Re: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting
Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 10 July 2023 16:59 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93034C14CEE3 for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2023 09:59:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FTd1sEQN4D3V for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2023 09:59:13 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB149C14CE38 for <dnsop@ietf.org>; Mon, 10 Jul 2023 09:58:58 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 04DC512EF5B; Mon, 10 Jul 2023 12:58:56 -0400 (EDT)
Date: Mon, 10 Jul 2023 12:58:56 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <ZKw40DEHBUfBEoUI@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
References: <ZJn_cwWWOKIn1wbq@straasha.imrryr.org> <76E9FBC8-9F6D-4050-9C6F-E92A2CBEB326@dnss.ec>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <76E9FBC8-9F6D-4050-9C6F-E92A2CBEB326@dnss.ec>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1qULyHvl7BRgogLegZN3LUPuQrk>
Subject: Re: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jul 2023 16:59:15 -0000
On Wed, Jul 05, 2023 at 12:17:34PM +0100, Roy Arends wrote: > > I would prefer to require resolvers to be more tolerant of unexpected > > options, and would have servers report the channel without explicit > > solicitation. > > That is indeed the plan. I shall make that explicit in the new text. Thanks. That will be helpful. > > What is a "recipient"? Is it a monitoring agent "zone", or a monitoring > > agent transport endpoint? If we're concerned about DoS, perhaps it > > should be the latter, since many zones can resolve to the same set of > > underlying nameservers... > > I will deal with this text in the update. Appreciated. > > Requiring cookies would be great, but they have not yet seem broad > > adoption. Can we reasonably expect the monitoring agent zones to > > support them (and ensure consistent cookie keys across the server > > pool behind each server IP)? > > > > Requiring TCP, combined with per-IP rate limits is probably simpler. > > I will include a note to implementors that reports received over TCP > will be more reliable. The rate limiting you mentioned can be managed > by resolver caching, right? Yes. > > The proposed qname structure is suboptimal: > > > > - There is insufficient justification for the "_er" labels > > at either end of the error report qname. > > > > o If the monitoring agent wants to see some particular prefix, > > (perhaps even periodically rotated to quickly drop stale > > junk) the authoritative server can vend the prefix with the > > agent domain. So the "most-significant" parent "_er" is > > IMNHSO redundant. > > The monitoring agent has to determine where the QNAME ends, and the > agent domain starts. If you assume that a monitoring agent only uses a > single agent domain for all its reports, then sure, the _er_ label > between the strings is redundant. > > If however, the monitoring agent has domains in use, where the least > significant labels collide with existing top level domains, it needs > to determine heuristically where the agent domain starts. This is IMHO > suboptimal. Right, but surely the monitoring agent can decide whether to solicit such a prefix label or not. That is whether an "_er" prefix label is signalled is a *local matter* betweent the authoritative server signalling the option and the monitoring agent. Why should resolvers have to be responsible for this? If a given monitoring agent does not need such signalling, what value does it add? > > o The leading "least-significant" "_er" is likewise (see below) > > not adequately justified. > > The sole purpose of the leading “least-significant” “_er” is to > distinguish between qname-minimized queries (for lack of a better > term) and “full” queries. I understand that you argue that a > monitoring agent can determine this without the _er labels (as > described below), but that seem suboptimal to me. The qname minimised query (whether or not a dedicated qtype is used) will be for "A" or "NS" records, not TXT or the dedicated qtype, so there's no need for "_er" in the first label, the qtype is sufficient. > > Also, qtypes are cheap, and I rather think that a dedicated qtype (one > > that a supporting resolver might refuse to accept in queries from > > clients for example) makes sense here. There's no need to overload > > TXT here. > > This seems counter intuitive to me. A qtype that a supporting resolver > might refuse to accept in queries from clients is either a temporary > state (it may be accepted in the near future when this qtype will be > implemented), or it needs to be specified that this qtype should not > be accepted in queries from clients, which makes this qtype not cheap > (that is, we won’t be able to simply use the template to request one, > as it requires additional work). There's no need to require that it not be accepted from clients, but it is easier to do that with a dedicated qtype. It can be added to: - RRSIG (semantically vacuous sans the associated RRset) - NSEC3 (not part of the zone's qname namespace). - ANY (if that's what the resolver chooses to do). However, to avoid forwarding junk reports to the monitoring agent, a resolver may well sensibly choose to not forward such queries, and only source them internally. The specification might also recommend that "stub" resolvers that forward most queries to a "full service" resolver, should send error reports *directly* to the monitoring agent. And, of course, "full service" resolvers MUST NOT *forward* the monitoring agent OPTION to clients, if they send such an option, it should be locally generated to signal the monitoring agent for the resolver itself. > Allocating a new QTYPE for this purpose just seems redundant. It is not. This is not a normal query, it is an error report. > >> This document gives no guidance on the content of the TXT resource > >> record RDATA for this record. > > > > The dedicated qtype should have an empty payload. > > We can require that the returned TXT record should record have an > empty payload. I would strongly prefer a dedicated qtype (with support from Puneet Sood). However, if the WG consensus is TXT, we'll grudginly cope. Would it make sense to raise this narrow question by the chairs as a consensus call? > > As mentioned above, making the "info-code" more significant than the > > domain gets in the way here. I did not see a response to the point about moving the info code to the least-significant label in the query (first or right after the leading "_er" if despite my exhortations that's retained). > > Instead, note that qname minimised queries will not have the same qtype > > (be it TXT or dedicated). Instead they'll typically be "A" or "NS", > > and also the reporting resolve should avoid all qname minimisation > > below the agent domain, unasking the question. > > Viktor, your optimisations (removing the _er labels) are premature as > it turns a deterministic process at the monitoring agent into a > heuristic process. I don't see how it becomes heuristic. The dedicated qtype signals an complete error reporting query, other qtypes are minimised variants. -- Viktor.
- [DNSOP] Working Group Last call for draft-ietf-dn… Benno Overeinder
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Wes Hardaker
- Re: [DNSOP] Working Group Last call for draft-iet… Benno Overeinder
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Willem Toorop
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Paul Wouters
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Wes Hardaker
- Re: [DNSOP] Working Group Last call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Benno Overeinder
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends