Re: [Add] New versions of draft-pp-add-stub-upgrade and draft-pp-add-resinfo
Ben Schwartz <bemasc@google.com> Sat, 16 May 2020 20:09 UTC
Return-Path: <bemasc@google.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9332A3A08D3 for <add@ietfa.amsl.com>; Sat, 16 May 2020 13:09:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.699
X-Spam-Level:
X-Spam-Status: No, score=-15.699 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3uH_vk9nZ4vA for <add@ietfa.amsl.com>; Sat, 16 May 2020 13:09:23 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99E043A08CA for <add@ietf.org>; Sat, 16 May 2020 13:09:23 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id v12so7254396wrp.12 for <add@ietf.org>; Sat, 16 May 2020 13:09:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=T/xpcdvbnkp3qRENiKdUI+jXl2BboixP9mY7wtW9WXI=; b=U4hxDW+lW37JjSTGp+/mrU29WD5ZAr663wFU55Ig3ID8x0MRKxmqcM2Wz9Aq3CCcjL dydUbO1zcd+DP0jCYWrzwXADqGzZWNWEN581dfKnps4fRrWU0zd7CLdlzV/yHk5uWMJH 62GCEknSpEdkcdkTTa6BTTjmv5iNPHn3vrRoCsq7oRMwze4ODq+aO8uPVPJa9gbM3qeU 8gyrVInx5KVWgbQz86T+P2gXSy2bzLCgm2VG/AsEhMSnGXHHoasiNa+xok8QUZZTZBEK s0mMGBClEbFetqTfbhytdQKSntn/jtVyabCJLSt+eiVMlAQD21AxltAp8W61lEwgENzr Z6Cg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=T/xpcdvbnkp3qRENiKdUI+jXl2BboixP9mY7wtW9WXI=; b=OiFMszCThwr3u3cWi7fr6RYFXyCxd1FMjT41ham2sTjQf8QOHUpO+er33t05UbEr4U D6P/xaQvlJkuy5VAuxp+3u+LJWK2/Uk0C5NiyZ2Ez6c+bpzieyTMM4r9jFzprrx+8arj 4sRKTq9MwBZlHQO93OwM2NayeHjEJXhGvU72kMEhSoUs1QI42FoeAKCuICWTDLcmhIJr tvqa8DlfPKgMs1PSA6VsQnZreUJ8onPh+h0s+gHmbobZHfCd6C2I62MbRfpcTLM3b3Lq jDE356nFwhQjBOCS7wd7X7s59+02ZbUtyc3O9dJOHsVfEiLV3KQdmTLxwpe4FSeF6i3x OnWQ==
X-Gm-Message-State: AOAM532bcPQveq/pb7KH9OZSsR4fVvI3jclEfKETnsmgAFmOPU6Sb5hv 01LOX4/iBLYhdeS+6XZfVoBUBQy+h3VasbgSAZwQbg==
X-Google-Smtp-Source: ABdhPJxanbmD4qGqlqFeogHPY3/J5zEIkQZvPTevRloslWNrTKQOaY1pJmXq8mMp2qHD4svzi5AoF2aJ5F6D10qfVvM=
X-Received: by 2002:adf:dcc8:: with SMTP id x8mr10879223wrm.404.1589659761485; Sat, 16 May 2020 13:09:21 -0700 (PDT)
MIME-Version: 1.0
References: <D77E858D-5E06-4E32-919C-B54EAF2DC92D@icann.org>
In-Reply-To: <D77E858D-5E06-4E32-919C-B54EAF2DC92D@icann.org>
From: Ben Schwartz <bemasc@google.com>
Date: Sat, 16 May 2020 16:09:09 -0400
Message-ID: <CAHbrMsAqaXkQJb3+us3vV4p-7N=xkZ0JuzceLxUapeMv2rvWdA@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: ADD Mailing list <add@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="0000000000007139ca05a5c9810d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/e9cgI6bqTEFxkBuRlo-LJmDb5MY>
Subject: Re: [Add] New versions of draft-pp-add-stub-upgrade and draft-pp-add-resinfo
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 May 2020 20:09:26 -0000
Thanks; I like this version of RESINFO. Some comments on Section 2: * "... it can use that configuration to actually be authoritative for the addresses on which it responds." -> I don't understand what an "address" is in this sentence. Does it refer to a reverse-IP name? Or to the hostname of the resolver, in cases where the resolver has a known name (e.g. DNS-over-TLS)? * "Any query for the RESINFO RRtype that does not have a QNAME of resolver-info.arpa/IN is meaningless and MUST result in a NODATA or NXDOMAIN response." -> I would like this to be relaxed (see proposal below). I have more problems with the "Upgrade" draft: Section 2.1: * "dot-ports" -> I think this should be "dot-addresses" in hostname:port syntax, to enable authentication. The "hostname" part can be optional to indicate "same IP, unauthenticated". * "The host part of the URI template MUST be an IP address." -> I think this is exactly wrong. IP address certificates provide less security than named certificates, and are also dramatically more difficult to acquire. I would remove this requirement, and also change the examples to use named URLs. Section 3: * "upgradeNoAuth" -> I think this should be removed. If the resolver claims a name, we should always validate, and fail hard if validation fails. * "start TLS session on resIP port 443" -> I don't understand the intent of this algorithm, but it does not support HTTP/3, nor URLs with non-default ports. It also seems to imply that the DoH server must run on the same IP address as the Do53 server, which is not true for many major deployments. I would replace this entire section with "Do DoH". * This section is missing "just try TLS on port 853", which is the status quo for DoT upgrade. Proposal: DNSSEC-authenticated RESINFO for named resolvers Most resolvers are known to the client by their IP (learned via DHCP, etc.). However, there are some systems (e.g. Android) that allow the user to identify a preferred resolver by hostname. I propose that any resolver that is known to its clients by hostname (currently only DoT resolvers) MUST additionally publish its RESINFO record on its hostname, and clients MAY query $hostname/IN/RESINFO instead of resolver-info.arpa/IN/RESINFO. This would enable authentication of RESINFO for clients who perform DNSSEC validation and have a resolver identified by hostname. Possible use cases: * Authenticated DoH to named resolvers without also having to implement DoT (and without requiring the user to provide the full DoH URI template). * Authentication and non-repudiability of (TBD) non-upgrade-related metadata in RESINFO. On Thu, May 14, 2020 at 1:15 PM Paul Hoffman <paul.hoffman@icann.org> wrote: > Greetings again. Puneet and I have made fairly major changes to > draft-pp-add-stub-upgrade and draft-pp-add-resinfo based on the traffic > from the WG earlier. The drafts are now focused on the much-more-common use > case of a stub having an IP address that it got over an unauthenticated > channel such as DHCP, and we thus removed getting the information over > HTTPS. The new drafts are at: > > https://www.ietf.org/internet-drafts/draft-pp-add-stub-upgrade-01.txt > https://www.ietf.org/internet-drafts/draft-pp-add-resinfo-01.txt > > If folks like the new focus, we can ask the WG chairs to adopt them. We > know that much of the interest in the WG is on discovery, not this simple > upgrade process, so we figured we could get these done more quickly while > the bigger discussions are happening. > > --Paul Hoffman-- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add >
- [Add] New versions of draft-pp-add-stub-upgrade a… Paul Hoffman
- Re: [Add] New versions of draft-pp-add-stub-upgra… Ben Schwartz
- Re: [Add] [Ext] New versions of draft-pp-add-stub… Paul Hoffman