Re: [dns-dir] [tim.polk@nist.gov: DISCUSS: <draft-ietf-behave-dns64-10.txt>]

[Andrew Sullivan <ajs@shinkuro.com>]

Hi Patrik,

Thanks for your detailed review.  The document is now under IESG
control, so I can make some suggestions but I can't actually make any
of these changes yet.  See below inline.

On Thu, Aug 19, 2010 at 11:28:22AM +0200, Patrik Fältström wrote:
> >   of one or more DNS64-enabled name servers.  However, some advanced
> >   features require performing the DNS64 function directly in the end-
> >   hosts themselves.
> 
> I do not like words like "advanced" in texts like these. Why is for example "validation of DNSSEC records in the end host resolver" to be "advanced"?
> 

So if we just remove it, that'd be ok?

> In the non-normative section, the following important information exists:
> 
> >   (NOTE: By IPv6-only hosts we mean hosts running IPv6-only
> >   applications, hosts that can only use IPv6, as well as cases where
> >   only IPv6 connectivity is available to the client.  By IPv4-only
> >   servers we mean servers running IPv4-only applications, servers that
> >   can only use IPv4, as well as cases where only IPv4 connectivity is
> >   available to the server).

We could restate this in the definitions section.  Ok?

> > 3.  Background to DNS64-DNSSEC interaction
> 
> As section 2 explicitly is non-normative, is section 3 normative as it is not say that it is not?

You raise this several times.  I think you're right.  I suggest that
we alter the Introduction and state there explicitly which sections
are normative and which not.  Ok?

> 
> I think personally it would be better to, for each of the alternatives, compare the DNS64 impact on resolver and server than list (again) a more comprehensive DNSSEC behaviour list like this. But that is a personal opinion.
> 

Well, this was intended to be explanatory material for someone who was
implementing this but not familiar with DNSSEC.  Otherwise I was
nervous that the reasoning behind not synthesizing when CD=1 wouldn't
be clear.

> >   1.  A DNS64 (DNSSEC-aware or DNSSEC-oblivious) receives a query with
> >       the DO bit clear.  In this case, DNSSEC is not a concern, because
> >       the querying agent does not understand DNSSEC responses.
> 
> Should not it be mentioned that the DNS64, if being a DNS64 resolver, very well can do validation of the response, and act according to local policy? Similar to a case 5, but with local policy?
> 

We can if you like, sure.

> >   4.  A security-aware and non-validating DNS64 receives a query with
> >       the DO bit set and the CD bit set.  In this case, the resolver is
> 
> What is "resolver" in this sentence? Looks to me that this is written only for the "DNS64 resolver" cases and not the DNS64 server case?
> 

Ugh.  It does look like we have terminological issues here.  I thought
I'd weeded this out in a previous pass, but I think I did it only in
the normative sections, perhaps.  Yuck.

It is indeed supposed to include the DNS64 server case.  For reasons
that are not clear to me, some have insisted that a DNS authoritative
server that is doing DNS64 could do so automatically, without anyone
actually provisioning the AAAA records with the Pref::/64.  I don't
personally get this use case at all, but people have insisted on it so
it's possible.

> Here one say "DNS64 server" and claim that it "modifies" the record. I do not understand what "modifies" implies at an authoritative server, as for me whatever comes from an authoritative server is the authoritative record. There is nothing that is modified. The records (the AAAA records) can in the case of a DNS64 server very well be signed AAAA records that are very stable and never changed. I.e. pre-populated in the zone and not at all something that is synthesized, and signed!
> 

Remember that strictly speaking the DNS64 is a logical function.  So
the name server function in the DNS64 (which is technically speaking
never exposed to anyone) only provides the A record, and the DNS64
function "modifies" it.  I concede that it is a little uncomfortable
to talk like this, but it preserves the logical distinction between an
actual DNS64 server, and a plain DNS server that happens to have in it
AAAA records using the Pref::/64.  Does that make sense?

