Re: [dnsdir] [DNSOP] Dnsdir early review of draft-ietf-dnsop-svcb-dane-01

Ben Schwartz <bemasc@meta.com> Thu, 13 July 2023 20:28 UTC

From: Ben Schwartz <bemasc@meta.com>
To: "dnsdir@ietf.org" <dnsdir@ietf.org>, Patrick Mevzek <ietf-datatracker@ext.deepcore.org>
CC: "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-svcb-dane.all@ietf.org" <draft-ietf-dnsop-svcb-dane.all@ietf.org>
Date: Thu, 13 Jul 2023 20:28:41 +0000
Message-ID: <BN8PR15MB3281B5E5F30199B8567A0FD6B337A@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <168920392254.56574.8367262509814324191@ietfa.amsl.com>
In-Reply-To: <168920392254.56574.8367262509814324191@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsdir/b8eWg18rai_4ST4ob5OeYKJJek0>

Thanks for this close review, Patrick.  I've copied your notes into the draft's issue tracker so we don't forget to address them: https://github.com/bemasc/svcb-dane/issues/8.

--Ben Schwartz
________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Patrick Mevzek via Datatracker <noreply@ietf.org>
Sent: Wednesday, July 12, 2023 7:18 PM
To: dnsdir@ietf.org <dnsdir@ietf.org>
Cc: dnsop@ietf.org <dnsop@ietf.org>; draft-ietf-dnsop-svcb-dane.all@ietf.org <draft-ietf-dnsop-svcb-dane.all@ietf.org>
Subject: [DNSOP] Dnsdir early review of draft-ietf-dnsop-svcb-dane-01


Reviewer: Patrick Mevzek
Review result: Ready with Nits

I have been selected as the DNS Directorate reviewer for this draft:
draft-ietf-dnsop-svcb-dane-01.
The DNS Directorate seeks to review all DNS or DNS-related drafts as
they pass through IETF last call and IESG review, and sometimes on special
request. The purpose of the review is to provide assistance to the ADs.
For more information about the DNS Directorate, please see
https://wiki.ietf.org/en/group/dnsdir

This is an early review, and the document seems mostly ready to ship,
with some nits in formatting or presentation, and nothing specifically
related to DNS.

There are no changes or consequences on DNS operations based on this draft,
outside what is already defined in the specifications for TLSA and SVCB/HTTPS
records.

My points below are just in chronological order of reading it.

*

It updates 6698, but it also focuses mostly on operational issues/guidance,
which is what 7671 is about, so maybe it should also be marked as updating 7671
in addition to 6698?

*

Section 1.

— Nit: `_8080._tcp.example.com.` does not appear in specific “code” font in
HTML output of draft, while other names later in document do, so I guess just a
formatting change.

— Potentially use “TLSA records” (plural) in various places instead of “the
TLSA record” as this gives the impression there can be only one.

— Introduction says the document does two things: giving details using DANE
with SVCB and also how to use DANE with QUIC. However, neither the document
title nor the abstract of it mention QUIC, only SVCB is mentioned. If the
document does both, perhaps both points should be clearly listed early on
(title + abstract), or otherwise (as SVCB and QUIC are fairly distinct things
in my view), it should be split in two documents, each one focusing on one
point only.

*

Section 3

— name of section: I would suggest using SVCB specifically instead of Service
Bindings. Same for the title and abstract of the document, in fact.

— s/This draft applies/This document applies/ (or specification, or other
terms, but not “draft”). Maybe other occurrences of “draft” later on should be
replaced as well.

— “if SVCB resolution was entirely secure”: maybe mention once that
secure here means with DNSSEC along all the paths (DNS answers) taken? Or
point to somewhere where secure is defined (maybe: §4.1 of RFC6698?)

— “In usage modes other than DANE-EE(3)”: shouldn't that also include the DANE-TA
case at the same level as DANE-EE?

— section 3
“Section 6 of [RFC7671] says:” (present)
vs section 4
“Section 3 of [RFC6698] defined the protocol prefix used for constructing TLSA
QNAMEs, and said:” (past)

I suggest using either present or past tense in both cases, as the intent is
the same (redefining something coming from elsewhere)

*

Section 4

— name of section: I would make sure to list QUIC explicitly, otherwise seems
too generic

— “this draft Updates the above sentence as follows:”

Replace “draft” by document or equivalent and lowercase “Updates”.

— “udp” (DTLS [I-D.draft-ietf-tls-dtls13])
Shouldn't that instead reference by RFC9147 “The Datagram Transport Layer
Security (DTLS) Protocol Version 1.3”?

*

Section 5.1

— Please replace examples of `alias.net`, `provider.com` with things under
`.example` TLD.

— “TLSA  <provider keys>” Why plural? Possibly just elide the whole <> part,
as it could be a hash too, etc.

— “Service consumers are expected to use CNAME or SVCB AliasMode”, yet the
example given is using only HTTPS record and not SVCB record. Maybe use
multiple examples?

— Perhaps add that this works mostly for DANE-EE and DANE-TA use cases?

*

Section 6

— “might use DANE for some conection” => connection

— While I have no actual text to offer, I feel the section is a little
too simple, especially the last paragraph, which basically says “insecurely
resolved is not safe” without giving guidance or at least detailing the
tradeoffs between the various possible scenarios (ignoring insecure results,
continuing, etc.)

*

Section 7

— make sure all examples use IETF reserved names for hostnames (ex:
`example-cdn.com` => `cdn-foobar42.example`)

— “7.3. QUIC and CNAME”, not sure what the record on `http://www.example.com` is
useful for? Or the URI should be `https://www.example.com/`?

— “7.7. DNS ServiceMode”: perhaps use another TargetName to avoid having to say
“The TLSA base name is taken from the SVCB TargetName.”?

— “7.8. DNS AliasMode”: I don't understand the example given. Where does `ns1`
come from?

— nitpick/personal: I would prefer the examples to go from specific to general,
and as such I would put the two DNS cases currently at the end more in the
middle, right before “New scheme ServiceMode”

*

Section 8

— “IANA is instructed to add the following entry to the “Underscored and
Globally Scoped DNS Node Names” registry:” Give some references on where this
registry is located/where it is defined? (RFC 8553 maybe?)
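The mechanics the review touches on in Sections 3, 4, 5.1 and 7 of the draft (deriving the TLSA QNAME from a securely resolved SVCB/HTTPS chain, the QUIC protocol label, the AliasMode indirection, and the DANE-EE usage mode) as one runnable added example. This is not code from the draft, from RFC 6698 or from either author of this thread. The zone data and the certificate bytes are constructed for the demonstration, and the mapping of ALPN "h3" to a `_quic` label is an assumption about how the draft updates the RFC 6698 protocol prefix.

```python
"""Derive the TLSA QNAME for a service reached through SVCB/HTTPS records and
check a DANE-EE TLSA record against the presented certificate.

Added example for this thread, not text from the draft or the review. Zone
data, certificate bytes and the _quic label mapping are constructed/assumed
as noted in the comments.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class SvcbRR:
    priority: int          # 0 = AliasMode, >0 = ServiceMode (RFC 9460)
    target: str            # TargetName; "." = the owner name itself (ServiceMode)
    alpn: tuple = ()       # "alpn" SvcParam
    port: int = 0          # "port" SvcParam; 0 = absent, use the scheme default
    secure: bool = True    # answer was DNSSEC-validated (AD bit set)


# Constructed zone for the demonstration: owner name -> SVCB/HTTPS RRset.
ZONE = {
    "www.example.": [SvcbRR(0, "svc.cdn.example.")],                # AliasMode hop
    "svc.cdn.example.": [SvcbRR(1, ".", alpn=("h3", "h2"), port=8443)],
    "legacy.example.": [SvcbRR(2, "edge.example."), SvcbRR(1, ".", alpn=("h2",))],
    "insecure.example.": [SvcbRR(1, ".", alpn=("h2",), secure=False)],
    "gone.example.": [SvcbRR(0, ".")],                              # AliasMode "." = no service
}


def transport_label(alpn):
    """Assumption: ALPN "h3" means QUIC and maps to the "_quic" label the draft
    adds; anything else here is TLS over TCP and keeps RFC 6698's "_tcp"."""
    return "quic" if "h3" in alpn else "tcp"


def resolve_tlsa_qname(name, default_port=443, max_hops=8):
    """Follow AliasMode hops, then build _<port>._<proto>.<TargetName>.

    Returns None when any answer on the path was not DNSSEC-secure: DANE only
    applies when the whole SVCB resolution was secure, so an insecure hop
    means "no TLSA, ordinary PKIX", never "use whatever was found".
    """
    owner = name
    for _ in range(max_hops):
        rrs = ZONE.get(owner)
        if not rrs or not all(rr.secure for rr in rrs):
            return None
        alias = [rr for rr in rrs if rr.priority == 0]
        if alias:
            if alias[0].target == ".":
                return None                      # RFC 9460: service does not exist
            owner = alias[0].target
            continue
        rr = min(rrs, key=lambda r: r.priority)  # lowest SvcPriority wins
        target = owner if rr.target == "." else rr.target
        port = rr.port or default_port
        return f"_{port}._{transport_label(rr.alpn)}.{target}"
    return None                                  # alias loop or chain too long


@dataclass
class TlsaRR:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def _assoc_data(mtype, der):
    """Compute the association data RFC 6698 expects for a matching type."""
    if mtype == 0:
        return der
    if mtype == 1:
        return hashlib.sha256(der).digest()
    if mtype == 2:
        return hashlib.sha512(der).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches_ee(tlsa, cert_der, spki_der):
    """DANE-EE(3) only: the end-entity certificate (selector 0) or its
    SubjectPublicKeyInfo (selector 1) must match the association data.
    spki_der is supplied already extracted (e.g. via the cryptography
    library); no DER parsing happens here. Unknown usage/selector/matching
    type makes the record unusable, which is reported as "no match"."""
    if tlsa.usage != 3 or tlsa.selector not in (0, 1) or tlsa.mtype not in (0, 1, 2):
        return False
    chosen = cert_der if tlsa.selector == 0 else spki_der
    return hmac.compare_digest(_assoc_data(tlsa.mtype, chosen), tlsa.data)


# Constructed stand-ins for DER bytes; real code uses the certificate the
# server presented in the TLS or QUIC handshake.
CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"
SPKI_DER = b"\x30\x59constructed-spki-bytes"


def demo():
    qname = resolve_tlsa_qname("www.example.")
    rr = TlsaRR(3, 0, 1, _assoc_data(1, CERT_DER))   # a published "3 0 1" record
    return qname, tlsa_matches_ee(rr, CERT_DER, SPKI_DER)


if __name__ == "__main__":
    print(demo())
```

Running the module prints the QNAME derived through the AliasMode hop, `_8443._quic.svc.cdn.example.`, and `True` for the matching record. The insecure and "gone" owner names yield `None` rather than a best-effort QNAME, which is the behaviour a client needs for the "insecurely resolved is not safe" point raised under Section 6.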


