IETF Logo Mail Archive

Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing

Florian Obser <florian+ietf@narrans.de> Mon, 27 March 2023 06:01 UTC

Return-Path: <florian+ietf@narrans.de>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EA70C151B17 for <dns-privacy@ietfa.amsl.com>; Sun, 26 Mar 2023 23:01:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pi6ew7IAxtEI for <dns-privacy@ietfa.amsl.com>; Sun, 26 Mar 2023 23:01:10 -0700 (PDT)
Received: from imap.narrans.de (michelangelo.narrans.de [IPv6:2001:19f0:6c01:821:5400:1ff:fe33:a36d]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87441C151B1A for <dns-privacy@ietf.org>; Sun, 26 Mar 2023 23:01:06 -0700 (PDT)
Received: from pinkunicorn (dhcp-81b2.meeting.ietf.org [31.133.129.178]) by michelangelo.narrans.de (OpenSMTPD) with ESMTPSA id 371bee0d (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO) for <dns-privacy@ietf.org>; Mon, 27 Mar 2023 08:01:00 +0200 (CEST)
From: Florian Obser <florian+ietf@narrans.de>
To: dns-privacy@ietf.org
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net>
Date: Mon, 27 Mar 2023 15:00:55 +0900
In-Reply-To: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net> (Brian Haberman's message of "Sun, 12 Mar 2023 11:43:06 -0400")
Message-ID: <m1y1niraw8.fsf@narrans.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (darwin)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/RexzZPrgNHbdLWteUS7iqnKQeDE>
Subject: Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2023 06:01:14 -0000

Hi there!

first, there is a typo in section 4.5:

   The recursive resolver SHOULD keep a record of the state for each
   authoritative server it contacts, indexed by the IP address of the
   authoritative server and the encrypted transports supported by the
   recursive resolver.

Should be

   The recursive resolver SHOULD keep a record of the state for each
   authoritative server it contacts, indexed by the IP address of the
   authoritative server and the encrypted transports supported by the
   authoritative server.

i.e. the s/recursive resolver/authoritative server/ in the last line

Secondly, it has already been noted that it is OPTIONAL for an
authoritative server to implement *this* protocol. I presume *this*
protocol meaning support for unilateral probing.

However unilateral probing restricts how DoT / DoQ can be deployed.

This is first hinted at in "3.3.  Server Name Indication":
   However, such a server MUST NOT serve resource records
   that differ based on SNI (or on the lack of SNI) provided by the
   client, because a probing recursive resolver that offers SNI might or
   might not have used the right server name to get the records it is
   looking for.

And later in "4.2. Maintaining Authoritative State by IP Address":

   In designing a probing strategy, the recursive resolver could record
   its knowledge about any given authoritative server with different
   strategies, including at least:

   *  the authoritative server's IP address,

   *  the authoritative server's name (the NS record used), or

   *  the zone that contains the record being looked up.

   This document encourages the first strategy, to minimize timeouts or
   accidental delays.  This document does not describe the other two
   strategies because the first is strongly encouraged.

An authoritative server operator might want to offer DoT/DoQ as a
"premium service" to its customers, this drafts prevents them from doing
so. Or they need to setup dedicated IP addresses for the premium zones.

a.ns.example.net AAAA 2001:db::1:53

Normal zone:
example.org NS a.ns.example.net

Premium zone:
example.com NS a.ns.example.net

Querying a.ns.example.net for example.com SOA on Do53 and DoT will
result in NOERROR, so the recursive resolver will assume that
a.ns.example.net supports unilateral probing.
Querying a.ns.example.net for example.org SOA on DoT however will result
in REFUSED, while querying on Do53 would result in NOERROR.

For the imagined authoritative server operator to be compliant with this
draft they'd need to change their setup to something like this:

a.ns.example.net AAAA 2001:db::1:53
b.ns.example.net AAAA 2001:db::2:53

Normal zone:
example.org NS a.ns.example.net

Premium zone:
example.com NS b.ns.example.net

I have no opinion on whether this is a sensible business strategy but it
feels odd that this document normatively restricts what a DoT / DoQ
authoritative server can do.

At the very least this should be pointed out, e.g. at the end of
3. Guidance for Authoritative Servers:

   An authoritative server implementing DoT or DoQ MUST authoritatively
   server the same zones over all supported transports.

This still makes me feel uneasy though.

-- 
In my defence, I have been left unsupervised.

v2.23.0 | Report a Bug | By Email