IETF Logo Mail Archive

Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-requirements

"Wessels, Duane" <dwessels@verisign.com> Wed, 21 April 2021 23:29 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF6C93A3B2D for <dnsop@ietfa.amsl.com>; Wed, 21 Apr 2021 16:29:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XMyh1cehbZim for <dnsop@ietfa.amsl.com>; Wed, 21 Apr 2021 16:29:22 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0C003A3B2C for <dnsop@ietf.org>; Wed, 21 Apr 2021 16:29:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=13589; q=dns/txt; s=VRSN; t=1619047762; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=GvH8n7ELaVUgXzjrJ4HLVET8IuXI2o3zkHHuQiVODms=; b=Uco0DkGDBkYnSXcEvqLuKP/zxUi0b6Ya9OmMCHr0avZNX5DUG+8+7Krj AjUe8SkRzdUdsfas/wUpcYrbiCJRpKvNzNvTjbDjylSUlgSYDkfNG5CWy sg4yP6dtdHjioCFtsuXi2+7ARkGCjSsVjDfCZoFx8UNwRuc39vqxM7PhY njzvk7D8gaGEXtYR46kxo5rpvzeQP6cpmcnkb7yS4MYjEfks6s5JdTKKN DTI6qpVzPt4EMoUKy13NKyxrSVi49w9bCShpkxA5oAMUldepauCo94pnA o8kGqqiflNnbSml/ublQUdrt0zceGXI1H9YzWVpASVLZSrU2wOvLiJvKs w==;
IronPort-SDR: 7N23nXsUCVPFb+nl6dFn346gku49Gj5MJw5QfVBGE+SRTSXzI31oM2hlUNjaYFnSNbwmKdVdBx QyWCBuu0g++v08GidoQOXSVs650yWOYXQ7Vgso+hq0IyL/S5WOtY+GKCBkxJbq6GNuFKgaIfTG 9oTDDkgUb/k/dJICSturtM80YP8AVa9EKAoCqmKw3ZEu9CUh+6P1vgufFhv8aw8uz7iCgmuCMd v9caAKYdvYzLKHTRCr42FcVIO7uH21yBmdz4FjE4kNCTsMw2juqft3Jkg2etTdQyCnhv4az0v9 8Tk=
IronPort-HdrOrdr: A9a23:ba+uqqvSF1wlt/0R92UgIwgU7skD4dV00zAX/kB9WHVpW+afkN 2jm+le6AT9jywfVGpltdeLPqSBRn20z+8R3aA6O7C+UA76/Fa5NY0K1/qB/xTMEzDzn9Q86Y 5OaK57YeefMXFfreLXpDa1CMwhxt7vys+VrNzTxXtsUg1mApsIhztRMBqREUF9WWB9dPkEPa ebj/AnmxOQPVoaacihDmQIUqzpt7Tw+K7OUFojCwQ84AeDyRGl+NfBeSSw71M7XylUybkvtV LZlRf0j5/Pj9igxgTC23To45NapdvkxrJ4b/Cxtg==
X-IronPort-AV: E=Sophos; i="5.82,241,1613451600"; d="p7s'?scan'208"; a="6747648"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2242.4; Wed, 21 Apr 2021 19:29:19 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2242.008; Wed, 21 Apr 2021 19:29:19 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Joe Abley <jabley@hopcount.ca>
CC: Suzanne Woolf <suzworldwide@gmail.com>, "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [EXTERNAL] [DNSOP] WGLC for draft-ietf-dnsop-tcp-requirements
Thread-Index: AQHXNwYn+W+2sHKI6EuBVfNpEgN/Ig==
Date: Wed, 21 Apr 2021 23:29:19 +0000
Message-ID: <4CB0C0D8-CC73-4B74-8FA4-F914DC533C59@verisign.com>
References: <93D82731-7B33-4E39-8DEF-FF6C14803191@gmail.com> <9FDEDB22-997A-479A-9EC8-818988BC1A79@hopcount.ca>
In-Reply-To: <9FDEDB22-997A-479A-9EC8-818988BC1A79@hopcount.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.4)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_98ED09A7-8274-4AFF-AD97-B436E3FC2EA0"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/38Qx10lbV6WzBFDn-PQQ0XaK4uA>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 23:29:27 -0000


> On Apr 19, 2021, at 4:31 AM, Joe Abley <jabley@hopcount.ca> wrote:
> 
> 
> Hi Suz,
> 
> On 18 Apr 2021, at 19:17, Suzanne Woolf <suzworldwide@gmail.com> wrote:
> 
>> This message starts the Working Group Last Call for draft-ietf-dnsop-tcp-requirements (https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-tcp-requirements/)
> 
> I have read draft-ietf-dnsop-dns-tcp-requirements-07 and have the following comments, in flagrant defiance of George's advice to ship the document based mainly on considerations of age. :-)

Thanks Joe!

