Re: [dns-privacy] Alternative signalling propsals
Warren Kumari <warren@kumari.net> Fri, 14 December 2018 21:19 UTC
Return-Path: <warren@kumari.net>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9CF1130E84 for <dns-privacy@ietfa.amsl.com>; Fri, 14 Dec 2018 13:19:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.357
X-Spam-Level:
X-Spam-Status: No, score=-3.357 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, TVD_PH_BODY_META_ALL=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kdV8Nrxzi59s for <dns-privacy@ietfa.amsl.com>; Fri, 14 Dec 2018 13:19:50 -0800 (PST)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B98B130E7C for <dns-privacy@ietf.org>; Fri, 14 Dec 2018 13:19:50 -0800 (PST)
Received: by mail-wm1-x330.google.com with SMTP id q26so7082836wmf.5 for <dns-privacy@ietf.org>; Fri, 14 Dec 2018 13:19:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ugtz1y6U93xMs4hXgKV+uaLVsKTf3NYLfHMWmhsBvYQ=; b=h65slkPpwLMjbz0SxbzIUYk30mh7HQ7/rGNwJE333+bLpX4GLZelWxOGJ6Tr8ujBkx xrQbnAmE6cjxGzrTaZw60L0BJhgbMffuPIYLf/fUsUn4rFRwbffnH5gRXtnRy31K4QIN JhSSXa3KyYJfB+bx8mYCCyNkzb/vNMzj0kV+w7aCOGnhmriBbjbxLEpkq3AsZjTQgKdf cT/twtVMZgl5Kt7/ZfRLAFCeu69VG3IKT0ujza+iIA6ywdk9YLFr14lpoJpw4QASof8o RC1v5ocYmpJ5QuF3QWx/u0a5grKA2cFo7Y7TpE5bPCGqlFiPzwvS8aIhKJEWs/qgQQhz n8Kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ugtz1y6U93xMs4hXgKV+uaLVsKTf3NYLfHMWmhsBvYQ=; b=E76Pi4xJJlv08T1T1pH48WOfZG63TQ54jceRoSmy6AVYEHmegfSmFBdeYoWgz5RsuC e9PBxhZE/lrGihGVvlJUDX08dSbMGPFDu/jAWQVwomUHSLBPCsysLqiPtGe6SVIU0xPn 0mZcxNCzThrhlgfgMa51TI7WQUdypfhBKSXOVC3XQCaf8X1ddu9PXTfg/8yPdiWulwbP VELkSD8Em7CKwOlxASLFe7Zi+rYPjjQwrdkNfGGZYi2EXJg7OJ5CSO7EjfRYLEYiqlXD NQrN0Vvlzt+YfxejBMPfG/+j98UQwOnvDB50QOvfk/jCbIAZjnaL6SXWdQzsxLBvaskK 5CQA==
X-Gm-Message-State: AA+aEWbJ9ti//Q9eB2Hif5T18I3P3/VWKPY/Gx0GOnyQX/oF2qEXB4sC 3xrHA3kEnSKHR9SGuF/Mk/VSqR2R8LFPfonJDCgHPQ==
X-Google-Smtp-Source: AFSGD/VNNkmSGfS47sMC8VU5srdf7MN39EHSwCEXoKL0ml5jsdFwggaGMlW1uPdxR80b1PsxN3itfxATei2aRHAFsAU=
X-Received: by 2002:a7b:c853:: with SMTP id c19mr4251490wml.61.1544822388135; Fri, 14 Dec 2018 13:19:48 -0800 (PST)
MIME-Version: 1.0
References: <74C380A3-C69F-4340-A723-B134F052953E@akamai.com>
In-Reply-To: <74C380A3-C69F-4340-A723-B134F052953E@akamai.com>
From: Warren Kumari <warren@kumari.net>
Date: Fri, 14 Dec 2018 16:19:10 -0500
Message-ID: <CAHw9_iKcYoW2U=fLM=HqGY0=JHAd13Dc5pbue53d64SgE3bUwg@mail.gmail.com>
To: jreed@akamai.com
Cc: dns-privacy@ietf.org
Content-Type: multipart/alternative; boundary="000000000000afb12c057d01fdbc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/iREsLRPuLj2KnVOXKgHE4nOodKY>
Subject: Re: [dns-privacy] Alternative signalling propsals
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Dec 2018 21:19:54 -0000
On Fri, Dec 14, 2018 at 12:43 PM Reed, Jon <jreed@akamai.com> wrote: > I'd like to start a thread about alternatives to encoding fingerprints in > NS names. As I noted in the meeting (unless I'm significantly > misunderstanding the proposal), this is a non-starter for large operators > like us. It's not feasible to get our customers to change every NS record > in their thousands of domains, and there's no way to do any sort of > incremental rollout. Customers are reluctant to even finish KSK rotations > (by updating the DS in the parent), I can't imagine trying to get them to > update NS records to enable this feature, let alone update them for an > emergency keypair rotation. > > We use the encoding in our infrastructure zone that hosts customer > authoritative NS names (in this case, akam.net), but that creates a gap > in the chain. > > On the call, someone (Wes?) proposed an alternative such as records in the > reverse zones. That would be a huge win for us, since we have a small > finite set of nameserver