Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-03.txt

Joe Abley <> Sat, 27 May 2023 11:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B527CC151069 for <>; Sat, 27 May 2023 04:23:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Jr4vossyVWMw for <>; Sat, 27 May 2023 04:23:48 -0700 (PDT)
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by (Postfix) with ESMTPS id 08985C14CF1C for <>; Sat, 27 May 2023 04:23:48 -0700 (PDT)
Date: Sat, 27 May 2023 11:23:36 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=protonmail; t=1685186625; x=1685445825; bh=q3PeFmkzHutfz3nMEz50BkIboYMrLggO5+e9FawOmls=; h=Date:To:From:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=gq+VkUZh68s59+DC/7QEXRSfulgJiiADaqSDhnMtKjH21fx2CjdN5lGUp5j7qsNkG 1R8/uWQmN8w6ZtSl1Okd22HDjBbQjV/Ln7CCdTHwhoKvbfVQobk/TGxBWEkxIDng1F WbgdOiXZ+Q16w3x3ypRnj10dAvr+OYaRT70YbeclinKO07q95WTL86F477dPt6j5fs lcWVM37yEfBKCW+xcegp8wF4mD6+Tns+Shd4Lld8t8OPSfrhy9uVEfcCkMgy3TsQin nAPToDROecFTFXyZwJA/IO+koKGoFyLRb4OcNeFi14Sv9ZspyEPNhbequgJdQgL4Op ipvsZzB8WDI4Q==
From: Joe Abley <>
Message-ID: <>
In-Reply-To: <>
References: <>
Feedback-ID: 73263797:user:proton
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1_YRMujtVcPfq2dW9kk9Mm06v91Ae8uxqmTmIrvPDBs"
Archived-At: <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-structured-dns-error-03.txt
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 27 May 2023 11:23:52 -0000

On Sat, May 27, 2023 at 04:50, <[](mailto:On Sat, May 27, 2023 at 04:50,  <<a href=)> wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This Internet-Draft is a work item of the Domain Name System
> Operations (DNSOP) WG of the IETF.
> Title : Structured Error Data for Filtered DNS
> Authors : Dan Wing
> Tirumaleswar Reddy
> Neil Cook
> Mohamed Boucadair
> Filename : draft-ietf-dnsop-structured-dns-error-03.txt
> Pages : 21
> Date : 2023-05-26

I see this version still has the text citing resinfo in the security considerations section.

As I said earlier (below, but with a subject that perhaps wasn't very helpful) I think this needs some more thought.


---------- Forwarded message ----------
From: Joe Abley <>
Date: On Fri, May 26, 2023 at 11:34
Subject: Fw: Re: [ietf-wg-dnsop/draft-ietf-dnsop-structured-dns-error] Client requests including empty EDE isn't currently interoperable (Issue #26)
To: <>

[This arrived the other day from github, and I don't know what kind of mess I will make if I just group-reply to it, so I'm following up on the list. List seems better for general discussion anyway.]

On Tue, May 23, 2023 at 23:25, Dan Wing <[](mailto:On Tue, May 23, 2023 at 23:25, Dan Wing <<a href=)> wrote:

> The justification for signaling draft-ietf-add-resolver-info is in Security Considerations where it currently says:
> An attacker might inject (or modify) the EDE EXTRA-TEXT field with an DNS proxy or DNS forwarder that is unaware of EDE. Such a DNS proxy or DNS forwarder will forward that attacker-controlled EDE option. To prevent such an attack, clients supporting this document MUST discard the EDE option if their DNS server does not signal EDE support via RESINFO [I-D.ietf-add-resolver-info]. As recommended in [I-D.ietf-add-resolver-info], RESINFO should be retrieved over an encrypted DNS channel or integrity protected with DNSSEC.
> should we soften that? The authors have argued back and forth on the risk of this attack versus deployment, code, and operational complexity of draft-ietf-add-resolver-info signaling.

RESINFO provides a statement of intent about what you can expect from a particular resolver service. I am not convinced it is an adequate substitute for a negotiation of capabilities between the endpoints of a DNS transaction.

For many significant DNS servers that we arguably care most about troubleshooting problems with (and hence where extended error codes might provide the most benefit) the particular server (host, process, implementation) that handles a query sent to address A is usually not the same server that handles the next query sent to the same address.

The root servers are an example of a set of servers that use anycast with intentionally-different DNS implementations deployed in different places. Most resolver clusters relied upon by any significant population of clients are not single instances of software bound to an address on just one host interface.

Software and metadata (in general) is routinely released incrementally, meaning that the software running on one particular origin server in an anycast deployment is not in general the same as that on other servers, and cannot always be expected to behave the same (otherwise you would never be able to roll out or roll back new features).

EDNS options are attached to a particular response and refer to that self-same transaction, which is why they are a good choice for things like EDE, NSID, buffer negotiation, etc.

(NSID is an improvement over CH/TXT/HOSTNAME.BIND or CH/TXT/ID.SERVER for the same kind of reasons that I'm waving my hands about here.)

Information published by RESINFO (or by other means disconnected from the transaction about which information is required, on a web page maybe, on a mailing list!) seems like good input to a human troubleshooting expedition but a poor choice for a client that is trying to make real-time, automated decisions about how to handle a request for name resolution.

I think perhaps this risk and its suggested mitigation need some more thought.

(I'm not actually sure I agree this is a risk that needs a mitigation.)