IETF Logo Mail Archive

Re: [DNSOP] Incompatibility with indicating client support for EDE (draft-ietf-dnsop-structured-dns-error)

Tommy Pauly <tpauly@apple.com> Tue, 23 May 2023 02:44 UTC

Return-Path: <tpauly@apple.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 228D3C14CE4F for <dnsop@ietfa.amsl.com>; Mon, 22 May 2023 19:44:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=apple.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o2j70QcnWg9F for <dnsop@ietfa.amsl.com>; Mon, 22 May 2023 19:44:30 -0700 (PDT)
Received: from rn-mailsvcp-mx-lapp02.apple.com (rn-mailsvcp-mx-lapp02.apple.com [17.179.253.23]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4830C14CE54 for <dnsop@ietf.org>; Mon, 22 May 2023 19:44:30 -0700 (PDT)
Received: from rn-mailsvcp-mta-lapp03.rno.apple.com (rn-mailsvcp-mta-lapp03.rno.apple.com [10.225.203.151]) by rn-mailsvcp-mx-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RV300Q9GBM60E00@rn-mailsvcp-mx-lapp02.rno.apple.com> for dnsop@ietf.org; Mon, 22 May 2023 19:44:30 -0700 (PDT)
X-Proofpoint-ORIG-GUID: veQpswoX2ow0JFNOHgkWp4bLdU3Mmez0
X-Proofpoint-GUID: veQpswoX2ow0JFNOHgkWp4bLdU3Mmez0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.942 definitions=2023-05-10_04:2023-05-05, 2023-05-10 signatures=0
X-Proofpoint-Spam-Details: rule=interactive_user_notspam policy=interactive_user score=0 adultscore=0 spamscore=0 mlxlogscore=999 suspectscore=0 mlxscore=0 phishscore=0 bulkscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2304280000 definitions=main-2305100147
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=apple.com; h=from : message-id : content-type : mime-version : subject : date : in-reply-to : cc : to : references; s=20180706; bh=I3JounscKy2KDDDF3TquagGaKZDbEDkFjqOvYG8BhPw=; b=K8dmEv2U5Xaa0Lyvq7oQS0cnaCJvdFXXLfMvhnEaRSceVpIYHLDKWERQaCKsc0Fy8zkw BVVFjvOB8vYK9tOPCFQ1Gu9Pv6s8V5A3fSBI/b+Rp3Lj9VkEBFaRu0CO2XPlUPYoR6+S I+9yda0tIie6gr+P9VUSo356wDuAIhS8//Q02c6h2JP0nIo584zqyf+sqZrom2Bo23Op EEFO2wXxemdmFgbxdhkXE/E93noa44j4v76jf2bz64nqjPJIjt/MU18enpKONT3dVlJ8 F2aIUuWAXoChOHqL5wZ4uCXPFPyDfkkm6GLtaNwYkHJkZznHT2rvV/wUoxY0JC8bJjvs 8w==
Received: from rn-mailsvcp-mmp-lapp02.rno.apple.com (rn-mailsvcp-mmp-lapp02.rno.apple.com [17.179.253.15]) by rn-mailsvcp-mta-lapp03.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPS id <0RV300IJYBM6AUC0@rn-mailsvcp-mta-lapp03.rno.apple.com>; Mon, 22 May 2023 19:44:30 -0700 (PDT)
Received: from process_milters-daemon.rn-mailsvcp-mmp-lapp02.rno.apple.com by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) id <0RV300G00B8CCA00@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Mon, 22 May 2023 19:44:30 -0700 (PDT)
X-Va-A:
X-Va-T-CD: ee4c6c0660e4a98aa34d703cc3cd5142
X-Va-E-CD: 0b79d2ebc82ccddf39c2a87c6a53fc06
X-Va-R-CD: d9006b4b5f3e35bccc03845f7ae332f2
X-Va-ID: 9e1afd00-b1ab-4688-b8b9-d7f8a6893554
X-Va-CD: 0
X-V-A:
X-V-T-CD: ee4c6c0660e4a98aa34d703cc3cd5142
X-V-E-CD: 0b79d2ebc82ccddf39c2a87c6a53fc06
X-V-R-CD: d9006b4b5f3e35bccc03845f7ae332f2
X-V-ID: ea611e02-e444-41e4-a184-e2c88e083bbb
X-V-CD: 0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.573, 18.0.957 definitions=2023-05-22_18:2023-05-22, 2023-05-22 signatures=0
Received: from smtpclient.apple (unknown [17.234.82.115]) by rn-mailsvcp-mmp-lapp02.rno.apple.com (Oracle Communications Messaging Server 8.1.0.22.20230228 64bit (built Feb 28 2023)) with ESMTPSA id <0RV300Q8BBM5R200@rn-mailsvcp-mmp-lapp02.rno.apple.com>; Mon, 22 May 2023 19:44:30 -0700 (PDT)
From: Tommy Pauly <tpauly@apple.com>
Message-id: <A474412D-191B-48BD-8FC4-E07578E9C487@apple.com>
Content-type: multipart/alternative; boundary="Apple-Mail=_7E916B22-BF4F-4D0A-82A1-E9FB39CE9E59"
MIME-version: 1.0 (Mac OS X Mail 16.0 \(3762.100.4.1.11\))
Date: Mon, 22 May 2023 19:44:19 -0700
In-reply-to: <4A22932F-1980-438E-9B6A-176B82CECE50@isc.org>
Cc: Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
To: Mark Andrews <marka@isc.org>
References: <1BE5004E-B64D-407D-80F5-EB25D7BB671C@apple.com> <4A22932F-1980-438E-9B6A-176B82CECE50@isc.org>
X-Mailer: Apple Mail (2.3762.100.4.1.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/379u3zxumsDJoYXTZlEJadaDjMg>
Subject: Re: [DNSOP] Incompatibility with indicating client support for EDE (draft-ietf-dnsop-structured-dns-error)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 May 2023 02:44:35 -0000

