Re: [DNSOP] Second Working Group Last Call for draft-ietf-dnsop-extended-error
Wes Hardaker <wjhns1@hardakers.net> Fri, 27 September 2019 23:40 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CC31120071 for <dnsop@ietfa.amsl.com>; Fri, 27 Sep 2019 16:40:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CE3ifT3vwV6u for <dnsop@ietfa.amsl.com>; Fri, 27 Sep 2019 16:40:56 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF3F8120026 for <dnsop@ietf.org>; Fri, 27 Sep 2019 16:40:56 -0700 (PDT)
Received: from localhost (unknown [128.9.16.41]) by mail.hardakers.net (Postfix) with ESMTPA id 303F3256D9; Fri, 27 Sep 2019 16:40:56 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Puneet Sood <puneets=40google.com@dmarc.ietf.org>
Cc: dnsop <dnsop@ietf.org>
References: <CADyWQ+FG7qzPnLkUH7mSBca=1NfXy6YduHD4UdmcfXFjD8xC6g@mail.gmail.com> <CA+9_gVuwAEthi9HU2wdw+Vf+STCwvXr4wOB4PRD_Hej6JPPbuQ@mail.gmail.com>
Date: Fri, 27 Sep 2019 16:40:55 -0700
In-Reply-To: <CA+9_gVuwAEthi9HU2wdw+Vf+STCwvXr4wOB4PRD_Hej6JPPbuQ@mail.gmail.com> (Puneet Sood's message of "Fri, 20 Sep 2019 17:17:03 -0400")
Message-ID: <yblr241z4s8.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-Oq_zOBuS026n5E3U5VJ6q5L5YU>
Subject: Re: [DNSOP] Second Working Group Last Call for draft-ietf-dnsop-extended-error
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2019 23:40:59 -0000
Puneet Sood <puneets=40google.com@dmarc.ietf.org> writes: Hi Puneet, Thanks for the comments. Responses are inline below in my tracking notes below. 14.5 TODO Puneet Sood ~~~~~~~~~~~~~~~~~~~~~ I got around to review the draft only recently and have made an attempt to avoid points of discussion that have been resolved since IETF Prague. Apologies in advance for any duplicates. * 14.5.0.1 DONE 1. Introduction and background Para 2: "A good example of issues that would benefit ..." Comment: The paragraph leads up to the conclusion that the EDE codes will be helpful to a client to decide between retry and stopping. Since the consensus is that the EDEs are purely diagnostic, it would be good to reiterate that at the end of this paragraph. + Response from Viktor: For the record, while that was "diagnostic" was my take on the purpose of these codes, reading other responses, I am not sure that's yet the consensus view... I could also live with these being actionable, provided the text is then more clear on how to do that correctly If the actions based on these codes are arbitrary choices for each implementation, with not even a clear correspondence with associated RCODEs, that feels like too much rope to me... Eric Orth's comment from Sept 17 is also relevant here (no one has responded to it yet). Quoting the last bullet from his response here for reference: [https://mailarchive.ietf.org/arch/msg/dnsop/GTg8wa7lQ-VoBFcp_P5tT4VuQhE] *Something like "applications MUST NOT act on EDE" or "applications MUST NOT change rcode processing" does not seem reasonable to me. Way too unclear what "diagnostic" processing is reasonable and allowed or not. And potentially limits applications from doing processing based on very reasonable or obvious interpretations of the received rcode/EDE combinations." + Response: Paul H. gave us language to put in both the abstract and introduction to address this. Let me know if you think it doesn't address this issue. * 14.5.0.2 TODO 2. Extended Error EDNS0 option format / forwarding /etc/ Final para: "The Extended DNS Error (EDE) option can be included in any response (SERVFAIL, NXDOMAIN, REFUSED, and even NOERROR, etc) to a query that includes OPT Pseudo-RR [RFC6891]. ..." Comment: Given the level of discussion around behavior when sending/receiving the EDE option, there should be some more text giving guidance on behavior. a. For recursive resolvers, it may be worth pointing that it is not expected to copy/forward EDE values received from authoritative nameservers to their clients. b. What is the expectation on caching for the EDE code