IPs, and easily control our reverse zones (as, I > would imagine, do other large providers). I wasn't in Bangkok, so I'm not > sure if there were any specific implementation proposals kicked around, but > I'd like to start talking about what that would look like. Something > TLSA-ish at the reverse name for the nameserver IP? There's obviously > some overhead with the recursive having to look up reverse names for NS > IPs, but large TTL values could help with that. > One of the stated reasons for browsers not doing DANE / TLSA was having to wait for the TLSA record to come back before you can connect. "Ah! Fine..", says I, "Just do these in parallel -- you will get back the TLSA record at about the same time as the A or AAAA. You could even be smart and start making the TCP connection if you happen to get back the A first. There, I fixed it for you...[0]". Turns out this doesn't (or, at least, didn't) work -- yes, ~1/2 the time the TLSA record will come in first, and ~1/2 the time it will be second -- but, when it is second: A: you often don't know if it will ever show up and B: sometimes is it really really second / your query got lost and you need to ask again, after a suitable backoff. In a well functioning Internet you could do something clever like wait for "a little bit more" than the time it took to get the A (1.5 times?) and, if you haven't gotten an NXDOMAIN assume your query got lost -- unfortunately the DNS is messy - a notable number of servers seem to not bother sending NXDOMAIN, some middleboxes (or stupid implementations) drop Q types they don't understand, etc. Hopefully the world has gotten better since this research[1], and hopefully the Recursive to Auth path is better then the Stub to Recursive path, but it is definitely worth confirming / checking... This sort of problem was one of the motivations for Wes and my Multiple Responses ( https://datatracker.ietf.org/doc/draft-wkumari-dnsop-multiple-responses/ , https://datatracker.ietf.org/meeting/96/materials/slides-96-dnsop-6 ) and various other solutions, including multiple Q types, etc (https://datatracker.ietf.org/doc/draft-bellis-dnsext-multi-qtypes/, https://datatracker.ietf.org/meeting/99/materials/slides-99-dnsop-sessb-multiple-responses-multi-qtypes-00 W [0]: "Oh, that was easy," says I, and for an encore went on to prove that black is white and got myself killed on the next pedestrian crossing.” (with apologies to Douglas Adams) [1]: Citation needed :-). I've seen a number of papers showing the DNS long tail - I think Giovane was the author of at least one... > > -Jon > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy > -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [dns-privacy] Alternative signalling propsals Reed, Jon
- Re: [dns-privacy] Alternative signalling propsals Warren Kumari
- Re: [dns-privacy] Alternative signalling propsals Jon Reed
- Re: [dns-privacy] Alternative signalling propsals Warren Kumari
- Re: [dns-privacy] Alternative signalling propsals Paul Wouters
- Re: [dns-privacy] Alternative signalling propsals Stephen Farrell
- Re: [dns-privacy] Alternative signalling propsals Daniel Kahn Gillmor
- Re: [dns-privacy] Alternative signalling propsals Daniel Kahn Gillmor
- Re: [dns-privacy] Alternative signalling propsals Stephen Farrell
- Re: [dns-privacy] Alternative signalling propsals Mark Andrews
- Re: [dns-privacy] Alternative signalling propsals Wes Hardaker
- Re: [dns-privacy] Alternative signalling propsals Paul Wouters
- Re: [dns-privacy] Alternative signalling propsals Warren Kumari
- Re: [dns-privacy] Alternative signalling propsals Tony Finch
- Re: [dns-privacy] Alternative signalling propsals Wes Hardaker
- Re: [dns-privacy] Alternative signalling propsals Petr Špaček