Thanks, Mark.

For what it's worth, I just ran two other tests, and for both of these cases, all of the resolvers I tried did accept the request:
- Choose a new EDNS option code point (I just tested 50, randomly)
- Use EDE but set the length to 2 and the error to 0 (other error), rather than a length of 0

Both of these seem viable, and I’ll let the authors and WG decide which is the right way forward.

Best,
Tommy

> On May 22, 2023, at 5:00 PM, Mark Andrews <marka@isc.org> wrote:
> 
> 
> 
>> On 23 May 2023, at 02:20, Tommy Pauly <tpauly=40apple.com@dmarc.ietf.org> wrote:
>> 
>> Hello DNSOP,
>> 
>> In draft-ietf-dnsop-structured-dns-error, there’s a description of how clients should indicate that they understand extended DNS errors (EDE) by sending an empty EDE option. 
>> 
>> https://www.ietf.org/archive/id/draft-ietf-dnsop-structured-dns-error-02.html#name-client-generating-request
>> 
>> This is something that makes a lot of sense to me, and provides a great way to indicate that a client would prefer to receive proper blocked/filtered errors (with possible extra text) as opposed to a forged answer.
>> 
>> However, in testing this out, I’m seeing inconsistent compatibility with some public resolvers. I was testing enabling this for encrypted resolvers only, and I see the following behavior for a sampling of resolvers using DoH:
>> 
>> 1.1.1.1 - NOERROR, works fine!
>> 9.9.9.9 - NOERROR, works fine!
>> 8.8.8.8 - FORMERR on all responses
>> dns.adguard-dns.com - SERVFAIL on all responses
>> 
>> Do we think that this should be allowed in queries (and thus this is a bug in resolvers like 8.8.8.8 or AdGuard)? Or is there a problem with the approach this document is suggesting?
> 
> RFC 8914 left whether EDE in requests was permitted or not undefined.  I can see an EDE implementation making the option parser return FORMERR if the EDE option length was less than 2 and applying that to both requests and responses.  RFC 8914 really should have said that EDE in requests should be ignored and then there would have been a possibility on extending behaviour based on adding EDE to a request.  We are already 10 years into trying to fix unknown EDNS option behaviour and are still getting FORMERR on unknown EDNS options in requests.  If the working group want to allow extending EDE by adding it to a request is should obsolete RFC 8914 now with RFC8914bis that specifies that EDE in requests are to be ignored.
> 
> At the moment draft-ietf-dnsop-structured-dns-error-02 really should use another EDNS option code point.  It really is not backwards compatible with EDE the way it is currently specified. 
> 
> 
>> Best,
>> Tommy
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka@isc.org <mailto:marka@isc.org>
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org <mailto:DNSOP@ietf.org>
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email