)(316002)(7696005)(478600001)(10290500003)(6916009)(33656002)(19627405001)(166002)(26005)(4326008)(186003)(83380400001)(66574015)(82950400001)(82960400001)(54906003)(8676002)(53546011)(66446008)(86362001)(66946007)(966005)(52536014)(6506007)(76116006)(8936002)(66556008)(2906002)(9686003)(55016002)(5660300002)(8990500004)(66476007)(71200400001)(91956017)(64756008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: sy1OPS0S1Evzimgcy2QvMaqNz0M0nBvL6xvEKNCbABSbwif4CVRz30+antL8kW2sGfNvUXyLp5tGq253Xp/17jwbYYrbpCU4vncvoeCbfTbt0SCexj9h34yyKQ3Q0VD9f6/zDlTU6I9jjbKPMUYL0DEBLgHnOm6724YOv/15Mm7tNIAvmsaYvidvNLSLvtDEAscCNjU8qmiALSj15eOaTuqBWQkkl4TcWjPMeP3oa57+mE3QyiZd5q1/aUt08089ebQEHjP/okUEUrZTaTjY/LA9VSOZVoqBO04Z9ZqY3zdYKtwhHEhiH8PyzoeJ/d78eMM2xvdviN0a2xl2fb0glw++Z2SgsQPqflWvlJhXDPrlk+uR9QvjhMuCVxkapx/Y4JoG5FHazX4l8T00xiTQaTp29yr/tfu9iVSv5IA9VEXcakxPOVgCmqGPADMfdZ21s3We3cuh5MOvTBXoJejMCfJ0j9x5UdNdpnSzmhpgftIC5cLLcVrUMp4jhNlEzQQZBGA2TNj3jlPwDpKtW9yDD5BFxutZI997hxGD8txtIh+tBcFNDQGZ9jy9O7E0EGAVyTfam59+iPVg+abdSVZDtKuwtTAOCQUAc2vp5ZhCPLmSuN7xqcQG7nX0Py3giY9HaQu33g6uKCP41WYf0bsJ5g==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_BY5PR00MB07733C7323567CEBD527DFFCFA241BY5PR00MB0773namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR00MB0773.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 01e1d15c-5b91-40f5-29a1-08d85687beae
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2020 19:20:29.1667 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Z0q/P66NZ92YQugz5yFl62bLR4eENlJTFeMa3jg3aUIDbvF0xjuTu+HOHYQgS+2XWjBzv0sZYSKa+wsjWedA4w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY5PR00MB0705
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/7RSd0py1oa_2PIrLOXl_fCFExig>
Subject: Re: [Add] [EXTERNAL] Re: Zone ownership in DNS server discovery
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Sep 2020 19:20:41 -0000

Hey Joe,

I don't think "a resolver that cannot perform all resolution itself" is equivalent to "it has no per-name behavior at all". Stub resolvers such as the one in my product will have a set of resolvers for the general case as well as rules per domain indicating different servers should be used. Examples include names that can only be routed internally ("*.<my-employer>.com") and querying different servers to enable lower cost content loading ("*.<foo-streaming-service>.com", "*.<my-carrier-billing>.com"). I don't think this not-fully-recursive behavior disqualifies client from being stubs.

So to reiterate, I think discovering a DNS server is designated for a set of names is DNS resolver information, and we're chartered to "Define a mechanism that allows communication of DNS resolver information to clients for use in selection decisions". I don't think the definition of "clients" need be as rigid as you claim. I do think the use case discussion is more urgent however so I'll shut up about this for now.

To Vittorio's comments: I think your concern is more related to the policy of implementations, which is not in scope. My point is simply an encrypted DNS server may have name ownership or designation as a property and since clients do use name-based routing logic today already, would find it useful to discover this information. Unlike policy-specific information (ex: "server filters content"), this infromation can be securely defined using existing mechanisms (PKI).

Thanks,
Tommy

================================================

The latest in Windows Internet Protocols:

  Native gRPC support: https://aka.ms/grpcblogpost

  DNS over HTTPS: https://aka.ms/dohblogpost

________________________________
From: Joe Abley <jabley@hopcount.ca>
Sent: Friday, September 11, 2020 3:33 AM
To: Tommy Jensen <Jensen.Thomas@microsoft.com>
Cc: Jim Reid <jim@rfc1035.com>; ADD Mailing list <add@ietf.org>
Subject: [EXTERNAL] Re: [Add] Zone ownership in DNS server discovery

Hi Tommy,

On Sep 10, 2020, at 18:32, Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org> wrote:

Changing subject line to avoid the noise on Martin's single use case. This is a separate topic.

>From the WG charter:

> Define a mechanism that allows communication of DNS resolver
> information to clients for use in selection decisions. This could be
> part of the mechanism used for discovery, above

If I know "doh.example.com" is authoritative for "foo.example.com", I may prefer to take *.foo.example.com queries directly to it instead of using an intermediary recursive.

In the taxonomy described in RFC 8499, "clients" in the ADD charter refers to "stub resolver" -- "a resolver that cannot perform all resolution itself". The phrase "resolver information" in the charter refers to information about "recursive resolvers" -- resolvers that operate in "recursive mode".

What you are describing above is a hybrid entity that behaves like a stub resolver in some cases but like a recursive resolver in others. The opportunistic choice of transport between this new entity and a particular authoritative server is by definition not communication between stub resolver and recursive resolver (as defined in RFC 8499) or between client and resolver (as described in the ADD charter).

This might be an interesting discussion to start in DNSOP, perhaps as part of a larger discussion about capabilities negotiation between authoritative servers and their clients, but I think it's out of scope for ADD.


Joe

v2.23.0 | Report a Bug | By Email