Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson
Joe Abley <jabley@hopcount.ca> Wed, 26 July 2017 18:25 UTC
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EAE78131C8D for <dnsop@ietfa.amsl.com>; Wed, 26 Jul 2017 11:25:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.791
X-Spam-Level:
X-Spam-Status: No, score=-1.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, RP_MATCHES_RCVD=-0.001, T_DKIM_INVALID=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (OpenSSL error: data too large for key size)" header.d=automagic.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UZ1mZGp-CspV for <dnsop@ietfa.amsl.com>; Wed, 26 Jul 2017 11:25:12 -0700 (PDT)
Received: from mail.hopcount.ca (mail.hopcount.ca [67.215.197.156]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A152E131A50 for <dnsop@ietf.org>; Wed, 26 Jul 2017 11:25:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=simple/simple; d=automagic.org ; s=hopcount; h=To:References:Message-Id:Content-Transfer-Encoding:Cc:Date: In-Reply-To:From:Subject:Mime-Version:Content-Type:Sender:Reply-To:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe :List-Post:List-Owner:List-Archive; bh=EcoN2fUlz6e1xVktuGI2Zlja7l8aKXv9rZwgiO0pdl4=; b=iGmCJq8N2an/YV/p65uO6VgGZX KMEqxQdyih8RLn5lUhER0iKYTjXCNilPA4/eKt1P2cpCaK4T5f57TtTP6ezqyKno/k8IazA49rOAD IdQ3yBnRRpa4Rw8moMXXd8oZUqd8mefpdnDeUZTxAzBID5p7Ud6JDD4jc618gYpnOeD9NRC5rb71P zObUzbePW1Mfdn+tzCKuFUvb+0NqpKipkhnhpkiRP3mXnvnj0lOAqnUgqZJ5w27CdJP0ScfclZ0ah dR0Xx/wgbgRofTzn2lw9QiEuKBczDUPpqQItdOFODp2bFYZtuJImCvHoMbL02soFodcXXY9wHV9VK cXfPFN0Q==;
Received: from [192.0.145.35] (helo=[199.212.92.9]) by mail.hopcount.ca with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89 (FreeBSD)) (envelope-from <jabley@hopcount.ca>) id 1daQzM-000NJI-Kr; Wed, 26 Jul 2017 18:24:57 +0000
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <CAC94RYYYrb8AXFhwqW89jh79QvPOTtrK4esupL8YbFToUP3+Aw@mail.gmail.com>
Date: Wed, 26 Jul 2017 14:24:50 -0400
Cc: dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2E157D56-EEFB-475A-B122-F85C142E3010@hopcount.ca>
References: <083C34A2-92B9-4A9F-A331-9C38E22417C7@hopcount.ca> <CAC94RYYYrb8AXFhwqW89jh79QvPOTtrK4esupL8YbFToUP3+Aw@mail.gmail.com>
To: Richard Gibson <rgibson@dyn.com>
X-Mailer: Apple Mail (2.3273)
X-SA-Exim-Connect-IP: 192.0.145.35
X-SA-Exim-Mail-From: jabley@hopcount.ca
X-SA-Exim-Scanned: No (on mail.hopcount.ca); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-GZUUejU0I_OBUUTPFINPiB4M3E>
Subject: Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jul 2017 18:25:14 -0000
On 26 Jul 2017, at 13:28, Richard Gibson <rgibson@dyn.com> wrote: > The need for such a signal also came up recently in https://tools.ietf.org/html/draft-wkumari-dnsop-multiple-responses-05#section-10 . But in this case particularly, middleboxes should be a complete non-issue... anyone expecting QTYPE=ANY passthrough is already asking for trouble. We may be imagining different things by "middlebox" -- I think you're thinking of a resolver, whereas I'm thinking more broadly about stateful inspection, firewalls, ALGs, proxies, forwarders, etc. I think there's an entirely reasonable and observable expectation that QTYPE=ANY passthrough works in that broader sense. Mark's <https://www.ietf.org/proceedings/92/slides/slides-92-dnsop-7.pdf> was an easy-to-find example of trouble in the real world. >> I think it would be uncontroversial to note explicitly that the mechanism described in this document contains no such signalling, however. Let me know if that seems like a pragmatic solution. > > I remain concerned about issuing incomplete responses to ANY queries without indication of such, and predict that it will hinder operational problem investigation and remediation (especially pertaining to IPv4/IPv6 issues). My preference has not changed, but an explicit acknowledgment of the gap at least provides a reference for future improvement. OK. Your future tense is Cloudflare's past tense and I have not heard of an example of the kind of operational confusion that you're predicting there, but perhaps I'm just not listening in the right dark corners. I will plan to add text to acknowledge the lack of signalling but not to change the mechanism to introduce any. People should throw rocks if that seems bad. > How about updating document text to replace "conventional ANY queries" (section 3) and "conventional response" (section 4.1) with "conventional ANY response" and defining it in the Terminology section: > In this document, "conventional ANY response" refers to an ANY Response that would be produced by the algorithm in section 4.3.2 of RFC 1034. Conventional ANY responses can include include records from an arbitrarily high number of RRSets, up to message truncation. OK, I'm fine with that. > Also, it therefore appears that this draft needs to be noted as updating RFC 1034. Noted. > In light of the above, referencing RFC 1035 actually seems misleading... the relevant definitions come from RFC 1034, and this draft is consistent with it in acknowledging use of QTYPE=255 for requesting records of all types, but inconsistent with it in specifying responses that intentionally omit matching records. OK. I'll look at this again. > I also discovered some incidental issues while confirming the above: > 1. The draft should standardize on one of "RRSet" (capital S, 17 current instances) or "RRset" (minuscule S, 7 current instances). Noted. The RFC Editor is well-practiced at dealing with that kind of thing, but it doesn't help to give them less work ahead of time. > 2. Section 4.1 appears to have some errors in grammar and use RFC 2119 terms, and should be reworded (removals in strikethrough, additions in bold): Strikethrough and bold, eh? OK. :-) Suggestions are good, many thanks! Joe
- [DNSOP] draft-ietf-dnsop-refuse-any: points from … Joe Abley
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Richard Gibson
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Joe Abley
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Richard Gibson
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Joe Abley
- Re: [DNSOP] draft-ietf-dnsop-refuse-any: points f… Tony Finch