Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt

Michael Casadevall <michael@casadevall.pro> Mon, 26 March 2018 15:33 UTC

Return-Path: <michael@casadevall.pro>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 514FE1277BB for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 08:33:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.424
X-Spam-Level: *
X-Spam-Status: No, score=1.424 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_SBL_CSS=3.335, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZHqWpWzOsBti for <dnsop@ietfa.amsl.com>; Mon, 26 Mar 2018 08:33:48 -0700 (PDT)
Received: from casadevall.pro (casadevall.pro [IPv6:2600:3c00::f03c:91ff:febb:64e9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13447129C51 for <dnsop@ietf.org>; Mon, 26 Mar 2018 08:33:48 -0700 (PDT)
Received: from [192.168.2.2] (cpe-68-174-119-246.nyc.res.rr.com [68.174.119.246]) by casadevall.pro (Postfix) with ESMTPSA id 48A311F81B for <dnsop@ietf.org>; Mon, 26 Mar 2018 15:33:47 +0000 (UTC)
To: dnsop@ietf.org
References: <7CF21F70-9419-4D6A-B555-FC229F90E8A9@isc.org> <5AB546CB.3030408@redbarn.org> <CCAE4014-67F8-4E73-A893-AA06B83E880B@isc.org> <20180324124958.GA29255@puck.nether.net> <CAJhMdTPRn=mUQ6xh_HFdFLBk109b_M2+saS86KFxsttb8_oVvw@mail.gmail.com> <20180325080558.GA18671@isc.org> <066C83F5-5E1C-4DF8-8D45-A7E9F3A44673@vpnc.org> <DCE31CFA-534E-451F-B743-E022F62C7516@isc.org> <20180326124544.GA32080@isc.org> <552cfda4-572b-7c88-b5b8-0cda5c49e2fd@casadevall.pro> <20180326145729.GA35023@isc.org>
From: Michael Casadevall <michael@casadevall.pro>
Message-ID: <446d939d-5353-2f31-3b3f-7097e2c13a54@casadevall.pro>
Date: Mon, 26 Mar 2018 11:33:50 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <20180326145729.GA35023@isc.org>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4_GbH7TqiWithAD8O-d4kVNoYKE>
Subject: Re: [DNSOP] New Version Notification for draft-sury-deprecate-obsolete-resource-records-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Mar 2018 15:33:49 -0000


On 03/26/2018 10:57 AM, Evan Hunt wrote:
>>> 2. responders SHOULD NOT compress rdata when rendering obsolete/deprecated
>>>    type records to wire format.
>>>
>>
>> The problem here is that right up until the point the camel declares
>> these RRtypes dead, the specification specifically allows them to be
>> compressed.
> 
> But it's always allowed them not to be compressed, too. The trouble
> PowerDNS had was because it wasn't expecting compression, but I would
> expect the opposite problem (failing because something *didn't* compress)
> to be rarer.
> 

Right, it just happens the DNS compression is common. RFC 3597-compliant
resolvers will just take whatever blob they get and kick it along.
Anything with specific support for these types realistically are going
to support the uncompressed variants limiting interop issues.

>>  1. Authoritative servers SHOULD warn when loading zones with obsolete
>> record types
>>
>>  2. Resolvers MUST never send obsolete RRtypes in a compressed format.
> 
> Problem here: If the resolver is treating the record as opaque, then it
> can only send it along in whatever format it was received in, so this
> requirement doesn't work as written. But I think what you mean is that
> even if the resolver is able to parse compressed rdata, it MUST NOT
> compress when sending the answer along to its own client. This is
> re-stated in point 5, below.
> 

Ah, misthink. You got my intent right, but it should be specifically
written as such.

2. Resolvers MUST never generate obsolete RRtypes in a compressed
format. If (in line with below) the resolver receives a record in
compressed form, it MUST be decompressed before being sent to downstream
resolvers as though. Resolvers SHOULD warn that they are unpacking
records in transit.

How's that sound? I'm still somewhat iffy on my understanding of DNSSEC
RRSIG canonical forms, but if I understood the RFCs correctly, the
uncompressed record should match the canonical form the RRSIG validates
against to which in turn is identical to RFC 3597 (aside from WKS,
although RFC 2136 suggests it only applies in the case of DNS update and
not validation)

It specifically states you're allowed to understand, but thou must not
speak. If there's a DNSSEC concern, it should be noted though I don't
think it's a showstopper in and of itself. As previously stated, I very
much doubt these records are commonly if ever signed.

>>  3. Signers MUST treat rdata as opaque
>>
>>  4. Obsolete RRtypes MUST never be treated as a known-type with respect
>> to the wire protocol
>>
>>  5. Resolvers MAY support legacy compression for received data for
>> backward compatibility if desired, but SHOULD warn if such information
>> is received. Compressed records MUST never be re-transmitted.
> 
> You use MUSTs where I used SHOULDs, but I think we're both pointing
> in the same direction.
> 

My thought process here with MUST is we're basically saying that
compressing these types is no longer valid behavior. You can understand
it for backwards compatibility, but if you're compliant with this new
RFC, you're basically asserting you will not generate compressed
responses. It also somewhat aids the process of the special case
disappearing from the internet.

I see no reason why we should allow them unless someone can come up with
an actual usecase (I haven't had a chance to read RFC 2136 in-depth but
it looks like it should work just fine with uncompressed records).
Michael