Re: [dnsdir] [DNSOP] Dnsdir last call review of draft-ietf-dnsop-dns-catalog-zones-08
Willem Toorop <willem@nlnetlabs.nl> Thu, 12 January 2023 14:33 UTC
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsdir@ietfa.amsl.com
Delivered-To: dnsdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BAB7C14CE4C for <dnsdir@ietfa.amsl.com>; Thu, 12 Jan 2023 06:33:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJKe63AxAGwU for <dnsdir@ietfa.amsl.com>; Thu, 12 Jan 2023 06:33:30 -0800 (PST)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82687C1524D9 for <dnsdir@ietf.org>; Thu, 12 Jan 2023 06:33:30 -0800 (PST)
Received: by mail-qt1-x82c.google.com with SMTP id j15so11081654qtv.4 for <dnsdir@ietf.org>; Thu, 12 Jan 2023 06:33:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=google; h=content-transfer-encoding:in-reply-to:subject:from:references:cc:to :content-language:user-agent:mime-version:date:message-id:from:to:cc :subject:date:message-id:reply-to; bh=Y1hIsYzQJlpRM6XtHf+FTmk2x2NOqa4sW+vQxb/0kHk=; b=AVGuxrZap+zT7buUk4Y77hcMgII99oPTNZX3P0xEEaVt4js7SWsAV+FEZIfqiDglx+ ScYgoDx7FRFtDL8NgrmHY85Ch6KCc7rEE6lM1gjLvBVgc+POR2JOnDoiH7Udq6BVJQzK iYiY0SDpu+Rfej8ZFIk7IxX6ZVAVytri+32GrVfVuDZFQln1TWHGAlZp6S1X83KU5jH8 E6l8tsqVB7Cy+AtBT2wcGeajiQwYm2ZycJw7YWwmAJTkna3tkPQEQoXtsRe/ClS/aAbC NbE2t0fw/6wi9eRt77/UVf8whEqTQJJ8BZaUiQ0HWg/9AiLp590y4tnHIenxOYtDr3lZ Fcjg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:subject:from:references:cc:to :content-language:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Y1hIsYzQJlpRM6XtHf+FTmk2x2NOqa4sW+vQxb/0kHk=; b=dDBwETyAoe8yuH33XOQSDQKJPkmB4XrmnaOjEK9Pj8JiN9nD3oqZ4Pr/OS3zwUfQUx YpJVSFLoE0MDnmEMW7oH6h3Bf1doqdodCyv7FqlxERDSJUDAw5XcuMGQ3iBApCtyybXo sunLUyPnx8hPemnV2zknaatam55A/rJpIz5oJ64QSOCm169Vk2u9EUVmXWpmGs4qK4A/ Pcqam8I1Gb3/0SpYf79U57N1x7jwPYLPiq24tFldnK5OubYAIc9pGQWmOVDpzoJP6Z6e pqfz6PJx9OMXdiNifbgfgJAtpsL47EbqWwapLEptFoqBw4NqA9zwYwyE2gvU7HVPXYT4 qmgQ==
X-Gm-Message-State: AFqh2kpHtumNHxxHNLgJclEvmbSck0t9T0XmeCXSl75pNlxvrx3u9SVs S7n2FoCqhkOqPa28Caog4nrPrg==
X-Google-Smtp-Source: AMrXdXsCnsv1lsfqjjovpDc73PcvpfNEeo5tnd23OpWAqytwFRURiONS+vw9nbADbVJMNSghcgSNpA==
X-Received: by 2002:a05:622a:1741:b0:3a8:2716:ac2d with SMTP id l1-20020a05622a174100b003a82716ac2dmr149102415qtk.56.1673534008885; Thu, 12 Jan 2023 06:33:28 -0800 (PST)
Received: from ?IPV6:2a04:b900::7d0? ([2a04:b900::7d0]) by smtp.gmail.com with ESMTPSA id f1-20020ac81341000000b003a6a19ee4f0sm9096231qtj.33.2023.01.12.06.33.27 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 12 Jan 2023 06:33:28 -0800 (PST)
Message-ID: <4943b4de-5aa8-c421-8e93-f13ccc3159ff@nlnetlabs.nl>
Date: Thu, 12 Jan 2023 15:33:26 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0
Content-Language: en-US
To: "Blacka, David" <davidb=40verisign.com@dmarc.ietf.org>, Peter Thomassen <peter@desec.io>
Cc: "dnsdir@ietf.org" <dnsdir@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-dns-catalog-zones.all@ietf.org" <draft-ietf-dnsop-dns-catalog-zones.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
References: <167216124072.53631.9662541115611789670@ietfa.amsl.com> <f0c3255b-c1a3-c3c3-0685-858a71234505@desec.io> <667B0937-3E17-479D-AC8D-A8FC46B7A57E@verisign.com>
From: Willem Toorop <willem@nlnetlabs.nl>
In-Reply-To: <667B0937-3E17-479D-AC8D-A8FC46B7A57E@verisign.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsdir/X8RWYapaNsSvbLuWY0_-2vFiWcQ>
Subject: Re: [dnsdir] [DNSOP] Dnsdir last call review of draft-ietf-dnsop-dns-catalog-zones-08
X-BeenThere: dnsdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: DNS Directorate <dnsdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsdir/>
List-Post: <mailto:dnsdir@ietf.org>
List-Help: <mailto:dnsdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsdir>, <mailto:dnsdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Jan 2023 14:33:35 -0000
