Re: [dnsdir] [DNSOP] Dnsdir last call review of draft-ietf-dnsop-dns-catalog-zones-08
"Blacka, David" <davidb@verisign.com> Tue, 03 January 2023 18:42 UTC
Return-Path: <davidb@verisign.com>
X-Original-To: dnsdir@ietfa.amsl.com
Delivered-To: dnsdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 199F2C1524B3; Tue, 3 Jan 2023 10:42:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6u2rFxuO3zj; Tue, 3 Jan 2023 10:42:18 -0800 (PST)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9986C14F741; Tue, 3 Jan 2023 10:42:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=9816; q=dns/txt; s=VRSN; t=1672771338; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=bO2GbtMBuKUWDkayXhqmbHn8q26bmmADqbngc4FlAI4=; b=k20BNfBKCwBolXujmIUEcmch1Rl+SXg929NfUu7pnDOax15ZydzOValz RGueoiVk/OzA0WzIpNeQwA851tx+CfP3QYY+aSMHJDerUR6zYw3GDPtsV LMWj28FjuIWfMDl0xeZO7PbBZRwwy+1riWj0w86LR3Zzg3RuOKC+u3R6w LZc66QSEQSi7/PLuc6Us1fZj4nW7bdYEIMwPUPrT5bHh/hmLaJIRLhegY /Fnp9zyiaEEYw7CUQrJkXGLLZhMhvlFDqvEwMERWLxRfbXgQpSgMm/q7d ezrwBaHEGoYeWizAvaaJP6mL/MRSzET9bXjJQb6cTvH9bwd/ImriI2Fcd g==;
IronPort-Data: A9a23:b53KOKoiHPMvVzTSV+lvow6w/VxeBmItYhIvgKrLsJaIsI4StFGz/ xJOGSnaY6zbJjuqJcY2M9718ldF4MGLn5ImCldcGRtFVHdLrMeDHYuCRqubFy3NI8OZRUs3t Z5ONNOfIZBvE3KD/k/0Pue6/XcgiKrRSOGhV7Cda3h7FVE8EH18hEltkrJo3oMwiIfoXAqDs 9maT6EzVrOA82cc3jU8t/jb83uDxcjauC8Epg55IvdAp0eYm3gaDZkSP733JHz9GiO9tAeHL 9ovt4pVgl7k1xcxFsv31fHjcUxPRbXJJU6Ci3VXUKW4nl5JoSlq/+VjvhLUOEdLly3b2Nt4w 9hX84ehTA40Iq2Kk+MYFBxAECA5MaxJ+bTKO2S069eTxlfLf2DpwvBjB0hwNpcEotNKaV2ij sf0VA3hFDjbwbre/Zq7VvV0nZZka9b0I8UTu35hxjzDEbAtRpWEaJ3xvXWxd8pz3mqntha2W yZiUtYYUfi6S0AJYT8qIJIigP+z1D64bCJH7l6Uqqs87nLPigd21f/GCOGN0DUhuIYNNK8zR sgvVInQBAByCDDk8tbyz57WrrKJxkvGcIIOCKWjpLktn0KMgGASBxwdWEGn5/K+jwmkQ9saN kVMkhbC1pPeg3FHNPGgGUbQnVaEogIEQIgXVPIl90eBy6XV6AuDGi4PSTsGcsQv8dI/HRZC6 rPypD+eONAVmODTEhqgy4qpQROO1Qk9cmZTOiMNQFde74nqqd5tgE+WRdoyHKS41tP/Rmv5n W/W9XhvjLgt1sNajK/TEXIrId6PjsOQElNqvFW/skaNtF4RiFuNPtTwgbTjxa8catzfFjFth VBc8+CG9ucCEJqRoyKEReQJDdmB6u2MWNHmqQcH86IJqnL8pRZPQagKuGslfB4xaZ5YEdPUS BS7VT15tcc70ESCMPcfj7KZU6wC0aXmHNL5YfHYBvImjk9ZLVLvEIlGPCZ87ki1+KQeufhX1 aSzKK5AOU0n5ZFPl1Jacc9GiON2mXpurY/kbcuTIxyPidJybVbLEetVaAPmguoRtMtoqy2Nm zpT2lfjJ7yyn4QSbwGOmbP/I2zmIlAGO6/2jtZqSNSAeDE8KFgDK8WKz5I+LtkNc6R9zo8k/ 1mXYGkB93zStSWebxuBbWp7LrrjG4hltnR9NispVbqq8yF7J9/wt+FGKsBxIelPGO9LlJaYS 9EJctuBDv5nVDnd+i8cYp+7p4tnHPiurVveYXv9PWdlF3Jmb1zw5+XBWDDezjJUATHp6sElg JG4+xyOFPLvQCwnVq46csmH116tsGI1lO9pUkCOI947UEnq64RrMQTwg+M5ZcYWJn3ryj2B0 B6+ABoEq6/KuYBd2NXTjK6Y6oakD+U7EkxBGHGe4bCtcCLT4mOnxoAFQuGOcCubXWfw0KSve esTyOvzWNUDlU1W9oF1F7JDzK8i6Z3ovbAy8+h/NH/RaQ20DL5weiDDxtdV8KhM3fpTvk28Q ETWvMdAIrPPM8TgeLIMGDcYgi24/al8slHvAT4deS0WOAcfEGK7bHhv
IronPort-HdrOrdr: A9a23:fKCWaK/XSC8jX3MAKrxuk+AFI+orL9Y04lQ7vn2ZLiYlF/Bw9v re/sjzuiWVtN98Yh8dcLO7V5VoKEm0naKdirNhXotKMjOGhEKYaK9v6of4yyDtFmnU5odmuZ tIQuxbBMfrBVZ3yeT38GCDeeoI8Z2i/LqzjenTi01xSxpnApsM0y5iBh2FHlZNSA5KOJo8GP OnjfZ6mw==
X-IronPort-AV: E=Sophos;i="5.96,297,1665460800"; d="p7s'?scan'208";a="18690572"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.16; Tue, 3 Jan 2023 13:42:16 -0500
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2507.016; Tue, 3 Jan 2023 13:42:16 -0500
From: "Blacka, David" <davidb@verisign.com>
To: Peter Thomassen <peter@desec.io>
CC: "dnsdir@ietf.org" <dnsdir@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-dns-catalog-zones.all@ietf.org" <draft-ietf-dnsop-dns-catalog-zones.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] Dnsdir last call review of draft-ietf-dnsop-dns-catalog-zones-08
Thread-Index: AQHZH6MZfxOeExJjSEmnwWqBHs7HqA==
Date: Tue, 03 Jan 2023 18:42:15 +0000
Message-ID: <667B0937-3E17-479D-AC8D-A8FC46B7A57E@verisign.com>
References: <167216124072.53631.9662541115611789670@ietfa.amsl.com> <f0c3255b-c1a3-c3c3-0685-858a71234505@desec.io>
In-Reply-To: <f0c3255b-c1a3-c3c3-0685-858a71234505@desec.io>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3696.120.41.1.1)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_9A7917AC-0CA4-48FC-8DD1-D6A18D8D9F43"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsdir/X4WccEdXOUvtyOxJT0Qz1ZshdbU>
