Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing
Petr Špaček <pspacek@isc.org> Tue, 28 March 2023 07:55 UTC
Return-Path: <pspacek@isc.org>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9595BC14CE5F for <dns-privacy@ietfa.amsl.com>; Tue, 28 Mar 2023 00:55:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="Oe90+LAP"; dkim=pass (1024-bit key) header.d=isc.org header.b="CBG0EO28"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OOvoJpQ6Bg9Z for <dns-privacy@ietfa.amsl.com>; Tue, 28 Mar 2023 00:54:57 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 299B5C14CF12 for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 00:54:56 -0700 (PDT)
Received: from zimbrang.isc.org (zimbrang.isc.org [149.20.1.12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id D99FB3AB01F for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:55 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org D99FB3AB01F
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.1.12
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1679990095; cv=none; b=UsN/9Cmn1voZNftbZJwTnelUh+kz7OZK8bffMS6EApJ65Zp/gfaY7e4YlFiZrh17tDd5t53Sv2cIz38yfjuTHpo5iQqZMI4AerCDve7V/8jgNnsvU4NO9rWU16B0iyCsU7u67dTnJZC285WIwPJ/EDC8q8G51GqHyT5LtjhMNKE=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1679990095; c=relaxed/relaxed; bh=cFQL9dhpI4C3gQpGhdQPPxqtLx+AkNMFtv71pGVgYeU=; h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version: Subject:To:From; b=XhPd1qyESLdGKaKn+XMOkW+Gs90hxKLugILMCyuVxZFzEoWz3HP57opJqTog+KoUqOpGcXCu/KpAGvJgXZVO2HKVa899fWQr/mCLnOiwAusFMSeHayD5tWWR4a7beWMsPAnoslqDZSZMVlk+NnOvtaiRJKTL1ncDLFywbwIozNU=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org D99FB3AB01F
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1679990095; bh=hGzaO6r3DuMwr2vZeG4u8UqxNNHOZsf4wNHP6qwl8t0=; h=Date:Subject:To:References:From:In-Reply-To; b=Oe90+LAPuCxYXHH8wpQYGKc30gtOTqrBCPYPvoXpsEQUGqkU/fDn1R8/RAQ49HQr9 U0vuYIVvGquUWWw1t022XRGYBKcbxf5JximZpC2xULRMI9bcoP8XSNWsSasWshPrxN r1/iusHQuihzBn0WWKzyrP/KWhsZEfVEAAbiSmBo=
Received: from zimbrang.isc.org (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTPS id C35A5F29040 for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:55 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbrang.isc.org (Postfix) with ESMTP id 97BABF29050 for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:55 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbrang.isc.org 97BABF29050
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1679990095; bh=cFQL9dhpI4C3gQpGhdQPPxqtLx+AkNMFtv71pGVgYeU=; h=Message-ID:Date:MIME-Version:To:From; b=CBG0EO28/s4RrjKtHS5m5gfzeR7XkzRJLJa9WsuQ24jARHxoWWQI8TtsZuFMadzq/ 2LeQHlgBIFhFy2HlPrZuYMZFbTVQ1N97si3oGFVs0b0Hm3VkwSv1oSCid1vNmckhx1 3MRSi9i4t33s+sso6JAYNoSTIEtiWTXKZzXzRGPQ=
Received: from zimbrang.isc.org ([127.0.0.1]) by localhost (zimbrang.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id dEXfA-Q4bwWr for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:55 +0000 (UTC)
Received: from [192.168.0.158] (ip-86-49-243-194.bb.vodafone.cz [86.49.243.194]) by zimbrang.isc.org (Postfix) with ESMTPSA id C3A78F29040 for <dns-privacy@ietf.org>; Tue, 28 Mar 2023 07:54:54 +0000 (UTC)
Message-ID: <085f2f0a-17d2-2718-c9b0-b7171a4fc367@isc.org>
Date: Tue, 28 Mar 2023 09:54:52 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0
Content-Language: en-US
To: dns-privacy@ietf.org
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net> <m1y1niraw8.fsf@narrans.de>
From: Petr Špaček <pspacek@isc.org>
In-Reply-To: <m1y1niraw8.fsf@narrans.de>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/I8TkCHGP0Lk6Q3CvTxexC_CFQus>
Subject: Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 07:55:02 -0000
On 27. 03. 