> >   5.  A security-aware and validating DNS64 node receives a query with
> 
> Here is a new term, DNS64 node. Is that the same as "a DNS64" earlier, i.e. one of the three cases? I think in reality it is one of the "DNS64 resolver" cases one talk about here, and not "DNS64 server".
> 

Yeah, it's a resolver.  (A DNS64 authority server never validates.)
We'll have to go through and fix up the terminology to be consistent
with the terminology section.
 
> >   Authoritative server:  A DNS server that can answer authoritatively a
> >      given DNS question.
> 
> Is "question" the correct term? I ask...
> 
> I try to say "Respond authoritatively to a DNS request" but I also know that some people do think it is a good thing to say query/answer when it explicitly is a query we talk about.
> 

If only the DNS geeks had a consistent set of terms, eh?  Oh, wait.
I'm also ok with request.

> >   DNS64:  A logical function that synthesizes DNS resource records (e.g
> >      AAAA records containing IPv6 addresses) from DNS resource records
> >      actually contained in the DNS (e.g., A records containing IPv4
> >      addresses).
> 
> Does it have to be synthesized? Also if it is a DNS64 server?

Yes.

> >   DNS64 recursor:  A recursive resolver that provides the DNS64
> >      functionality as part of its operation.  This is the same thing as
> >      "DNS64 in recursive resolver mode".
> 
> Above, in the non-normative section, this was called "DNS64 resolver" as well. Is "DNS64 recursor" a subset of "DNS resolver"? If it is, should not "DNS64 stub" also be defined?

I don't think we have anywhere in the document where we really needed
a DNS64 stub definition, so I removed it.  But I'm happy to add it
back if you think it helps.  Dave Thaler in particular was keen that
we not define additional terms we don't strictly need.

> >   DNS64 resolver:  Any resolver (stub resolver or recursive resolver)
> >      that provides the DNS64 function.
> > 
> >   DNS64 server:  Any server providing the DNS64 function.
> 
> Authoritative server, or also resolvers?

Any server.  So it could be a recursive resolver, yes.  This means
that such a beast would be both a DNS64 server and a DNS64 resolver.
That's consistent with the dual name of recursive servers/recursive
resolvers in plain DNS, though, no?

> >   Recursive resolver:  A DNS server that accepts requests from one
> >      resolver, and asks another server (of some description) for the
> >      answer on behalf of the first resolver.
> 
> Is this the same definition as in other documents?

Ha!  If only 1034 actually defined this.  RFC 4033 has this, which is
as close to a definition as we have:

   Security-Aware Recursive Name Server: An entity that acts in both the
      security-aware name server and security-aware resolver roles.  A
      more cumbersome but equivalent phrase would be "a security-aware
      name server that offers recursive service".

We could follow the same convention, and define recursive resolver as
a system that acts in both name server and resolver modes, and then
we'd need to define name server and resolver.  Name server is kind of
defined in 1034 Sec 2.4., as is resolver.  The text in 1034 is
sufficiently poor that many people seem to forget that recursive name
servers can end up cached (sometimes without people knowing it), and I
was trying to draw that information out.  But maybe this is a poor
place to do so.

> >   Synthetic RR:  A DNS resource record (RR) that is not contained in
> >      any zone data file, but has been synthesized from other RRs.  An
> >      example is a synthetic AAAA record created from an A record.
> 
> Mumble, is "zone data file" a good wording? Should one not talk about "generated on request" instead? Maybe it is the best wording? Although some records might be in a database, and not at all in a file.
> 

Yeah, I originally had just "any zone data", and someone insisted that
wasn't good enough because the synthetic RR could be in a cache
somewhere.  (For the same reason, "generated on request" won't exactly
work either.)  What about this:

    Synthetic RR: A DNS resource record (RR) that is not contained in
      the authoritative servers' zone data, but which is instead
      sythesized from other RRs in the same zone.  An example is a
      synthetic AAAA record created from an A record.

?

> >   DNS64 is a logical function that synthesizes AAAA records from A
> >   records.  The DNS64 function may be implemented in a stub resolver,
> >   in a recursive resolver, or in an authoritative name server.
> 
> In an authoritative server they do not have to be synthesized.

