Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-unilateral-probing
Florian Obser <florian+ietf@narrans.de> Fri, 30 June 2023 16:08 UTC
Return-Path: <florian+ietf@narrans.de>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC2B6C14CE4C; Fri, 30 Jun 2023 09:08:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7ty-IALGuPn; Fri, 30 Jun 2023 09:08:45 -0700 (PDT)
Received: from imap.narrans.de (michelangelo.narrans.de [45.77.55.97]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA512) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35C7FC14CF15; Fri, 30 Jun 2023 09:08:42 -0700 (PDT)
Received: from pinkunicorn (2001-1c00-270d-e800-fd19-97e0-b7b3-dd00.cable.dynamic.v6.ziggo.nl [2001:1c00:270d:e800:fd19:97e0:b7b3:dd00]) by michelangelo.narrans.de (OpenSMTPD) with ESMTPSA id f6ff2dee (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Fri, 30 Jun 2023 18:08:37 +0200 (CEST)
From: Florian Obser <florian+ietf@narrans.de>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "dns-privacy@ietf.org" <dns-privacy@ietf.org>, "dnsdir@ietf.org" <dnsdir@ietf.org>
References: <64e17d73-ea1a-00cb-a8a5-b5cfb39c37ae@innovationslab.net> <CADyWQ+HMj5NH1g_oCTNxYkGDmp2L3EwmMyOv2-bXeXvp5kvm0A@mail.gmail.com> <6B55CCC0-069F-43DD-B9DA-024E4334D6F4@icann.org> <20c5ac1666e4428b8ffa70c7b9e8a19c@verisign.com> <CADyWQ+HJ7ZLWfwxr6vb9HsERMJXuu-1zD_=cr4S+mZ1ieWrYwQ@mail.gmail.com> <0007CDA7-ADD3-43BB-B5D3-3B1810206E0E@icann.org> <8fbed8926b3f4e28b9f3f76a85e0b619@verisign.com> <CANMuhxt5cE--GUtapEL69dFkAFSU5dF3psMCgNRKj8_dXpsFLA@mail.gmail.com> <ABE27A4A-BA96-4505-A3E3-1FE83CAA5A63@icann.org> <m1q6YGM-0000KoC@stereo.hq.phicoh.net> <3B79D45A-1F95-4A4A-9F8D-D3D9C424B4B2@icann.org> <m1q6oAa-0000KqC@stereo.hq.phicoh.net> <E68DAF11-E748-4F3C-AAD3-4E5921B652D9@icann.org> <m1q7FM5-0000LSC@stereo.hq.phicoh.net> <9E965077-D2BA-46C7-99EC-5B4C37918069@icann.org> <m1q82YG-0000MXC@stereo.hq.phicoh.net> <B2088F5F-60B6-4796-B16F-ED7F42838B72@icann.org> <m14jndnsh3.fsf@narrans.de> <B9001CCC-3686-4EED-8B2E-856291269240@icann.org> <m1ilbqhsyr.fsf@narrans.de> <24B7D6A7-0200-431F-87C8-913D92C68C8C@icann.org>
Date: Fri, 30 Jun 2023 18:08:35 +0200
In-Reply-To: <24B7D6A7-0200-431F-87C8-913D92C68C8C@icann.org> (Paul Hoffman's message of "Sat, 24 Jun 2023 22:17:21 +0000")
Message-ID: <m15y75szjw.fsf@narrans.de>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (darwin)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/vLbeBAfk3u5v_3f6kM2rrngvBtM>
Subject: Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-unilateral-probing
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Addition of privacy to the DNS protocol <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jun 2023 16:08:50 -0000
Apologise for the late response, I'm slowly working through a huge pile of emails. On 2023-06-24 22:17 UTC, Paul Hoffman <paul.hoffman@icann.org> wrote: > On Jun 14, 2023, at 10:08 AM, Florian Obser <florian+ietf@narrans.de> wrote: >> >> On 2023-06-12 19:48 UTC, Paul Hoffman <paul.hoffman@icann.org> wrote: >>> On Jun 12, 2023, at 1:46 AM, Florian Obser <florian+ietf@narrans.de> wrote: >>>> >>>> On 2023-06-10 22:48 UTC, Paul Hoffman <paul.hoffman@icann.org> wrote: >>>>> On Jun 10, 2023, at 1:38 PM, Philip Homburg <pch-ietf-dprive@u-1.phicoh.com> wrote: >>>>>> >>>>>>> In such a case, resolvers following >>>>>>> this protocol will look for authoritative answers to ports 53 and >>>>>>> 853 on that system, and the system would need to be able to >>>>>>> differentiate queries for recursive answers from queries for >>>>>>> authoritative answers. >>>> >>>> I think this needs some MUST requirements because it's an interop >>>> problem. >>> >>> Please say more. Would this be MUST requirements on resolvers, auth servers, or both? What requirements would you suggest? >>> >> >> It's on the recursive resolvers. People have been happily providing open >> resolvers using DoT on port 853. Now a new standard comes out that is >> OPTIONAL for auths and OPTIONAL for recursive resolvers that