Re: [DNSOP] DNS Grease?
Shumon Huque <shuque@gmail.com> Wed, 28 February 2024 15:10 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C2E1C14F696 for <dnsop@ietfa.amsl.com>; Wed, 28 Feb 2024 07:10:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jwUFHYwMEUNM for <dnsop@ietfa.amsl.com>; Wed, 28 Feb 2024 07:10:53 -0800 (PST)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23EEFC14F690 for <dnsop@ietf.org>; Wed, 28 Feb 2024 07:10:53 -0800 (PST)
Received: by mail-yb1-xb2b.google.com with SMTP id 3f1490d57ef6-dc6d8bd618eso5866733276.3 for <dnsop@ietf.org>; Wed, 28 Feb 2024 07:10:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709133052; x=1709737852; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Zle0VQOHpAShs1mF23gwxSDC+h8aLZ9J1FWMN0AkkUk=; b=UhKkFSKBAldIVN/2nIXfcqL+yKHA012+tm3Y84puoE6tnWztgRLtMalIxbyXjtWOtG u1+iZAwulOH74j7ngz9ViQyl5IiGj3X4uMv4ZpoRPKbt75bRpD5t1uApivPlZVE9EE0d xyQ0HZJ+rJT1XafVKcFAUz7L2zzUHPNOrAJOwTfBELiZr4bHd5TBqNSST8VAvaurskHG wZkrZBIlV2ja+QK/0oJSVRo7bkrsILr0G33WsZgLA22TeZWkE2+lqZvcJmF0dfJSX/Lf jZsgh4OTbjB6aQROt86TWblYvVLMz9xlgJyay/LphgVNaTkO7PT724yMEsEZwCCjFx1n QOHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709133052; x=1709737852; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Zle0VQOHpAShs1mF23gwxSDC+h8aLZ9J1FWMN0AkkUk=; b=u/akfoIRhU+OFukmYiMOSU6Wsrr0XGdMhxQNE2SmXDpuZsEY3wnNvn6CYT/5r/dXzY SRRhwqPtKWVHAp9Bvhcaj/q3tWhOlRhef2AOvzAXqugFkR823LD8q1RI2P4vthJEQMQ+ X+aTZS2+AkNeNhWQmr/3GhS+e1Z2doSL8esn3tuqWYjaxObd9nTNDGTvBk86klQFCNzp vBby7fXFvbh0H6N99adn9sIVeRX5epcNgyjoNblc0Uf3IfNbqsgSmPH5Mf5DBSDxyzNR gOkYDYay8uXh51PDCF5na2bZlhGmADwZGl02Um4xFFU7/WS4sBnYFtc9Fmk5PqzIzO8X jMyA==
X-Gm-Message-State: AOJu0YxCP+OmFSwYv6uV9bMYQSfVojIX8AmJY6SGEHUjDUpqAl5QBSWO /Yzel0e/4m6AzeUGzjB19F2hR+1JZO7RjgcFiHOVXg+RwN8xLgbf4a2Mard7tPkau3+xgMbPzbZ gPwTIwyQ9VDJnYrQxmchsnHkAVMo=
X-Google-Smtp-Source: AGHT+IGDwxldt6qdxtgV3uE1ngjv40woh3CQrQKr+phGD7YVqHVWTwMjnF+3TIgd1L//KJWh94FtkjY/kmfFF+CvatY=
X-Received: by 2002:a25:aa29:0:b0:dc7:4c92:16a3 with SMTP id s38-20020a25aa29000000b00dc74c9216a3mr2453063ybi.27.1709133052118; Wed, 28 Feb 2024 07:10:52 -0800 (PST)
MIME-Version: 1.0
References: <CAHPuVdUiRbUT6ODa8UDSSkyjuzHgkQxJ5xrb9_OZH5oR7aWYDg@mail.gmail.com> <CAKr6gn3CTaRc82Wak+vn5vehK0CCzZ6meREHhi0vdhd9Zgd-gg@mail.gmail.com> <96CE9D37-480F-4B7A-B9A1-65D8F7AC9078@isc.org> <CAHPuVdVOGGVHhVm0j0SBj8T1r1+ZGD+mUew_W7XFgaJ70VSq1g@mail.gmail.com> <CAKr6gn0NyYXjRxtOo2-CXSniYRGRQ8sUYVFUZn9BtAsbryoPCA@mail.gmail.com> <68F5F9FD-3A76-4FF0-8224-4C036135EF0E@isc.org> <CAPDSy+6iMsffp2q4JtH+0O4fy9YX5Q7gTpdKP3hM5WQ0TNtVQQ@mail.gmail.com>
In-Reply-To: <CAPDSy+6iMsffp2q4JtH+0O4fy9YX5Q7gTpdKP3hM5WQ0TNtVQQ@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Wed, 28 Feb 2024 10:10:40 -0500
Message-ID: <CAHPuVdWSJgwdjVV1zSNHF9EuvKpHhwGb_C3+E-tsqyeg363U+Q@mail.gmail.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000720d6b0612728c39"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/8z4zflMJkL-NTrwlnLNo-qpLSdM>
Subject: Re: [DNSOP] DNS Grease?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2024 15:10:55 -0000
Thanks for your comments David. I hope it will progress too, and good to hear that that grease worked well for TLS and QUIC. On random vs reserved values, we do intend to propose some reserved ranges (there is a placeholder section in the draft for this already). And then try to have a debate about the pros and cons (e.g. is reservation just going to cause middleboxes to treat the greasing range specially, etc). For the larger fields, yes, we could allocate larger reserved ranges and pick randomly from those. For the smaller fields (that accommodate just a discrete set of flags, rather than a number), we could reserve just a small handful of flags. For any proposal that uses purely random unallocated code points, I think we'd