Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing
"George (Yorgos) Thessalonikefs" <george@nlnetlabs.nl> Fri, 07 April 2023 12:56 UTC
Return-Path: <george@nlnetlabs.nl>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 432A5C15171B for <dns-privacy@ietfa.amsl.com>; Fri, 7 Apr 2023 05:56:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rRGX-zsGUrcG for <dns-privacy@ietfa.amsl.com>; Fri, 7 Apr 2023 05:56:17 -0700 (PDT)
Received: from mail-ej1-x636.google.com (mail-ej1-x636.google.com [IPv6:2a00:1450:4864:20::636]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22260C151539 for <dns-privacy@ietf.org>; Fri, 7 Apr 2023 05:56:16 -0700 (PDT)
Received: by mail-ej1-x636.google.com with SMTP id l15so8208233ejq.10 for <dns-privacy@ietf.org>; Fri, 07 Apr 2023 05:56:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=google; t=1680872175; h=content-transfer-encoding:subject:in-reply-to:content-language :references:to:from:user-agent:mime-version:date:message-id:from:to :cc:subject:date:message-id:reply-to; bh=7g9IlX8RdnjECwe3Nd8kU+TSqNHEI/u0m5DUyd4Hc2g=; b=J2wu5TqqHyq8acLWLWVzNkzmvJRrl42Mt+cpnZchrmJgXOevjBzVQnNx28NzaQ7F86 muLlJ0NtTMb+4WwGJxe6invhFiMaiawo4YrG/RBEgFNdb1HQyv6n5pNFHR1G35QHCjsy oCWTcKnMVfeL5p1V4q+oR+3DGX+MOtye2+ssEnXVHFFSWooU3DaCPAf7FE9f8PpYdUJl tpOvmeX5zsIt5Ar9NDreD1c4POtH5UZxbkRq0SVNz5j0E0AioUvBDMqyvgyGiVZbZMb5 wkGlS/swMgVH4dsQXqmRxdEbIO9UUvbfTLF+Rh3lsb8YOC/htyPe+0TRmcCBXvMLsDIE rlZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680872175; h=content-transfer-encoding:subject:in-reply-to:content-language :references:to:from:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=7g9IlX8RdnjECwe3Nd8kU+TSqNHEI/u0m5DUyd4Hc2g=; b=ZYw0/R+3hNX/YbjJSNOF1KZUToED7GWi+76Ato9TGMKuabx8XtCeNljk3MUUChlN0L RsJrg0z2uAdunskgrDyUPANzSBJ4eAxJEJk1/PiteWJJDzE0uEgeDIO8WyKnEUXQfrzj 3kxMOTojvrU+M/L0AqBnAJcAY2Fvky99EtsX1kb57a4570NYaqKphXc675Mkgd8lSyJc G7z0WYoDQQbN8eR/r7NU0ZkByoR5/4gVds049Pvv+wdkn9j5+P7wKJmfDI3xsvf5vjN/ v22eWqhbOBWpB2LMenUBOSQxicusWgZeltvoKF0u+kYdaTkVcFHVhE/OGG+F1nvUGQpv RcjA==
X-Gm-Message-State: AAQBX9c5YT44MfuRkMbPrZ96SXTJoLy5ME7hfhbharTkxYX3hF84SyUP 07D10HiISYyS2/PCmAZk1hRbiZ3/CofP+6a7i+s=
X-Google-Smtp-Source: AKy350ZNSlhMMo6iX+yehINbvMZ6SDu3J/kSaswfmzqJPcCFD3Tnm8PoZ7R832r42NASiZrHeDCMXw==
X-Received: by 2002:a17:907:76fa:b0:92f:de0c:c914 with SMTP id kg26-20020a17090776fa00b0092fde0cc914mr2345047ejc.28.1680872174635; Fri, 07 Apr 2023 05:56:14 -0700 (PDT)
Received: from ?IPV6:2a02:a465:9fdd:1:dd3b:33a8:76b7:8446? (2a02-a465-9fdd-1-dd3b-33a8-76b7-8446.fixed6.kpn.net. [2a02:a465:9fdd:1:dd3b:33a8:76b7:8446]) by smtp.gmail.com with ESMTPSA id lf11-20020a170907174b00b0092b546b57casm2003043ejc.195.2023.04.07.05.56.13 for <dns-privacy@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 07 Apr 2023 05:56:14 -0700 (PDT)
Message-ID: <aad1b9d8-9594-5ae7-2760-8356755b4599@nlnetlabs.nl>
Date: Fri, 07 Apr 2023 14:56:12 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
From: "George (Yorgos) Thessalonikefs" <george@nlnetlabs.nl>
To: dns-privacy@ietf.org
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net> <CAEhLrahR43992NYmz05F+3YsOeAkOLbY0PSzKC_iuhPSr=3oEg@mail.gmail.com> <ZCFS03zuj0ZDu/FO@laperouse.bortzmeyer.org>
Content-Language: en-US
In-Reply-To: <ZCFS03zuj0ZDu/FO@laperouse.bortzmeyer.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/U63a-sl9SfZDPp8aqcasNGNYDUI>
Subject: Re: [dns-privacy] WGLC : draft-ietf-dprive-unilateral-probing
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Apr 2023 12:56:21 -0000
Hi all, On 27/03/2023 10:24, Stephane Bortzmeyer wrote: > * Unbound implementation is not ready, but I let Yorgos elaborate on > this point. The Unbound implementation is far from ready but the hackathon time was well spent to identify needed changes to Unbound to cleanly support unilateral probing and to look closely at the draft. I will continue with the development in the future and report back here with the results. Some initial notes for that if you are interested: - The feature is going to be off by default; - When turned on, the default further probing configuration will be to actively probe new servers in an attempt to ease testing; - Retaining data across reset as per section 4.5 will not be included, at least in the initial implementation. Now on with my comments for the draft, sorry for the wall of text :) ## A - ALPN In section 4.4 there is mention of ALPN for the resolver (a MUST if I read it correctly) but there is no mention of ALPN for the authoritative side in the document. ## B - Resolver source IP Section 4.5.1 describes keeping state based on the resolver's own source IP. This is to support the guidance from section 3.1 where it says: To avoid incurring additional minor timeouts for such a recursive resolver, the pool operator SHOULD either: * ensure that all members of the pool enable the same encrypted transport(s) within the span of a few seconds, or * ensure that the load balancer maps client requests to pool members based on client IP addresses. My interpretation of this text is that the first bullet point is for offering the same transport service with a slight hiccup during update, whereas the second bullet point is for offering different transport services on individual servers of the pool. The worst case for the former is that the pool is going to be labeled as supporting encryption at most 1 day (damping variable) later, based on which servers are reached from the pool. This looks fine for me and no extra state keeping (i.e., resolver own source IP) is needed. I find trying to keep extra state per resolver source IP for the latter case particularly challenging. Especially if