Subject: Re: [dnsdir] [DNSOP] Dnsdir last call review of draft-ietf-dnsop-dns-catalog-zones-08
X-BeenThere: dnsdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Directorate <dnsdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsdir/>
List-Post: <mailto:dnsdir@ietf.org>
List-Help: <mailto:dnsdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Jan 2023 18:42:22 -0000
> On Jan 3, 2023, at 12:48 PM, Peter Thomassen <peter@desec.io> wrote: > > Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. > Hi David, > > Thank you for your review. Please see inline. Thanks! Also see inline. > > On 12/27/22 18:14, David Blacka via Datatracker wrote: > >> Second, some comments: >> This draft is not quite definitive on whether or not Catalog Zones are directly >> queryable. Instead, it strongly discourages them from being queried, but >> usually using non-normative language. (The exception: the security >> considerations RECOMMEND limiting who can query the zone.) I wonder if the >> document would be better served with a more up-front statement on this issue? > > Good point -- the text indeed was a bit hand-wavy in this regard. I modified as follows: > > - Replace (with better wording) or remove "casual" (non-normative) references to DNS queries (e.g. when talking about TTL values) > > - Add justification why limiting queries is RECOMMENDED (namely, to prevent unintentional exposure of catalog zone contents) I looked at your changes, and I think those updates work for this. > >> An appendix showing a full example catalog zone would be a nice addition to the >> document. There are examples throughout the text demonstrating specific >> concepts, however, so it isn't clear that such an appendix is strictly >> necessary. > > Done, based on an example from the Knot DNS documentation. (This has also been requested by other reviewers.) Also great! > >> Catalog zones appear to be intentionally not fully interoperable between >> completely un-coordinated instances. Is this interpretation correct? I think >> my basic confusion arises from not seeing what can be done with catalog zones >> *without* custom properties. > > This is correct. > > As to "what can be done without custom properties": The main use case is provisioning and deprovisioning zones on secondary DNS servers. > > Without catalog zones, the secondary has to either somehow retrieve the list of zones via an out-of-band channel, or rely on heuristic processing of indirect signals from the primary. For example, a common way for removing secondary zones has been to let them "expire": check periodically whether the primary still knows the zone, and if it doesn't for say 1 week, assume it's not a glitch and remove the zone. This scales badly (requires lots of checking queries) and also risks deleting a zone prematurely when there actually is some other kind of problem causing the primary to not respond as expected. > > This is the use case in which catalog zones are expected to be interoperable. Beyond that, vendors are free to map whatever zone settings their implementation offers, by means of custom properties. Examples of this could be zone-specific rate limiting or statistics collection. Ah, I wasn’t clear. I understand the overall use case for the catalog zones, but there were so few non-custom properties I wondered if one could effectively use catalog zones without them. I was expecting a few standard properties describing (e.g.) what the secondary should use as masters and what TSIG key to use. That is, I can see you must give the zone name for the given zone, but nothing else seems to be required. Did I miss some text that describes what is expected to happen by default?
- [dnsdir] Dnsdir last call review of draft-ietf-dn… David Blacka via Datatracker
- Re: [dnsdir] [DNSOP] Dnsdir last call review of d… Peter Thomassen
- Re: [dnsdir] [DNSOP] Dnsdir last call review of d… Blacka, David
- Re: [dnsdir] [DNSOP] Dnsdir last call review of d… Willem Toorop