still >> changes what auths and recursive resolvers are allowed to do. >> >> "Recursive resolvers when implementing this protocol MUST ignore answers >> from recursive resolvers on port 853." >> >> Clearly this needs word smithing. > > Maybe I'm being dense, but I'm not sure how this differs at all from > today on port 53. If someone lists 9.9.9.9 as authoritative for > fournines.com, and a recursive resolver queries it, doesn't it have > *exactly* the same problem as you are saying this document creates for > port 853? > Yes, but that's not what I'm suggesting. Let me try again. Say I have example.com NS ns1.example.com ns1.example.com A 192.0.2.53 ns1.example.com is answering authoritatively for example.com on udp/53 and tcp/53 since November 1987. All recursive resolvers are happy. Come May 2016, RFC 7858 tells me I can run a recursive resolver on port 853 using TLS. I decide to run an open DoT resolver and since I'm out of IPv4 I run this on 192.0.2.53 port 853. Still, all recursive resolvers are happy. They never talk to port 853 and they get authoritative answers on udp/53 and tcp/53. example.com is still resolvable. Stub resolvers are also happy, they use my open DoT resolver and ask for anything with RD flag set, so they get an answer. Now this draft comes along. I do nothing on ns1.example.com. The draft says unilateral and it says it's OPTIONAL for authoritative servers. A recursive resolver implementing this draft will probe on 853 without RD set. ns1.example.com will respond with refused. The recursive resolver will answer SERVFAIL. At least that's how I'm reading 4.6.9. R is successful, (it's not a timeout or connection closed), so we do this: If R is successful: * R is further processed by the resolver Well, the resolver got REFUSED and there are no more NS to try. It can only answer SERVFAIL. Therefore example.com is no longer resolvable. This draft breaks a valid configuration that has been working since 2016. That's why I'm saying that a recursive resolver while probing MUST be prepared to encounter open resolvers on 853 and not assume that that's a successful probe. -- In my defence, I have been left unsupervised.
- [dns-privacy] WGLC : draft-ietf-dprive-unilateral… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Joey Salazar
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Hollenbeck, Scott
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Wessels, Duane
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Stephane Bortzmeyer
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Stephane Bortzmeyer
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Petr Špaček
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Ralf Weber
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Stephane Bortzmeyer
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Ralf Weber
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Tim Wicinski
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Tim Wicinski
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Brian Haberman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… George (Yorgos) Thessalonikefs
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Rob Sayre
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Tim Wicinski
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Philip Homburg
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Hollenbeck, Scott
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Florian Obser
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Peter van Dijk
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Peter van Dijk
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Paul Hoffman
- Re: [dns-privacy] [dnsdir] [Ext] WGLC : draft-iet… Florian Obser
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Brian Haberman
- Re: [dns-privacy] WGLC : draft-ietf-dprive-unilat… Eric Vyncke (evyncke)
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… Paul Hoffman
- Re: [dns-privacy] [Ext] WGLC : draft-ietf-dprive-… joeygsal