Re: [DNSOP] Murray Kucherawy's Discuss on draft-ietf-dnsop-dns-catalog-zones-08: (with DISCUSS and COMMENT)
"Murray S. Kucherawy" <superuser@gmail.com> Tue, 14 February 2023 18:57 UTC
Return-Path: <superuser@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23C30C1782A0; Tue, 14 Feb 2023 10:57:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PRxSNubXPKyP; Tue, 14 Feb 2023 10:57:16 -0800 (PST)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E40EC187986; Tue, 14 Feb 2023 10:57:16 -0800 (PST)
Received: by mail-ed1-x52a.google.com with SMTP id s11so11105516edd.10; Tue, 14 Feb 2023 10:57:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+Bicfj2EuK10B8qGAdiGoehAI+lbyuPEwEzJMKFVrSA=; b=ArmfnWcKQTFyL7y5Wz1pHYnAZ1n4OoxwPwVCB9aZdpUFOI4B6Tty7q5NFCJMfSWcHD 5qxp/cC3O4whc/1UjWv+5WPpoKgORWYKsAJIAjFtPvzAf4TFTHE/6KMR5HyrY37IW53+ x0yz9qVFqSf2RLCad2vIz+S0XYED/ktTe9bvrbd747KOEus7KuJGv5YAShMjaUqj1GLY oCG49C4WrzHa23GxEdXqqyJt+8MgcqN4oSRBw26tk6TBLOXod8YXBXak/y8JSyelO/dj 7CbMZpYCr0npxdjCN8Nl5AL9NBY4BWv3kiq8wo2FpJ/MeOqEFiynFVK4v3c0ic2+IzV+ R7jw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+Bicfj2EuK10B8qGAdiGoehAI+lbyuPEwEzJMKFVrSA=; b=tJT32Xg2vn3J8JdYXU8XeMD+/7XyzyzqEAGbcHHx6kaRzEkXbz/X7rfF593HmNKvZF lDhdojhJB2cc2NWMN6TvDIot/C7o9m2Auycy3y//TaOnXVNE3Cc+fVJ70KuvVNnRhI/B swNZ94d9889Sr4hqNMA8knMPwhkRDp1JS30O8PdLoMForssMYrGn1bk4upqrnRXX0hEi njeI3A9myXNIQkuF56x4zQn1jCD7i4JLxqSIkDs3G+rWOWh7sfamE2rh452ndDLOwQGN JBi0JupFqupTszDnDovHYvFkup8sfsJlsc0D2ksF2fpovyuxbkstsmecElWLgVSEWNbv RgUg==
X-Gm-Message-State: AO0yUKWwKxKlQYZLkEOBkmkN6y+VaYuG2RUpYOKWuWpfopA52iVeldqV 5v8KleGpccYEyuQzQy39u/EXflUAnm+joO5wOKRsAyJH
X-Google-Smtp-Source: AK7set9vtSK2E/aAOOf24zMglI5VMnTh3Me+GN1oKqbHeLT4ArrI+znxlyJnklmVNbtsPrPPj1Ly9pqq9wZaOGCVE9g=
X-Received: by 2002:a50:d6d5:0:b0:4ac:cdd8:fbb5 with SMTP id l21-20020a50d6d5000000b004accdd8fbb5mr1711554edj.3.1676401034460; Tue, 14 Feb 2023 10:57:14 -0800 (PST)
MIME-Version: 1.0
References: <167226657909.17946.15087865938792018398@ietfa.amsl.com> <7e2da94f-e5ed-ec19-df23-ad4a9943668c@nlnetlabs.nl>
In-Reply-To: <7e2da94f-e5ed-ec19-df23-ad4a9943668c@nlnetlabs.nl>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Tue, 14 Feb 2023 10:57:02 -0800
Message-ID: <CAL0qLwan42jc1r7_u1HN-6wx=u6KR1iZ4KyuY-9m-daTxFBghQ@mail.gmail.com>
To: Willem Toorop <willem@nlnetlabs.nl>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dnsop-dns-catalog-zones@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com
Content-Type: multipart/alternative; boundary="0000000000002901fe05f4ad8837"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3cmU7Xz0AUGNMghpoy79uyYI7v4>
Subject: Re: [DNSOP] Murray Kucherawy's Discuss on draft-ietf-dnsop-dns-catalog-zones-08: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Feb 2023 18:57:21 -0000
On Tue, Feb 7, 2023 at 2:02 AM Willem Toorop <willem@nlnetlabs.nl> wrote: > Op 28-12-2022 om 23:29 schreef Murray Kucherawy via Datatracker: > > (1) It's expected (required?), with no actions for IANA, to expressly > include a > > section that says so. It's conspicuously missing here. > > We've added the section. > Yay! > > (2) Why is there no registry for custom properties? I can see that > Section 4.5 > > takes a run at dealing with the collision risk by SHOULDing a particular > way of > > naming custom properties, but it feels to me like a registry is the > right way > > to deal with this. As a consumer of this work, I might not want to > reveal (via > > names) which DNS implementation I'm using, for example. > > We (the co-authors) discussed this and do recognize that a registry for > *properties* is a good idea and have added that to the draft (with PR > https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/pull/67 > ) > Nice. The only thing I would say this needs now (per RFC 8126) is some guidance for the Designated Expert around what to consider a valid registration versus when to ask for changes. This isn't mandatory to provide, but it really is a good idea to put some advice here for future DEs. Since this isn't a strict requirement of RFC 8126, I'm going to clear my DISCUSS, but I suggest you consider adding some guidance text here. You and Warren can decide when it's ready to move forward. > > (3) I have a similar question about groups in Section 4.4.2; "nodnssec" > is an > > example of something that we might want to register with global > semantics, or > > more generally, that some values might be common in implementations and > > therefore worth documenting. > > Those group values are not for implementations, but for operators to > choose. We have done several modifications to clarify that: > - The group values now have non-descriptive names as to not suggest > that they have meanings in implementations (it's the operator that > determines the "meaning" and not the implementation) > - We have extended the lines about catalog producers publishing at > two consumer operators and how mapping of group values is a matter of > those producer/consumer relationships, so it now reads: > > "Implementations MAY facilitate mapping of a specific group > value to specific configuration configurable on a per catalog zone basis > to allow for producers that publish their catalog zone at multiple > consumer operators. Consumer operators SHOULD namespace their group > values to reduce the risk of having to resolve clashes." > OK. > > (4) Do we need a registry of names