In that case, it's not DNS64.  We actually suggest later in the
document that you should not use DNS64 on the authoritative server,
and that you should instead populate the real zone with the relevant
records if you're planning to use NAT64.  Is this not clear?

> > 5.1.2.  The answer when there is an error
> > 
> 
> Maybe a reference to 5.1.6/5.1.7 (see below) here.

Ok.

> > 5.1.4.  Special exclusion set for AAAA records
> 
> This section is confusing, as other 5.1.* sections are alternatives. I.e. "issue an AAAA query, and do the following if this happens". Specifically as 5.1.4 is before 5.1.6 which is another alternative parallel to for example 5.1.2.
> 
> I.e. I think it would be better if the document was like this (not critical though):
> 
> 5. Behaviour
> 
> 5.1. Queries for AAAA
> 
> Issue a query for AAAA, and behave like the following:
> 
> 5.1.1. A non-empty answer section, where the AAAA is not in the special range
> 
> 5.1.2. A non-empty answer section, where the AAAA is in the special range
> 
> 5.1.3. A non-empty answer section, with CNAME or DNAME
> 
> 5.1.4. An answer with Errcode 3
> 
> 5.1.5. Other errcodes
> 
> I.e. like a flowchart. One of the subsections matches. That makes it easier to know what to do and how to implement.

Ok.  To do this, I think, we'd need to take it back to the WG and
through LC again, no?  That's a pretty significant change.

> 
> > 5.1.6.  Data for the answer when performing synthesis
> :
> > 5.1.7.  Performing the synthesis
> 
> 5.1.6 and 5.1.7 should really be merged, and the section should be "errcode != 3 and an empty answer section"
> 

Why?  These are strictly speaking distinct steps.  After all, if you
wanted to populate your authoritative zone with DNS data that would
cause a NAT64 to be used, you'd want the output from 5.1.6 but not
5.1.7, right?

> >   o  The TTL field is set to the minimum of the TTL of the original A
> >      RR and the SOA RR for the queried domain.  (Note that in order to
> >      obtain the TTL of the SOA RR, the DNS64 does not need to perform a
> >      new query, but it can remember the TTL from the SOA RR in the
> >      negative response to the AAAA query.  If the SOA RR was not
> >      delivered with the negative response to the AAAA query, then the
> >      DNS64 SHOULD use a default value of 600 seconds.
> 
> Not really...it should be the smallest of 600 and the TTL for the A, right?

Oh, good catch.

> 
> >      It is possible
> >      instead to query explicitly for the SOA RR and use the result of
> >      that query, but this will increase query load and time to
> >      resolution for little additional benefit.)  This is in keeping
> >      with the approach used in negative caching ([RFC2308]
> 
> Why not just stop after saying it should be the smallest of the TTL of the A and the SOA, and then let the rest be up to the implementor? I am nervous over more "fixed default values" for negative caching. If the SOA was not returned, then the DNS64 have to query for it.
> 

I felt the same way, but the WG (and Mark Andrews in particular) was
quite sure we needed a default.

> >   o  The RDLENGTH field is set to 16
> > 
> >   o  The RDATA field is set to the IPv6 representation of the IPv4
> >      address from the RDATA field of the A record.  The DNS64 SHOULD
> >      check each A RR against configured IPv4 address ranges and select
> >      the corresponding IPv6 prefix to use in synthesizing the AAAA RR.
> 
> Why only a SHOULD? And, is this not an implementation issue?

Someone wanted to be able to short-circuit this check if there's only
one address range configured. 

> > 5.1.8.  Querying in parallel
> > 
> >   The DNS64 MAY perform the query for the AAAA RR and for the A RR in
> >   parallel, in order to minimize the delay.  However, this would result
> >   in performing unnecessary A RR queries in the case where no AAAA RR
> >   synthesis is required.
> 
> Why is this "however" listed in a normative specification?

Well, I think the entire option for querying in parallel ought not to
be allowed, on DNS performance grounds, but the web people keep
insisting that they need this to achieve acceptable speed.  I'm
willing to tear it out, but I'd actually like to recommend against
such parallel querying.