> 
> I think these are all fairly minor.
> 
> 
> Abstract, Section 4.4 "DNS-over-TLS"
> 
> The abstract includes the sentence "This includes both DNS over unencrpted TCP, as well as over an encrypted TLS session." The later section 4.4 says "this document applies equally well to DNS-over-TLS'.
> 
> The inclusion of DoT looks like an afterthought that has not been entirely afterthought-through. The procedural updates to 1034 in section 3 clearly don't apply to RFC 7858; the justifiable confusion about transports in the DNS (the main topic of this document) also doesn't apply to 7858 which only specifies use of TLS, not DTLS.
> 
> I suggest that this document is really only concerned with strengthening the requirements around the use of TCP transport as described in 1034 and 1035 and that mentioning any other transport is unhelpful and arguably introduces more confusion. I think that sentence should be changed in the abstract to reflect that and section 4.4 should be removed. I would not be surprised to hear that this DoT text was added precisely to address some other earlier reviewer's opinion to the contrary, but this is what I think.

IIRC, DNS-over-TLS was added to this draft following a working group discussion at IETF 104.  I can easily be convinced to remove it, but I would like to hear more people supporting its removal.  I know Tony Finch also already raised questions about including DNS-over-TLS.


> 2.3 EDNS0
> 
> RFC 6891 uses the notation EDNS(0), not EDNS0. Since 6891 obsoletes 2671 it seems reasonable to adopt its notation. I suggest going all search and replace on that.

Okay, done.

> 
> 2.4 Fragmentation and Truncation
> 
> The second paragraph does not mention another fundamental problem with stateless protocols over IPv6 when datagrams require truncation, which is that the requirement in v6 to fragment and resent from the source is not possible when the source has not retained any state regarding to the response that was just sent. While I had my hands in the patient I also added a small reference to tunnel encaps in IPv4.
> 
> OLD:
> 
>    For IPv4-connected hosts, the de-facto MTU is often the Ethernet
>    payload size of 1500 bytes.  This means that the largest unfragmented
>    UDP DNS message that can be sent over IPv4 is likely 1472 bytes.  For
>    IPv6, the situation is a little more complicated.  First, IPv6
>    headers are 40 bytes (versus 20 without options in IPv4).  Second, it
>    seems as though some people have mis-interpreted IPv6's required
>    minimum MTU of 1280 as a required maximum.  Third, fragmentation in
>    IPv6 can only be done by the host originating the datagram.  The need
>    to fragment is conveyed in an ICMPv6 "packet too big" message.  The
>    originating host indicates a fragmented datagram with IPv6 extension
>    headers.  Unfortunately, it is quite common for both ICMPv6 and IPv6
>    extension headers to be blocked by middleboxes.  According to
>    [HUSTON] some 35% of IPv6-capable recursive resolvers were unable to
>    receive a fragmented IPv6 packet.
> 
> NEW:
> 
>    For IPv4-connected hosts, the MTU is often the Ethernet payload
>    size of 1500 bytes.  This means that the largest unfragmented
>    UDP DNS message that can be sent over IPv4 is likely 1472 bytes,
>    although tunnel encapsulation may reduce that maximum message
>    size in some cases.
> 
>    For IPv6, the situation is a little more complicated.  First,
>    IPv6 headers are 40 bytes (versus 20 without options in IPv4).
>    Second, it seems as though some people have mis-interpreted
>    IPv6's required minimum MTU of 1280 as a required maximum.  Third,
>    fragmentation in IPv6 can only be done by the host originating
>    the datagram.  The need to fragment is conveyed in an ICMPv6
>    "packet too big" message.  The originating host indicates a
>    fragmented datagram with IPv6 extension headers.  Unfortunately,
>    it is quite common for both ICMPv6 and IPv6 extension headers
>    to be blocked by middleboxes. According to [HUSTON] some 37% of
>    IPv6-capable recursive resolvers were unable to receive a
>    fragmented IPv6 packet.  Even if the originating host does receive
>    a signal that fragmentation is required, the stateless nature
>    of the DNS protocol is such that the host does not generally
>    retain a copy of the message concerned and hence is unable to  
>    fragment and re-send anyway. 

Thanks, I've added your new text here.

But was the change of Geoff's numbers from 35% to 37% intentional?  I got 35% from this part of the cited article:

    We saw 10,115 individual IPv6 addresses used by IPv6-capable recursive
    resolvers.  Of this set of resolvers, we saw 3,592 resolvers that
    consistently behaved in a manner that was consistent with being unable
    to receive a fragmented IPv6 packet.

Maybe we should meet in the middle (and I should round up) and call it 36%?


> 
> The third paragraph refers to "BIND" without a reference. While it seems ridiculous to imagine that anybody my age would not know what BIND was (ignoring the distinction that has been made between BIND and BIND9) there are other popular products today and terrible young people who are wandering all over my lawn. I think a reference would be useful.

Done.


> 
> The fifth paragraph refers to "growing sentiment in the DNSSEC community" which would benefit from being anchored in time, ideally with a citation.

Cited the 2015 article "Making the Case for Elliptic Curves in DNSSEC" by Rijswijk-Deij et. al.

> 
> 
> 2.5 "Only Zone Transfers Use TCP"
> 
> Second paragraph: replace "historic" ("having importance in or influence on history") with "historical" ("based on past events or set in the past").

Done.

> 
> 
> 4.1 "Connection Establishment and Admission"
> 
> Third paragraph might benefit from a reference to RFC 5358/BCP 140.

Done.

DW

v2.23.0 | Report a Bug | By Email