the resolver is not configured with explicit outgoing interfaces, thus default route, and needs to observe its own source address from the reply, which may not be available next time around thus giving bind()/send() errors and introducing retry code paths. All this while the measure does not guarantee to solve the different-transport-service-behind-a-single-IP case as it depends heavily on the network. I understand that partial rollout is meant to test the waters for an authoritative operator but I believe using a separate IP for enabling DoT and/or DoQ for testing would make things simpler for both sides. I don't have an operator's hat but is a pool with variable transport services something that we actively want to support? ## C - Failure identification There is mention in the draft about successful and unsuccessful DNS replies. SERVFAIL is used as an example of an unsuccessful DNS reply. Following the pseudo code in the draft, a SERVFAIL answer in all the transports, which IMHO is an already usable DNS answer for the resolver, will make the resolver to wait for all the transport replies before considering using the SERVFAIL as the final answer. My opinion is that any RCODE in the reply is a successful DNS answer (of course with matching ID, qname, etc). Otherwise we introduce something like a healthcheck per transport, see which transport replies "better" and use that. I believe this aligns with Stephane's observation during the hackathon about different answers on 53 and 853 and needs addressing in section 3 to clearly state that a nameserver's reply to a given query must be the same regardless of the transport used (maybe not the best text if TC is also to be considered but I hope I get my message across :) Maybe also define an unsuccessful "reply" as timeout/connection shutdown instead of non-preferable RCODEs? There is already logic in resolvers to handle different RCODEs. What I am trying to say is to not base the usability of the encrypted transport on the DNS replies themselves. IMHO as long as there are DNS replies there, the encrypted transport is usable and preferable. ## D - Wording knit In sections 4.6.2 and 4.6.9 the following is said: If R is successful: - Return R to the requesting client It may well be the case that the R is to an internal query and there is no requesting client waiting for an answer. Would the following work better? If R is successful: - R is further processed by the resolver ## E - Possible bug In sections 4.6.2 and 4.6.9 the following is said after receiving a successful reply: - If Q is in N-queries[X]: - Remove Q from N-queries[X] I believe this is a bug and needs to be removed since future, slower replies from the N transport will not be allowed to update the relevant metrics as section 4.6.9 will stop further processing by the following text: If Q is not in E-queries[X]: - Discard R and process it no further (do not respond to a encrypted response to a query that is not outstanding) In general I support the idea of the draft but I believe we need to iron out the expectations on both sides, also regarding Florian's recent comments about per zone answers and thread-intelligence systems behavior. Thanks for considering and best regards, -- Yorgos > > Some questions were raised about the draft, giving the experience with > PowerDNS Recursor: > > * If the ADoT server replies but the reply indicates an error, > such as SERVFAIL or REFUSED, should the resolver retries without > DoT? PowerDNS recursor does it, but it seems it would make more > sense to accept the reply, and just to remind system > administrators that port 853 and 53 should deliver consistent > answers. The draft seems clear on the first point (as long as > there is a properly formatted DNS request, regard the server as > DoT-enabled) but not on the second (no clear reminder for > authoritative name servers). > > * What should be the criteria to select an authoritative name > server to query? Should we prefer a fast insecure server or a slow > encrypted one? The draft does not mention it, because it is local > policy. (PowerDNS recursor has apparently no way to change its > default policy, which is to use the fastest one, DoT or > not.) The draft does not mandate such a knob in the authoritative > server, again, IETF typically does not tell endpoints how they have > to be configured.
- [dns-privacy] WGLC : draft-ietf-dprive-unilateral… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Joey Salazar
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Hollenbeck, Scott
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Wessels, Duane
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Stephane Bortzmeyer
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Stephane Bortzmeyer
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Petr Špaček
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Ralf Weber
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Stephane Bortzmeyer
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Ralf Weber
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Tim Wicinski
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Tim Wicinski
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Brian Haberman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Tim Wicinski
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Peter van Dijk
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Peter van Dijk
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Paul Hoffman
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Eric Vyncke (evyncke)
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… joeygsal