> 
> There is nothing in 5.1 (what to do when querying for AAAA records) about the additional or authoritative section.

No, because that's dealt with in 5.3.  Why should it be in 5.1?

> > 5.2.  Generation of the IPv6 representations of IPv4 addresses
> 
> Should not queries for other RR Types be in 5.2, and this be part of the "synthesizing responses" above, or some other section?
> 

Why?

> > 5.3.  Handling other Resource Records and the Additional Section
> > 
> > 5.3.1.  PTR Resource Record
> > 
> >   If a DNS64 server receives a PTR query for a record in the IP6.ARPA
> >   domain, it MUST strip the IP6.ARPA labels from the QNAME, reverse the
> >   address portion of the QNAME according to the encoding scheme
> >   outlined in section 2.5 of [RFC3596], and examine the resulting
> >   address to see whether its prefix matches any of the locally-
> >   configured Pref64::/n.
> 
> ...or the default well known prefix (that was not to be configured).

Good catch, thanks.

> 
> >   There are two alternatives for a DNS64 server
> 
> What about DNS64 resolvers that receive PTR queries?

Hrm.  Yes, I guess that needs to be "There are two alternatives for DNS64 to. . ."
 
> >   2.  The second option is for the DNS64 nameserver to synthesize a
> >       CNAME mapping the IP6.ARPA namespace to the corresponding IN-
> >       ADDR.ARPA name.
> 
> Is this safe? I.e. it is clear no other RR Type than PTR exists with this owner?
> 
> See Apple Bonjour for example.

I agree.  This option is only there because Mark Andrews insisted it
be.  I think the whole thing is a bad idea: you should follow option
1, which is the only safe response IMO.  But the WG seemed to want
option 2 as well.

> A query for a PTR record might not have owner in the IP6.ARPA, so 5.3.1 is really for PTR records in the IP6.ARPA domain. What about other PTR queries?
> 
> I guess the answer is here:
> 
> >   If the address prefix does not match any Pref64::/n, then the DNS64
> >   server MUST process the query as though it were any other query; i.e.
> >   a recursive nameserver MUST attempt to resolve the query as though it
> >   were any other (non-A/AAAA) query, and an authoritative server MUST
> >   respond authoritatively or with a referral, as appropriate.

Yes.

> No other RR Types need special treatment?

No other RR types need treatment like PTRs do. 

> I.e. the flow is weird here as well in the document. Because other RR Types comes as 5.3.3.

Do you want us to swap that with 5.3.2?

> 
> > 5.3.2.  Handling the additional section
> > 
> >   DNS64 synthesis MUST NOT be performed on any records in the
> >   additional section of synthesized answers.  The DNS64 MUST pass the
> >   additional section unchanged.
> 
> The normative part of 5.3.2 should stop here. Remove the rest or move to non-normative section of this document.
> 

Ok.

> > 5.4.  Assembling a synthesized response to a AAAA query
> 
> Here we have some text on how to do synthesis again?

No, this is not how to do synthesis.  This is how to assemble the
response (i.e. the thing you're going to ship back).  The _synthesis_,
strictly speaking, was just the creation of the AAAA record from the
A, and that goes into an answer section.  That answer section is now
one of the pieces assembled to make a DNS response packet.

> > 5.5.  DNSSEC processing: DNS64 in recursive resolver mode
> > 
> >   We consider the case where a recursive resolver that is performing
> >   DNS64 also has a local policy to validate the answers according to
> >   the procedures outlined in [RFC4035] Section 5.  We call this general
> >   case vDNS64.
> 
> Then this is really:
> 
> 5.5. DNSSEC processing: DNS64 in validating recursive resolver

Oh, good catch.  Thanks.