that are special in the context of > catalog > > zones, e.g., "zones", "ext", "group", "version", "coo", "invalid"? > > We have added a registry for catalog zones properties, already > provisioned with "zones", "ext", "group", "version" and "coo". > The latest version of the IANA registry (including "zones") can be seen > here: > > > https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/blob/master/draft-ietf-dnsop-dns-catalog-zones.md#iana-considerations-iana > > "invalid" is already part of the "Special use domain names" registry: > > > https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml OK. > > Separately: What action should be taken if a nameserver is already > > authoritative for a zone (say, is a primary), yet it receives a catalog > update > > that now contains that same zone? This seems like a possible attack that > > should be discussed. I guess the second-last paragraph of Section 7 > covers > > this, though indirectly. > > There is text for this in section 5.2: > > "If there is a clash between an existing zone's name (either from > an existing member zone or otherwise configured zone) and an incoming > member zone's name (via transfer or update), the new instance of the > zone MUST be ignored and an error SHOULD be logged." > Ah, you're right. Thanks for the pointer. > Could I trouble you for an example of a complete sample catalog zone, > perhaps > > in BIND format, in an appendix? I can see each individual concept > illustrated, > > but it would be helpful to see them assembled someplace. > > Ack. We've added a sample zone: > > > https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/blob/master/draft-ietf-dnsop-dns-catalog-zones.md#catalog-zone-example Thanks for this. You might consider adding some prose following the example that walks the reader through it, but this isn't strictly necessary. > We thought it couldn't harm to repeat this for clarity. Some reviewers > "stumbled" over the word "meaningless" so we rephrased this to: > > "Catalog consumers MUST ignore any RRs in the catalog zone for > which no processing is specified or which are otherwise not supported by > the implementation." > Fair enough. > > Section 4.1: > > > > Given the text in Section 3 (specifically that a catalog zone follows > the same > > rules as any other zone), is this section needed? The third paragraph > could be > > its own differently-named section, but the rest seems redundant. > > This has moved up and rephrased into one sentence: > > "A catalog zone MUST follow the usual rules for DNS zones. In > particular, SOA and NS record sets MUST be present and adhere to > standard requirements (such as [RFC1982])" > > Is that better? > Yep, thanks! I'm a little wary of redundant MUSTs (i.e., these are MUSTs that have been in effect for a really long time already), but I don't think they're harmful. > Section 4.2: > > > > The SHOULD at the end leaves implementers with a choice. Why might an > > implementer choose to do something other than what it says? Or should > this > > really be a MUST? > > As it is most likely that catalog producers and consumers hold the zone > authoritatively, TTLs shouldn't play a role as the records are not > cached anyway. However, we could imagine a catalog consumer processing > the catalog (or part of it) by performing queries. Such a consumer may > not have the choice to ignore TTLs when it is querying indirectly via a > resolver. SHOULD leaves the door open for other "kinds" of > implementations than we have now. > OK. > > Section 4.3: > > > > It doesn't say anywhere (unless I missed it) that the RRTYPEs of > properties are > > unspecified, and depend on the property. It might be good to make that > > explicit, because I kept searching for it. > > We said in the second half of the second sentence of the section: > > "with type(s) as appropriate for the respective property." > > We've changed "with type(s)" into "with RR types(s)" to make it clearer. > Thanks. > > Section 4.4.1: > > > > Regarding the last paragraph, is there any advice to pass on to > operators about > > how exactly one can tell when the COO is complete? > > Not really without querying all the secondaries, but at least > secondaries will pick it up if they either lost the notify or were down. > I suppose monitoring the network status of the secondary provider and > making sure the whole network has been up for at least the refresh time > of the catalog zone ... and then a bit more, would be a safe bet, but > it's very much dependent on the specific operational reality. > OK, I was just curious if there might be a way to close the loop here. > > Section 7: > > > > Why are the protections of zone transfers and updates only SHOULDs? > > It depends on the operational reality. Zone transfers may be using a > completely separate distribution network which is shielded from external > DNS access (with VPNs or UPDATES from an internal network or local > machine even). It is also not a MUST with zone transfers in general > which may also contain privacy sensitive or operational critical > information. > OK. Thanks for all this extra work. This is great stuff. -MSK
- [DNSOP] Murray Kucherawy's Discuss on draft-ietf-… Murray Kucherawy via Datatracker
- Re: [DNSOP] Murray Kucherawy's Discuss on draft-i… Willem Toorop
- Re: [DNSOP] Murray Kucherawy's Discuss on draft-i… Murray S. Kucherawy