Hi David, Response inline at the bottom. Op 03-01-2023 om 19:42 schreef Blacka, David: > > >> On Jan 3, 2023, at 12:48 PM, Peter Thomassen <peter@desec.io> wrote: >> >> Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. >> Hi David, >> >> Thank you for your review. Please see inline. > > Thanks! Also see inline. > >> >> On 12/27/22 18:14, David Blacka via Datatracker wrote: >> >>> Second, some comments: >>> This draft is not quite definitive on whether or not Catalog Zones are directly >>> queryable. Instead, it strongly discourages them from being queried, but >>> usually using non-normative language. (The exception: the security >>> considerations RECOMMEND limiting who can query the zone.) I wonder if the >>> document would be better served with a more up-front statement on this issue? >> >> Good point -- the text indeed was a bit hand-wavy in this regard. I modified as follows: >> >> - Replace (with better wording) or remove "casual" (non-normative) references to DNS queries (e.g. when talking about TTL values) >> >> - Add justification why limiting queries is RECOMMENDED (namely, to prevent unintentional exposure of catalog zone contents) > > I looked at your changes, and I think those updates work for this. > >> >>> An appendix showing a full example catalog zone would be a nice addition to the >>> document. There are examples throughout the text demonstrating specific >>> concepts, however, so it isn't clear that such an appendix is strictly >>> necessary. >> >> Done, based on an example from the Knot DNS documentation. (This has also been requested by other reviewers.) > > Also great! > >> >>> Catalog zones appear to be intentionally not fully interoperable between >>> completely un-coordinated instances. Is this interpretation correct? I think >>> my basic confusion arises from not seeing what can be done with catalog zones >>> *without* custom properties. >> >> This is correct. >> >> As to "what can be done without custom properties": The main use case is provisioning and deprovisioning zones on secondary DNS servers. >> >> Without catalog zones, the secondary has to either somehow retrieve the list of zones via an out-of-band channel, or rely on heuristic processing of indirect signals from the primary. For example, a common way for removing secondary zones has been to let them "expire": check periodically whether the primary still knows the zone, and if it doesn't for say 1 week, assume it's not a glitch and remove the zone. This scales badly (requires lots of checking queries) and also risks deleting a zone prematurely when there actually is some other kind of problem causing the primary to not respond as expected. >> >> This is the use case in which catalog zones are expected to be interoperable. Beyond that, vendors are free to map whatever zone settings their implementation offers, by means of custom properties. Examples of this could be zone-specific rate limiting or statistics collection. > > Ah, I wasn’t clear. I understand the overall use case for the catalog zones, but there were so few non-custom properties I wondered if one could effectively use catalog zones without them. I was expecting a few standard properties describing (e.g.) what the secondary should use as masters and what TSIG key to use. That is, I can see you must give the zone name for the given zone, but nothing else seems to be required. Did I miss some text that describes what is expected to happen by default? Setting up a catalog on the secondary is a manual step anyhow (see Section 6. second paragraph en the third paragraph of Section 3.). Catalogs are assumed to be associated with a set of configuration (third paragraph of section 3) which is predefined (perhaps while configuring for consumption for that catalog) on the secondaries. Part of this set of configuration for secondaries are the primaries and TSIG keys to use. Secondary name servers can have multiple catalog zones configured and be a consumer for them, each catalog zone for a different set of primaries (and TSIG keys). The (predefined) set of configuration can furthermore be changed per individual member zone within a catalog basis with the `group` property. Also, a member zone can be migrated to a different catalog hosted on the same secondary which is associated with a different set of predefined configuration. Do you think this needs to be stated more explicitly in the draft? For the record: BIND9's implementation does provide custom properties for primaries, the names of the TSIG keys to use, and query and transfer ACL, but the other implementation do not as far as I can see in the documentation for each (co-authors please correct me if I'm wrong). Many thanks for you review David! Cheers, -- Willem
- [dnsdir] Dnsdir last call review of draft-ietf-dn… David Blacka via Datatracker
- Re: [dnsdir] [DNSOP] Dnsdir last call review of d… Peter Thomassen
- Re: [dnsdir] [DNSOP] Dnsdir last call review of d… Blacka, David
- Re: [dnsdir] [DNSOP] Dnsdir last call review of d… Willem Toorop