need software to have pre-configured (or configurable) end-of-test dates as one way to avoid future interoperability issues. Even for the larger ranges though, there is a more granular classification (such as data vs meta vs q-types in the RR-type space) where more nuanced treatment is needed, such as defining multiple reserved ranges and expecting distinct response behavior for each. Shumon. On Tue, Feb 27, 2024 at 5:59 PM David Schinazi <dschinazi.ietf@gmail.com> wrote: > I think this draft is a great idea and I'd love to see it progress. GREASE > did well in TLS and worked wonders in QUIC - it helped us catch multiple > real production issues early on. > > That said, I do worry about the idea of using random unallocated values. > Not all software gets updated, and no software gets updated immediately > worldwide, so this idea is bound to cause interoperability failures down > the road. For the 16-bit values, definitely allocate a few hundred GREASE > codepoints and then pick a random one from that allocated list. For the > fields smaller than 8 bits, things are obviously more difficult but I think > you'll be much better off reserving a much smaller number of codepoints and > using those instead of using random ones. One instance of an non-updated > implementation spraying what values it thinks are unallocated could be > enough to prevent future extensibility. > > David > > On Mon, Feb 26, 2024 at 10:39 PM Mark Andrews <marka@isc.org> wrote: > >> Yep, we are in a much better position than we were in 2019. Most >> failures are >> well < 1% when talking to authoritative servers. Broken firewall >> defaults have >> been fixed and mostly deployed. >> >> > On 27 Feb 2024, at 16:41, George Michaelson <ggm@algebras.org> wrote: >> > >> > so yet again, I voice things which show my ignorance, not yours. I >> > thank you for the gentle clue-stick hit, it was educational. >> > >> > -G >> > >> > On Tue, Feb 27, 2024 at 12:24 PM Shumon Huque <shuque@gmail.com> wrote: >> >> >> >> On Tue, Feb 27, 2024 at 12:01 AM Mark Andrews <marka@isc.org> wrote: >> >>> >> >>> >> >>>> On 27 Feb 2024, at 15:53, George Michaelson <ggm@algebras.org> >> wrote: >> >>>> >> >>>> Not in any way to stop this specific draft, I wonder if this is a >> more >> >>>> general principle of exercising code points which are not marked >> >>>> "never to be used" and should also be raised cross-area, or in >> another >> >>>> place? >> >>>> >> >>>> Maybe the best path is to get this proved here, and then >> embrace-extend. >> >>> >> >>> Sure there are a lot of places where this should be done. This is >> going >> >>> to cover DNS. >> >> >> >> >> >> Yup, and although Mark and I have been mulling this for DNS for a >> number >> >> of years now, the general principle has also been discussed elsewhere >> (see >> >> the references to greasing) and RFC 8701 describes greasing for TLS. >> >> >> >> We should track that work too, but this draft can focus on the DNS use >> case. >> >> >> >> Shumon. >> >> >> >> -- >> Mark Andrews, ISC >> 1 Seymour St., Dundas Valley, NSW 2117, Australia >> PHONE: +61 2 9871 4742 INTERNET: marka@isc.org >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop >> > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] DNS Grease? Shumon Huque
- Re: [DNSOP] DNS Grease? George Michaelson
- Re: [DNSOP] DNS Grease? Mark Andrews
- Re: [DNSOP] DNS Grease? Shumon Huque
- Re: [DNSOP] DNS Grease? George Michaelson
- Re: [DNSOP] DNS Grease? Mark Andrews
- Re: [DNSOP] DNS Grease? David Schinazi
- Re: [DNSOP] DNS Grease? Shumon Huque
- Re: [DNSOP] DNS Grease? Brian Dickson
- Re: [DNSOP] DNS Grease? David Schinazi
- Re: [DNSOP] DNS Grease? Brian Dickson
- Re: [DNSOP] DNS Grease? David Schinazi
- Re: [DNSOP] DNS Grease? Brian Dickson
- Re: [DNSOP] DNS Grease? Mark Andrews