Re: [dnsdir] [DNSOP] Dnsdir last call review of draft-ietf-dnsop-dns-catalog-zones-08
Peter Thomassen <peter@desec.io> Tue, 03 January 2023 17:48 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsdir@ietfa.amsl.com
Delivered-To: dnsdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06F4EC14F6E5; Tue, 3 Jan 2023 09:48:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MHeZhT7FNQFp; Tue, 3 Jan 2023 09:48:49 -0800 (PST)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D875C14EB1E; Tue, 3 Jan 2023 09:48:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:Subject:From :References:Cc:To:MIME-Version:Date:Message-ID:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=zezugij34UwfjdF/35OKjJOCulYgkZ4ZRY7HUCSqBVo=; b=pAqP2DCad7UMUB0Lp/RTQtiM3y A5MzO7n5JZAXOkjestlFKyF360yk0fWB7Mekp6yeCDwEsWvSmAF/JTPx3p+EM/PlCAPainxgfqlDp ckbt4CJuMPhrpYmZqYhZ0w3BtFYNvMVVXUSx9cEnW5/Npk3W2JdzttsHAbQY4xeyOOtA+wWXE5BXr 61s+pwSxURRRGLnClDXMwv6aRhBU+5LbFCL3fCWAJbke/q27p4KR4GA8bWobS9nrrR8wBrZJL08Vn nVAqJWcMIqV6GM7rDt5zaGPrYhfXyPz71oxLaozyVolzZndLu5kkVOTEj9zj3JkXWZ78WCeexPOV2 g84e0ATA==;
Received: from [90.187.67.221] (helo=[192.168.188.94]) by mail.a4a.de with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <peter@desec.io>) id 1pClP1-0006EH-6X; Tue, 03 Jan 2023 18:48:43 +0100
Message-ID: <f0c3255b-c1a3-c3c3-0685-858a71234505@desec.io>
Date: Tue, 03 Jan 2023 18:48:42 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2
Content-Language: en-US
To: David Blacka <davidb@verisign.com>, dnsdir@ietf.org
Cc: dnsop@ietf.org, draft-ietf-dnsop-dns-catalog-zones.all@ietf.org, last-call@ietf.org
References: <167216124072.53631.9662541115611789670@ietfa.amsl.com>
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <167216124072.53631.9662541115611789670@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsdir/BzyIe6eG_v27yAarxedL9ar8DPU>
Subject: Re: [dnsdir] [DNSOP] Dnsdir last call review of draft-ietf-dnsop-dns-catalog-zones-08
X-BeenThere: dnsdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Directorate <dnsdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsdir/>
List-Post: <mailto:dnsdir@ietf.org>
List-Help: <mailto:dnsdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2023 17:48:54 -0000
Hi David, Thank you for your review. Please see inline. On 12/27/22 18:14, David Blacka via Datatracker wrote: > Reviewer: David Blacka > Review result: Ready with Nits > > Reviewer: David Blacka > Review Result: Ready with Nits > > Hi, I'm the designated DNS Directorate (dnsdir) reviewer for this document. > Overall, I think this draft is in pretty good shape. I have a nit and a few > overall comments. > > First, a small typo that could be fixed. In section 7, > >> As catalog zones are transmitted using DNS zone transfers, it is > RECOMMENDED that catalog zone transfer are protected from unexpected > modifications by way of authentication, > > should be: > >> As catalog zones are transmitted using DNS zone transfers, it is > RECOMMENDED that catalog zone transfers are protected from unexpected > modifications by way of authentication, > > That is, "transfer" should be "transfers". Done. This and other changes below are part of the following PR that will be merged along with changes from other reviews: https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/pull/55/commits > Second, some comments: > > This draft is not quite definitive on whether or not Catalog Zones are directly > queryable. Instead, it strongly discourages them from being queried, but > usually using non-normative language. (The exception: the security > considerations RECOMMEND limiting who can query the zone.) I wonder if the > document would be better served with a more up-front statement on this issue? Good point -- the text indeed was a bit hand-wavy in this regard. I modified as follows: - Replace (with better wording) or remove "casual" (non-normative) references to DNS queries (e.g. when talking about TTL values) - Add justification why limiting queries is RECOMMENDED (namely, to prevent unintentional exposure of catalog zone contents) > An appendix showing a full example catalog zone would be a nice addition to the > document. There are examples throughout the text demonstrating specific > concepts, however, so it isn't clear that such an appendix is strictly > necessary. Done, based on an example from the Knot DNS documentation. (This has also been requested by other reviewers.) > Catalog zones appear to be intentionally not fully interoperable between > completely un-coordinated instances. Is this interpretation correct? I think > my basic confusion arises from not seeing what can be done with catalog zones > *without* custom properties. This is correct. As to "what can be done without custom properties": The main use case is provisioning and deprovisioning zones on secondary DNS servers. Without catalog zones, the secondary has to either somehow retrieve the list of zones via an out-of-band channel, or rely on heuristic processing of indirect signals from the primary. For example, a common way for removing secondary zones has been to let them "expire": check periodically whether the primary still knows the zone, and if it doesn't for say 1 week, assume it's not a glitch and remove the zone. This scales badly (requires lots of checking queries) and also risks deleting a zone prematurely when there actually is some other kind of problem causing the primary to not respond as expected. This is the use case in which catalog zones are expected to be interoperable. Beyond that, vendors are free to map whatever zone settings their implementation offers, by means of custom properties. Examples of this could be zone-specific rate limiting or statistics collection. Thanks, Peter -- https://desec.io/
- [dnsdir] Dnsdir last call review of draft-ietf-dn… David Blacka via Datatracker
- Re: [dnsdir] [DNSOP] Dnsdir last call review of d… Peter Thomassen
- Re: [dnsdir] [DNSOP] Dnsdir last call review of d… Blacka, David
- Re: [dnsdir] [DNSOP] Dnsdir last call review of d… Willem Toorop