IETF Logo Mail Archive

Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing

Petr Špaček <pspacek@isc.org> Tue, 28 March 2023 07:55 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9595BC14CE5F for <dns-privacy@ietfa.amsl.com>; Tue, 28 Mar 2023 00:55:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="Oe90+LAP"; dkim=pass (1024-bit key) header.d=isc.org header.b="CBG0EO28"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OOvoJpQ6Bg9Z for <dns-privacy@ietfa.amsl.com>; Tue, 28 Mar 2023 00:54:57 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 299B5C14CF12 for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 00:54:56 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id D99FB3AB01F for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:55 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org D99FB3AB01F
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.1.12
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1679990095; cv=none; b=UsN/9Cmn1voZNftbZJwTnelUh+kz7OZK8bffMS6EApJ65Zp/gfaY7e4YlFiZrh17tDd5t53Sv2cIz38yfjuTHpo5iQqZMI4AerCDve7V/8jgNnsvU4NO9rWU16B0iyCsU7u67dTnJZC285WIwPJ/EDC8q8G51GqHyT5LtjhMNKE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1679990095; c=relaxed/relaxed; bh=cFQL9dhpI4C3gQpGhdQPPxqtLx+AkNMFtv71pGVgYeU=; h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version: Subject:To:From; b=XhPd1qyESLdGKaKn+XMOkW+Gs90hxKLugILMCyuVxZFzEoWz3HP57opJqTog+KoUqOpGcXCu/KpAGvJgXZVO2HKVa899fWQr/mCLnOiwAusFMSeHayD5tWWR4a7beWMsPAnoslqDZSZMVlk+NnOvtaiRJKTL1ncDLFywbwIozNU=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org D99FB3AB01F
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1679990095; bh=hGzaO6r3DuMwr2vZeG4u8UqxNNHOZsf4wNHP6qwl8t0=; h=Date:Subject:To:References:From:In-Reply-To; b=Oe90+LAPuCxYXHH8wpQYGKc30gtOTqrBCPYPvoXpsEQUGqkU/fDn1R8/RAQ49HQr9 U0vuYIVvGquUWWw1t022XRGYBKcbxf5JximZpC2xULRMI9bcoP8XSNWsSasWshPrxN r1/iusHQuihzBn0WWKzyrP/KWhsZEfVEAAbiSmBo=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id C35A5F29040 for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:55 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 97BABF29050 for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:55 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 97BABF29050
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1679990095; bh=cFQL9dhpI4C3gQpGhdQPPxqtLx+AkNMFtv71pGVgYeU=; h=Message-ID:Date:MIME-Version:To:From; b=CBG0EO28/s4RrjKtHS5m5gfzeR7XkzRJLJa9WsuQ24jARHxoWWQI8TtsZuFMadzq/ 2LeQHlgBIFhFy2HlPrZuYMZFbTVQ1N97si3oGFVs0b0Hm3VkwSv1oSCid1vNmckhx1 3MRSi9i4t33s+sso6JAYNoSTIEtiWTXKZzXzRGPQ=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dEXfA-Q4bwWr for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:55 +0000 (UTC)
Received: from [192.168.0.158] (ip-86-49-243-194.bb.vodafone.cz [86.49.243.194]) by zimbrang.isc.org (Postfix) with ESMTPSA id C3A78F29040 for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:54 +0000 (UTC)
Message-ID: <085f2f0a-17d2-2718-c9b0-b7171a4fc367@isc.org>
Date: Tue, 28 Mar 2023 09:54:52 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0
Content-Language: en-US
To: dns-privacy@ietf.org
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net> <m1y1niraw8.fsf@narrans.de>
From: Petr Špaček <pspacek@isc.org>
In-Reply-To: <m1y1niraw8.fsf@narrans.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/I8TkCHGP0Lk6Q3CvTxexC_CFQus>
Subject: Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 07:55:02 -0000

On 27. 03. 23 8:00, Florian Obser wrote:
> Hi there!
> 
> first, there is a typo in section 4.5:
> 
>     The recursive resolver SHOULD keep a record of the state for each
>     authoritative server it contacts, indexed by the IP address of the
>     authoritative server and the encrypted transports supported by the
>     recursive resolver.
> 
> Should be
> 
>     The recursive resolver SHOULD keep a record of the state for each
>     authoritative server it contacts, indexed by the IP address of the
>     authoritative server and the encrypted transports supported by the
>     authoritative server.
> 
> i.e. the s/recursive resolver/authoritative server/ in the last line
> 
> Secondly, it has already been noted that it is OPTIONAL for an
> authoritative server to implement *this* protocol. I presume *this*
> protocol meaning support for unilateral probing.
> 
> However unilateral probing restricts how DoT / DoQ can be deployed.
> 
> This is first hinted at in "3.3.  Server Name Indication":
>     However, such a server MUST NOT serve resource records
>     that differ based on SNI (or on the lack of SNI) provided by the
>     client, because a probing recursive resolver that offers SNI might or
>     might not have used the right server name to get the records it is
>     looking for.
> 
> And later in "4.2. Maintaining Authoritative State by IP Address":
> 
>     In designing a probing strategy, the recursive resolver could record
>     its knowledge about any given authoritative server with different
>     strategies, including at least:
> 
>     *  the authoritative server's IP address,
> 
>     *  the authoritative server's name (the NS record used), or
> 
>     *  the zone that contains the record being looked up.
> 
>     This document encourages the first strategy, to minimize timeouts or
>     accidental delays.  This document does not describe the other two
>     strategies because the first is strongly encouraged.
> 
> An authoritative server operator might want to offer DoT/DoQ as a
> "premium service" to its customers, this drafts prevents them from doing
> so. Or they need to setup dedicated IP addresses for the premium zones.
> 
> a.ns.example.net AAAA 2001:db::1:53
> 
> Normal zone:
> example.org NS a.ns.example.net
> 
> Premium zone:
> example.com NS a.ns.example.net
> 
> Querying a.ns.example.net for example.com SOA on Do53 and DoT will
> result in NOERROR, so the recursive resolver will assume that
> a.ns.example.net supports unilateral probing.
> Querying a.ns.example.net for example.org SOA on DoT however will result
> in REFUSED, while querying on Do53 would result in NOERROR.
> 
> For the imagined authoritative server operator to be compliant with this
> draft they'd need to change their setup to something like this:
> 
> a.ns.example.net AAAA 2001:db::1:53
> b.ns.example.net AAAA 2001:db::2:53
> 
> Normal zone:
> example.org NS a.ns.example.net
> 
> Premium zone:
> example.com NS b.ns.example.net
> 
> I have no opinion on whether this is a sensible business strategy but it
> feels odd that this document normatively restricts what a DoT / DoQ
> authoritative server can do.
> 
> At the very least this should be pointed out, e.g. at the end of
> 3. Guidance for Authoritative Servers:
> 
>     An authoritative server implementing DoT or DoQ MUST authoritatively
>     server the same zones over all supported transports.
> 
> This still makes me feel uneasy though.

TL;DR: From my point of view the text is good as it is.

I would feel really uneasy in the opposite case, i.e. if the requirement 
was dropped.

Doing probing **per zone** adds lots of state and attempts. Right now 
most transport-level state in BIND is currently tied to peer's IP 
address (as opposed to [IP, zone] combination) and I don't see 
compelling reason to change that.

-- 
Petr Špaček
Internet Systems Consortium

v2.23.0 | Report a Bug | By Email