23 8:00, Florian Obser wrote: > Hi there! > > first, there is a typo in section 4.5: > > The recursive resolver SHOULD keep a record of the state for each > authoritative server it contacts, indexed by the IP address of the > authoritative server and the encrypted transports supported by the > recursive resolver. > > Should be > > The recursive resolver SHOULD keep a record of the state for each > authoritative server it contacts, indexed by the IP address of the > authoritative server and the encrypted transports supported by the > authoritative server. > > i.e. the s/recursive resolver/authoritative server/ in the last line > > Secondly, it has already been noted that it is OPTIONAL for an > authoritative server to implement *this* protocol. I presume *this* > protocol meaning support for unilateral probing. > > However unilateral probing restricts how DoT / DoQ can be deployed. > > This is first hinted at in "3.3. Server Name Indication": > However, such a server MUST NOT serve resource records > that differ based on SNI (or on the lack of SNI) provided by the > client, because a probing recursive resolver that offers SNI might or > might not have used the right server name to get the records it is > looking for. > > And later in "4.2. Maintaining Authoritative State by IP Address": > > In designing a probing strategy, the recursive resolver could record > its knowledge about any given authoritative server with different > strategies, including at least: > > * the authoritative server's IP address, > > * the authoritative server's name (the NS record used), or > > * the zone that contains the record being looked up. > > This document encourages the first strategy, to minimize timeouts or > accidental delays. This document does not describe the other two > strategies because the first is strongly encouraged. > > An authoritative server operator might want to offer DoT/DoQ as a > "premium service" to its customers, this drafts prevents them from doing > so. Or they need to setup dedicated IP addresses for the premium zones. > > a.ns.example.net AAAA 2001:db::1:53 > > Normal zone: > example.org NS a.ns.example.net > > Premium zone: > example.com NS a.ns.example.net > > Querying a.ns.example.net for example.com SOA on Do53 and DoT will > result in NOERROR, so the recursive resolver will assume that > a.ns.example.net supports unilateral probing. > Querying a.ns.example.net for example.org SOA on DoT however will result > in REFUSED, while querying on Do53 would result in NOERROR. > > For the imagined authoritative server operator to be compliant with this > draft they'd need to change their setup to something like this: > > a.ns.example.net AAAA 2001:db::1:53 > b.ns.example.net AAAA 2001:db::2:53 > > Normal zone: > example.org NS a.ns.example.net > > Premium zone: > example.com NS b.ns.example.net > > I have no opinion on whether this is a sensible business strategy but it > feels odd that this document normatively restricts what a DoT / DoQ > authoritative server can do. > > At the very least this should be pointed out, e.g. at the end of > 3. Guidance for Authoritative Servers: > > An authoritative server implementing DoT or DoQ MUST authoritatively > server the same zones over all supported transports. > > This still makes me feel uneasy though. TL;DR: From my point of view the text is good as it is. I would feel really uneasy in the opposite case, i.e. if the requirement was dropped. Doing probing **per zone** adds lots of state and attempts. Right now most transport-level state in BIND is currently tied to peer's IP address (as opposed to [IP, zone] combination) and I don't see compelling reason to change that. -- Petr Špaček Internet Systems Consortium
- [dns-privacy] WGLC : draft-ietf-dprive-unilateral… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Joey Salazar
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Hollenbeck, Scott
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Wessels, Duane
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Stephane Bortzmeyer
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Stephane Bortzmeyer
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Petr Špaček
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Ralf Weber
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Stephane Bortzmeyer
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Ralf Weber
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Tim Wicinski
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Tim Wicinski
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Brian Haberman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Tim Wicinski
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Peter van Dijk
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Peter van Dijk
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Paul Hoffman
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Eric Vyncke (evyncke)
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… joeygsal