> >   2.  If CD is not set and DO is set, then vDNS64 SHOULD perform
> >       validation.  Whenever vDNS64 performs validation, it MUST
> >       validate the negative answer for AAAA queries before proceeding
> >       to query for A records for the same name, in order to be sure
> >       that there is not a legitimate AAAA record on the Internet.
> >       Failing to observe this step would allow an attacker to use DNS64
> >       as a mechanism to circumvent DNSSEC.  If the negative response
> >       validates, and the response to the A query validates, then the
> >       vDNS64 MAY perform synthesis and SHOULD set the AD bit in the
> >       answer to the client.  This is acceptable, because [RFC4035],
> >       section 3.2.3 says that the AD bit is set by the name server side
> >       of a security-aware recursive name server if and only if it
> >       considers all the RRSets in the Answer and Authority sections to
> >       be authentic.  In this case, the name server has reason to
> >       believe the RRSets are all authentic, so it SHOULD set the AD
> >       bit.  If the data does not validate, the vDNS64 MUST respond with
> >       RCODE=2 (Server failure).
> >       A security-aware end point might take the presence of the AD bit
> >       as an indication that the data is valid, and may pass the DNS
> >       (and DNSSEC) data to an application.  If the application attempts
> >       to validate the synthesized data, of course, the validation will
> >       fail.  One could argue therefore that this approach is not
> >       desirable, but security aware stub resolvers must not place any
> >       reliance on data received from resolvers and validated on their
> >       behalf without certain criteria established by [RFC4035], section
> >       4.9.3.  An application that wants to perform validation on its
> >       own should use the CD bit.
> 
> Too much discussion. And (for example) last sentence have "should" in lower case. What does that imply?
>

It implies that different people have read DNSSECbis and come to
different conclusions about whether the AD bit means anything.  Rob
Austein and some of the other document editors, as well as several
other people, are sure that the _only_ way to trust the answer is to
set CD and check yourself.  But one of the largest vendors out there
seems to have decided that the AD bit is significant and useful.  This
text was the compromise we were able to come up with.

I think the "too much discussion" is a suggestion that the second
paragraph be moved to a non-normative section?  (I'm just trying to be
sure what you thought was discussion there.)
 
> >   3.  If the CD bit is set and DO is set, then vDNS64 MAY perform
> >       validation, but MUST NOT perform synthesis.  It MUST return the
> >       data to the query initiator, just like a regular recursive
> >       resolver, and depend on the client to do the validation and the
> >       synthesis itself.
> >       The disadvantage to this approach is that an end point that is
> >       translation-oblivious but security-aware and validating will not
> >       be able to use the DNS64 functionality.  In this case, the end
> >       point will not have the desired benefit of NAT64.  In effect,
> >       this strategy means that any end point that wishes to do
> >       validation in a NAT64 context must be upgraded to be translation-
> >       aware as well.
> 
> (Re)move second paragraph.

Ok.  But you agree with this approach?  This point is in fact exactly
what the DISCUSS on this draft was about: the document assumes that a
validating resolver knows how to do DNS64 or else DNS64 just doesn't
work for that host.  You don't think that's impractical?  (That was
the question.)

> > 8.  Security Considerations
> > 
> >   DNS64 operates in combination with the DNS, and is therefore subject
> >   to whatever security considerations are appropriate to the DNS mode
> >   in which the DNS64 is operating (i.e. authoritative, recursive, or
> >   stub resolver mode).
> > 
> >   DNS64 has the potential to interfere with the functioning of DNSSEC,
> >   because DNS64 modifies DNS answers, and DNSSEC is designed to detect
> >   such modification and to treat modified answers as bogus.  See the
> >   discussion above in Section 3, Section 5.5, and Section 6.2.
> 
> It should be noted what might happen if the translator between IPv4 and IPv6 is not in sync with this box.
> 

You mean, if the DNS64 has the wrong Pref::/64 configured, like?

> Additionally:
> 
> There is no text on how to handle the query and additional section of the request/response.

Sure there is.  Section 5.3.2 explicitly says that you may not muck
with the additional section, and section 5.4 says you copy the
question from the original query.  The additional and authority
sections are similarly copied from the real DNS answer.  Or am I
missing something you'd like to see?

Thanks for the review!

A

-- 
Andrew Sullivan
ajs@shinkuro.com
Shinkuro, Inc.