Re: [Add] Fwd: New Version Notification for draft-schwartz-add-ddr-forwarders-00.txt
Chris Box <chris.box.ietf@gmail.com> Fri, 24 September 2021 17:00 UTC
Return-Path: <chris.box.ietf@gmail.com>
X-Original-To: add@ietfa.amsl.com
Delivered-To: add@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37E7E3A1057 for <add@ietfa.amsl.com>; Fri, 24 Sep 2021 10:00:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.855
X-Spam-Level:
X-Spam-Status: No, score=-0.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GKfysVmyAFtC for <add@ietfa.amsl.com>; Fri, 24 Sep 2021 10:00:22 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BCA53A1052 for <add@ietf.org>; Fri, 24 Sep 2021 10:00:22 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id t4so28579885qkb.9 for <add@ietf.org>; Fri, 24 Sep 2021 10:00:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=VkXSlswORF7+vKGMtqULPH8qMXNCvHbbMHu1BTQNtxw=; b=PbQlzhPQKlJhj8NbSfxHhC10pwBY6W1L+zIgKQHqUVVpZC8rASr905NfiiLAoYlIzY G7rMwdxYpnd0+4otDPvtr+S13G/8Q7I9gQ7+BygjNm5AJrXaojTyfYpFDcFpf2sXGFnD CJ5I/tnbcLzDxHImDaKhCgzjj5WU9R2GOO5lmaRdmVKHjl9pnKqm89pvoFW1BpsoV674 uK9cRTjRs7T7v2+DEK42QCNytFiAQI5lRxcNclPxNeLccAKAY+ss535qXvVtWg9Gv7sS GizFGAnb7cldw3pIzSxfp8oTbU6Mzcd9GWFch89a8UXsDmz/X6KY6wg4kmIb/ShsZboU jCxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=VkXSlswORF7+vKGMtqULPH8qMXNCvHbbMHu1BTQNtxw=; b=XkqXwDLOZZRZ4lXbMSWicpQyzVYcm9gRFBT35ZdVU1Wtq7pPlNyZGcGbVbSxAgpdax 5nBQZjKZYYw7K5RoN8DXgd8PrcsE3HyVzAiCFn2eJc/rRxkOW9Ste6MXDKVDHa5oJhux LDr7v14aLzS1LcSSOJ/41DUiIPMtdAGWXkmXsYqI8D2FRPcOK9BPDEFtc3ZkiUk8Gn12 YBgg9wWfiC//g3/CxZiKwWehbkJGGX4PxFYSpV+V1gJzTq8q3IiyFHZ+K2FqZ4ezqKEI tTfTtljsFS+ZAbJirwO0QdSOfRKl7Lxkyd1CdN2kt46amsnOYiF4NLtZwiZFbzKacI64 FkuA==
X-Gm-Message-State: AOAM530famtsHFU45eiuem6W1I+UAlJ42RiGBqI+FV7uVMtNclCpvkyi E166BUw+oOoB8hRNWyzlN76MXgVfqHt5Kct/BOiYwREc1eU=
X-Google-Smtp-Source: ABdhPJxosZwIa9F/kmbYbLZf0thrdpnBKtOvM9gMXOH05lzers5XxhIKi9rq0Sile4qmAw9l72qRavHFZi0h53xMlFE=
X-Received: by 2002:a05:620a:15cd:: with SMTP id o13mr11674880qkm.223.1632502821290; Fri, 24 Sep 2021 10:00:21 -0700 (PDT)
MIME-Version: 1.0
References: <163223345857.28587.9301450225704997678@ietfa.amsl.com> <CAHbrMsDL-QKF-xn0Pz2FrrDoHHRoqKfBkuDoBkuZucDFh8KSQA@mail.gmail.com> <DM6PR02MB69247B06F32349B37CA9A728C3A49@DM6PR02MB6924.namprd02.prod.outlook.com>
In-Reply-To: <DM6PR02MB69247B06F32349B37CA9A728C3A49@DM6PR02MB6924.namprd02.prod.outlook.com>
From: Chris Box <chris.box.ietf@gmail.com>
Date: Fri, 24 Sep 2021 18:00:10 +0100
Message-ID: <CACJ6M14qV+b-UVTymRFbrQ-HFEQ576qsT1B6gxwBpcrq_rD7rg@mail.gmail.com>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, ADD Mailing list <add@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c2084c05ccc0aef8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/add/hOh4Rn1b71dYbruQyNg_Q8qYUMQ>
Subject: Re: [Add] Fwd: New Version Notification for draft-schwartz-add-ddr-forwarders-00.txt
X-BeenThere: add@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Applications Doing DNS <add.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/add>, <mailto:add-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/add/>
List-Post: <mailto:add@ietf.org>
List-Help: <mailto:add-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/add>, <mailto:add-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2021 17:00:28 -0000
Ben, Thanks for this draft. As Barbara says it's short and readable, and it carefully articulates the issues. In section 3 we could clarify "removes the certificate validation policy". What I mean is to tighten it to clearly refer to the quoted policy in 2.1, not to all types of certificate validation. We still want the client to perform normal TLS validation (e.g. correct chain of trust exists). Section 4 is concerned with the implementation of these features *on the legacy forwarder*. Where they are implemented on the forwarder, I agree the way to continue to support the behaviour is to add resolver.arpa to the blocklist. HOWEVER it would be worth also commenting on the implementation of these same features on the upstream resolver, which I suspect is pretty common. In this latter case, the behaviour is naturally supported as soon as the upstream publishes the SVCB for _dns.resolver.arpa. Caveat: this is only true if the legacy forwarder has no role in the implementation of the features. In networks where both the forwarder and the upstream need to co-operate (e.g. forwarder assists the upstream in