generated by a recursive resolver in response to a query? My expectation is that it will be cached (if the answer itself is cached) so the next response has the same EDE code. c. Truncation: In case a response including the EDE option with EXTRA-TEXT filled in exceeds the effective UDP payload size, what is the desired behavior for the EDE option? Should the EXTRA-TEXT field be left empty in favor of filling in other RR types? Should the response be marked truncated to require a re-query over TCP? This is unlikely for failures but could happen when DNSSEC validation could not be performed due to unsupported digest type. + Response: good questions, and I think the WG needs to think about whether to add that much more data. * 14.5.0.3 DONE 3.14 Extended DNS Error Code 13 - Cached Error The resolver has cached SERVFAIL for this query. Comment: To match the text the name should be "Cached SERVFAIL". * 14.5.0.4 NOCHANGE 5. Security Considerations Para 2: "This information is unauthenticated information, and an attacker (e.g a MITM or malicious recursive server) could insert an extended error response into already untrusted data ..." Comment: Agree with some other comments that this is not relevant since no action is expected to be taken based on EDEs. Comment: There are ideas in the thread to have links to info in the EXTRA-TEXT and possibly display it to users. I guess the usual warnings to not click on potentially unsafe links apply. + Yeah, it really would be remiss to leave out that point. There may be nothing we can do, but the whole point of a security consideration is to properly disclose any known threats/issues. Thanks, Puneet -- Wes Hardaker USC/ISI
- [DNSOP] Second Working Group Last Call for draft-… Tim Wicinski
- Re: [DNSOP] Second Working Group Last Call for dr… Loganaden Velvindron
- Re: [DNSOP] Second Working Group Last Call for dr… Viktor Dukhovni
- Re: [DNSOP] Second Working Group Last Call for dr… Stephane Bortzmeyer
- Re: [DNSOP] Second Working Group Last Call for dr… Michael J. Sheldon
- Re: [DNSOP] Second Working Group Last Call for dr… Puneet Sood
- Re: [DNSOP] Second Working Group Last Call for dr… Viktor Dukhovni
- Re: [DNSOP] Second Working Group Last Call for dr… Wes Hardaker
- Re: [DNSOP] Second Working Group Last Call for dr… Wes Hardaker
- Re: [DNSOP] Second Working Group Last Call for dr… Wes Hardaker
- Re: [DNSOP] Second Working Group Last Call for dr… Wes Hardaker
- Re: [DNSOP] Second Working Group Last Call for dr… Vittorio Bertola
- Re: [DNSOP] Second Working Group Last Call for dr… Wes Hardaker
- Re: [DNSOP] Second Working Group Last Call for dr… Tim Wicinski
- Re: [DNSOP] Second Working Group Last Call for dr… Petr Špaček
- Re: [DNSOP] Second Working Group Last Call for dr… Tim Wicinski
- Re: [DNSOP] Second Working Group Last Call for dr… Tony Finch
- Re: [DNSOP] Second Working Group Last Call for dr… Puneet Sood
- Re: [DNSOP] Second Working Group Last Call for dr… Puneet Sood
- Re: [DNSOP] Second Working Group Last Call for dr… Patrick McManus
- Re: [DNSOP] Second Working Group Last Call for dr… Eric Orth
- Re: [DNSOP] Second Working Group Last Call for dr… Warren Kumari
- Re: [DNSOP] Second Working Group Last Call for dr… Jan Komissar (jkomissa)
- Re: [DNSOP] Second Working Group Last Call for dr… Petr Špaček
- Re: [DNSOP] Second Working Group Last Call for dr… Petr Špaček
- Re: [DNSOP] Second Working Group Last Call for dr… Eric Orth
- Re: [DNSOP] Second Working Group Last Call for dr… Petr Špaček
- Re: [DNSOP] Second Working Group Last Call for dr… Wes Hardaker
- Re: [DNSOP] Second Working Group Last Call for dr… Wes Hardaker
- Re: [DNSOP] Second Working Group Last Call for dr… Wes Hardaker
- Re: [DNSOP] Second Working Group Last Call for dr… Viktor Dukhovni
- Re: [DNSOP] Second Working Group Last Call for dr… Viktor Dukhovni
- Re: [DNSOP] Second Working Group Last Call for dr… Richard Gibson
- Re: [DNSOP] Second Working Group Last Call for dr… Vladimír Čunát