Re: [Add] [EXTERNAL] New Version Notification for draft-jt-add-dns-server-redirection-03.txt

Ben Schwartz <bemasc@meta.com> Tue, 05 March 2024 20:27 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>, "add@ietf.org" <add@ietf.org>
CC: Corey Mosher <cmosher@gmail.com>, John Todd <jtodd@quad9.net>
Date: Tue, 05 Mar 2024 20:27:38 +0000
Message-ID: <SA1PR15MB4370E8BFD5F06C962CAEDF7AB3222@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <170957600067.60766.13917149258665072591@ietfa.amsl.com> <SJ0PR00MB13481A8674998EE0A2FF7739FA232@SJ0PR00MB1348.namprd00.prod.outlook.com>
In-Reply-To: <SJ0PR00MB13481A8674998EE0A2FF7739FA232@SJ0PR00MB1348.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/Q74fms-R0rFDp1-xgvtbEuFEivY>
Subject: Re: [Add] [EXTERNAL] New Version Notification for draft-jt-add-dns-server-redirection-03.txt
List-Id: Applications Doing DNS <add.ietf.org>

Thanks, I think this draft is a good starting point and close to adoption-ready.  I do still see some issues:

Section 3.1.1:

"Using this method, if the returned SVCB record indicates a server with a different domain name than the current encrypted DNS connection, the redirection MUST NOT be followed by the client." -> SVCB records don't indicate a domain name in the sense used here.  The SVCB TargetName is similar to a CNAME target: it does not alter the TLS handshake in any way.  Thus, the client can follow any SVCB record, but the SVCB record does not affect the TLS SNI or the certificate validation procedure.

"The destination server MAY use delegated credentials [RFC9345]." -> This seems to imply that any client who could somehow end up pointed to this destination server MUST offer support for delegated credentials.  Otherwise, current DDR clients that don't support delegated credentials would run into a handshake failure.  We need to be clearer about the expectations about client support for delegated credentials.

Section 3.1.2:

"When clients use Strict Origin redirection discovery with a DDR discovered resolver, the only difference is that the destination server it was redirected to MUST be able to claim the IP address of the previous server in its SAN field." -> I'm not sure that's the only difference.  There's also the problem that you can't put an IP address in the TLS SNI, so the SNI has to be omitted, which means any covered IP addresses must all share a single certificate.

Section 3.4:

"Clients SHOULD however cap this value to some minimum value at their discretion to avoid frequent redirection checking when latency plus an incidentally low TTL along the chain results in near-zero effective TTLs." -> This is recommending a form of TTL stretching.  I think a more formally correct approach would be to ignore redirections whose TTL falls below the client's configured minimum.

--Ben
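The three review points above (the SVCB TargetName does not change the TLS identity the client authenticates, an IP-configured DDR client cannot send SNI so the destination certificate needs an iPAddress SAN, and low redirection TTLs can be clamped or declined) can be expressed as a small client-side policy check. The following is an added illustration, not code from the draft, from this message, or from any DNS client; the data model, the function names and the "reject"/"clamp" policy switch are assumptions, and the certificate and SVCB values are constructed sample data.

```python
"""Client-side evaluation of an Encrypted DNS Server Redirection (EDSR) candidate.

Added illustration; not code from the draft, the review, or any DNS client.
Names, the data model and the policy shape are assumptions. It models:
  - the SVCB TargetName changes where the client connects, not which identity
    it authenticates in TLS (the configured name or IP);
  - an IP-configured (DDR) client cannot send an IP in SNI, so the destination
    certificate must carry that IP as an iPAddress SAN;
  - a redirection TTL below the client's minimum is either clamped upward
    (the draft's cap, i.e. TTL stretching) or used as grounds to decline.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class Certificate:
    """Subset of a leaf certificate: its subjectAltName entries (constructed)."""
    dns_sans: frozenset
    ip_sans: frozenset


@dataclass(frozen=True)
class SvcbRecord:
    """SVCB answer fields used here (constructed values, not a wire parser)."""
    target_name: str
    ttl: int


@dataclass(frozen=True)
class Decision:
    follow: bool
    reason: str
    effective_ttl: int = 0


def is_ip_literal(identity: str) -> bool:
    try:
        ipaddress.ip_address(identity)
        return True
    except ValueError:
        return False


def sni_for(identity: str) -> Optional[str]:
    """SNI cannot carry an IP literal (RFC 6066), so an IP-configured client omits it."""
    return None if is_ip_literal(identity) else identity.rstrip(".").lower()


def certificate_covers(cert: Certificate, identity: str) -> bool:
    """The identity that must appear in the certificate is the one the client was
    configured with, never the SVCB TargetName. DNS names are compared exactly
    (no wildcard handling, for brevity)."""
    if is_ip_literal(identity):
        want = ipaddress.ip_address(identity)
        return any(ipaddress.ip_address(s) == want for s in cert.ip_sans)
    return identity.rstrip(".").lower() in {d.rstrip(".").lower() for d in cert.dns_sans}


def evaluate_redirection(configured_identity: str, record: SvcbRecord,
                         dest_cert: Certificate, min_ttl: int,
                         ttl_policy: str = "reject") -> Decision:
    """Decide whether to follow a redirection to record.target_name.

    ttl_policy="clamp" reproduces the draft's cap on low TTLs (follow, but treat
    the TTL as min_ttl); ttl_policy="reject" declines the redirection instead.
    """
    if not certificate_covers(dest_cert, configured_identity):
        return Decision(False, f"destination certificate is not valid for {configured_identity} "
                               f"(TargetName {record.target_name} does not change the identity)")
    if record.ttl < min_ttl:
        if ttl_policy == "clamp":
            return Decision(True, f"followed; TTL {record.ttl} stretched to minimum {min_ttl}", min_ttl)
        return Decision(False, f"redirection TTL {record.ttl} is below client minimum {min_ttl}")
    return Decision(True, "followed", record.ttl)


# Constructed sample data: a resolver reachable as dns.example.net / 192.0.2.53
# whose edge node presents a certificate listing both identities.
EDGE_CERT = Certificate(dns_sans=frozenset({"dns.example.net", "edge1.example.net"}),
                        ip_sans=frozenset({"192.0.2.53"}))
SHORT_TTL = SvcbRecord(target_name="edge1.example.net", ttl=5)
NORMAL_TTL = SvcbRecord(target_name="edge1.example.net", ttl=300)

if __name__ == "__main__":
    for ident in ("dns.example.net", "192.0.2.53", "198.51.100.1"):
        print(ident, "SNI:", sni_for(ident), "->",
              evaluate_redirection(ident, NORMAL_TTL, EDGE_CERT, 30))
    print(evaluate_redirection("dns.example.net", SHORT_TTL, EDGE_CERT, 30, "clamp"))
```

The third identity (198.51.100.1) is refused because the edge certificate carries no matching iPAddress SAN, which is the Section 3.1.2 constraint; the "clamp" run shows the TTL-stretching behaviour the draft's cap implies, and the default "reject" policy shows the alternative of not following the redirection at all.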
________________________________
From: Add <add-bounces@ietf.org> on behalf of Tommy Jensen <Jensen.Thomas=40microsoft.com@dmarc.ietf.org>
Sent: Monday, March 4, 2024 1:21 PM
To: add@ietf.org <add@ietf.org>
Cc: Corey Mosher <cmosher@gmail.com>; John Todd <jtodd@quad9.net>
Subject: [Add] Fw: [EXTERNAL] New Version Notification for draft-jt-add-dns-server-redirection-03.txt

Good day add WG,

We have submitted the -03 of EDSR for IETF 119 discussion. The only major change (and it's a big one) is to remove the controversial SOR mode, so that the draft only supports redirections to other servers with the same domain name. This addresses what we believe to be the main pushback on the draft.

Let us know what you think of the new text.


Thanks,

Tommy


________________________________
From: internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: Monday, March 4, 2024 10:13 AM
To: C. Mosher <cmosher@gmail.com>; J. Todd <jtodd@quad9.net>; Tommy Jensen <Jensen.Thomas@microsoft.com>; Corey Mosher <cmosher@gmail.com>; John Todd <jtodd@quad9.net>; Tommy Jensen <Jensen.Thomas@microsoft.com>
Subject: [EXTERNAL] New Version Notification for draft-jt-add-dns-server-redirection-03.txt

A new version of Internet-Draft draft-jt-add-dns-server-redirection-03.txt has
been successfully submitted by T. Jensen and posted to the
IETF repository.

Name:     draft-jt-add-dns-server-redirection
Revision: 03
Title:    Handling Encrypted DNS Server Redirection
Date:     2024-03-04
Group:    add
Pages:    12
URL:      https://www.ietf.org/archive/id/draft-jt-add-dns-server-redirection-03.txt
Status:   https://datatracker.ietf.org/doc/draft-jt-add-dns-server-redirection/
HTML:     https://www.ietf.org/archive/id/draft-jt-add-dns-server-redirection-03.html
HTMLized: https://datatracker.ietf.org/doc/html/draft-jt-add-dns-server-redirection
Diff:     https://author-tools.ietf.org/iddiff?url2=draft-jt-add-dns-server-redirection-03

Abstract:

   This document defines Encrypted DNS Server Redirection (EDSR), a
   mechanism for encrypted DNS servers to redirect clients to other
   encrypted DNS servers.  This enables dynamic routing to geo-located
   or otherwise more desirable encrypted DNS servers without modifying
   DNS client endpoint configurations or the use of anycast by the DNS
   server.



The IETF Secretariat