communicating the type of service required for this user), then it can only continue if we block resolver.arpa. Chris On Fri, 24 Sept 2021 at 14:51, STARK, BARBARA H <bs7652@att.com> wrote: > Hi Ben, > > I really like the idea presented in this draft. I think it could be very > helpful to many end users – allowing automated upgrade to DoH for people > behind DNS proxies who aren’t using any filtering in those DNS proxies. > > > > I have just a few comments. > > I think there needs to be a more complete definition of “non-public IP > address” (or perhaps a more refined and specific set IP addresses of where > this relaxed validation might be considered). I’m thinking it might be good > to restrict to an IPv4 address on the same subnet, an IPv6 address in an > on-link prefix, or 127.0.0.0/8. This latter would be for clients that > make use of stub resolvers. Note that an IPv4 subnet and IPv6 on-link > prefix could be comprised of globally routable addresses – so not > necessarily “non-public” as some people might understand that word. > > But since we’re all trying to head for IPv6, I think it’s good to > recognize that the IPv6 address being advertised for DNS proxies tends to > be from the delegated prefix and not ULAs. And it might be good if we could > support this case. > > > > I’m not too sure about the 6.1.1 mitigation solution related to > implementing DNR. It’s not that it’s necessarily wrong -- it’s just not > really a part of DDR-based discovery and there’s no rules around how DDR > and DNR interact. > > > > I think the 6.1.2 and 6.1.3 mitigations should somehow be strongly > recommended in conjunction with this technique. Though I understand the > desire to avoid normative language, I still think it would be beneficial to > use some lowercase recommending words. > > > > BTW, I really like how short and readable the draft is. 😊 > > Thx, > > Barbara > > > > > > *From:* Add <add-bounces@ietf.org> *On Behalf Of *Ben Schwartz > *Sent:* Tuesday, September 21, 2021 9:25 AM > *To:* ADD Mailing list <add@ietf.org> > *Subject:* [Add] Fwd: New Version Notification for > draft-schwartz-add-ddr-forwarders-00.txt > > > > Hi ADD, > > > > I've written a new draft regarding DDR and legacy DNS forwarders ("the 85% > problem"). This replaces my previous proposed changes to the DDR draft. > > > > Note that this draft's "intended status" is currently "Informational", on > the theory that we are more likely to reach consensus (and stay within the > charter) if we aren't trying to make normative rules about client policy > details. > > > > --Ben > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org> > Date: Tue, Sep 21, 2021 at 10:10 AM > Subject: New Version Notification for > draft-schwartz-add-ddr-forwarders-00.txt > To: Benjamin Schwartz <bemasc@google.com> > > > > > A new version of I-D, draft-schwartz-add-ddr-forwarders-00.txt > has been successfully submitted by Benjamin Schwartz and posted to the > IETF repository. > > Name: draft-schwartz-add-ddr-forwarders > Revision: 00 > Title: Discovery of Designated Resolvers in the Presence of > Legacy Forwarders > Document date: 2021-09-21 > Group: Individual Submission > Pages: 9 > URL: > https://www.ietf.org/archive/id/draft-schwartz-add-ddr-forwarders-00.txt > Status: > https://datatracker.ietf.org/doc/draft-schwartz-add-ddr-forwarders/ > Html: > https://www.ietf.org/archive/id/draft-schwartz-add-ddr-forwarders-00.html > Htmlized: > https://datatracker.ietf.org/doc/html/draft-schwartz-add-ddr-forwarders > > > Abstract: > This draft describes how the Discovery of Designated Resolvers (DDR) > standard interacts with legacy DNS forwarders, including potential > incompatibilities and relevant mitigations. > > Discussion Venues > > This note is to be removed before publishing as an RFC. > > Discussion of this document takes place on the mailing list > (add@ietf.org), which is archived at > https://mailarchive.ietf.org/arch/browse/add/. > > Source for this draft and an issue tracker can be found at > https://github.com/bemasc/ddr-forwarders. > > > > > The IETF Secretariat > > -- > Add mailing list > Add@ietf.org > https://www.ietf.org/mailman/listinfo/add >
- [Add] Fwd: New Version Notification for draft-sch… Ben Schwartz
- Re: [Add] Fwd: New Version Notification for draft… STARK, BARBARA H
- Re: [Add] Fwd: New Version Notification for draft… Chris Box
- Re: [Add] Fwd: New Version Notification for draft… Ben Schwartz