Re: [DNSOP] Alias mode processing in auths for draft-ietf-dnsop-svcb-https-01

Tony Finch <dot@dotat.at> Tue, 11 August 2020 22:18 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A38933A0C7A; Tue, 11 Aug 2020 15:18:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bKdvT626avjI; Tue, 11 Aug 2020 15:18:49 -0700 (PDT)
Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [131.111.8.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C69853A0C77; Tue, 11 Aug 2020 15:18:48 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:51526) by ppsw-33.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1k5cbW-000vJ0-gU (Exim 4.92.3) (return-path <dot@dotat.at>); Tue, 11 Aug 2020 23:18:46 +0100
Date: Tue, 11 Aug 2020 23:18:45 +0100
From: Tony Finch <dot@dotat.at>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
cc: dnsop <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>, Pieter Lexis <pieter.lexis@powerdns.com>
In-Reply-To: <CAHbrMsBPyrgbbjx0_-w2Ysky63edtw3kKEBu7DrgDCfP_-GBBw@mail.gmail.com>
Message-ID: <alpine.DEB.2.20.2008112302420.21650@grey.csi.cam.ac.uk>
References: <00cfd965-bf69-d1cb-2df3-1a9bb110d7e0@powerdns.com> <CAHbrMsAJ-cbcW3v4T34f8-gzgzgHSkoBO545_Y3N8D6rof7Nmw@mail.gmail.com> <CAH1iCipZ25XaES0C4MFt3+aOm=d1U5LKigJe5AwKUWG-+yETFw@mail.gmail.com> <alpine.DEB.2.20.2008102304160.21650@grey.csi.cam.ac.uk> <CAHbrMsCePLp=vaw3fgf611TfnFpeUaV3xkCT5BSH3yzu-XZ1rg@mail.gmail.com> <alpine.DEB.2.20.2008112129160.21650@grey.csi.cam.ac.uk> <CAHbrMsBPyrgbbjx0_-w2Ysky63edtw3kKEBu7DrgDCfP_-GBBw@mail.gmail.com>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Al8qL69KE5bv5-S6bJrd3HNfnVU>
Subject: Re: [DNSOP] Alias mode processing in auths for draft-ietf-dnsop-svcb-https-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2020 22:18:51 -0000

Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
>
> > > If the server does not complete this procedure (e.g. due to response size
> > > limits), it MUST remove any SOA records from the Additional section.
> > > Recursive resolvers MAY use the presence of an SOA record in the Additional
> > > section to enable negative caching of the follow-up queries, as in
> > > {{?RFC2308}}.
> >
> > I'm not sure I understand this paragraph. Truncation is normally from the
> > end of the additional section backwards, so it is really weird to drop
> > records from the authority section first. SOA (start of authority) records
> > go in the authority section not the additional section
>
>
> In this procedure, "all returned records" for follow-up queries are added
> to the Additional section.  Therefore, there could be SOA records in the
> Additional section.

I thought the target types were just A, AAAA, SVCB, so where does the SOA
come from?

> > The DNS doesn't allow a client to know that additional data doesn't exist
> > when it is omitted from a response. It sucks, but that's the way it is.
> >
>
> Yes; this proposal would change that in this case.  If you think it won't
> work, I'd love to know why.

I can't see anything in the current SVCB draft that would change this.
There's simply no way to put a negative answer in an additional section
(without DNSSEC) - RFC 2308 relies on the context of the message header
and query sections and they don't exist for additional records.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
protect and enlarge the conditions of liberty and social justice