IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements

Daniel Migault <mglt.ietf@gmail.com> Mon, 21 November 2022 15:11 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34F1CC1527A1; Mon, 21 Nov 2022 07:11:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJmuDTHWoIbd; Mon, 21 Nov 2022 07:11:37 -0800 (PST)
Received: from mail-oa1-x31.google.com (mail-oa1-x31.google.com [IPv6:2001:4860:4864:20::31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64ACEC15271B; Mon, 21 Nov 2022 07:11:37 -0800 (PST)
Received: by mail-oa1-x31.google.com with SMTP id 586e51a60fabf-13c2cfd1126so13988128fac.10; Mon, 21 Nov 2022 07:11:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=sFhWX1TJnALdQr571G4aEg4zGu0eB7fGXnFH7DtaHvc=; b=N2L+kJg5+yPj6xmdsQhTm9BgCKkWtHD47Uh3HfUAdDUGizGpPzFW43+cksR0F3xCsd iHFiX3XF9l7iQP0peXACNGDNquSeCh53Z8LBzqhSY24TsXnsdZUuqpn815U+nrG8Oxqc dvQS/4EBtELDNjja6BEwy9kZiMKcNSSwQd503sboQ1ljEvaNStnlX2cC4OEBAubSI8js qQby8haWbYQGawb9GDUuc8dofcislzcLSg6V0vScc+yEQmKHxXF9/k+DvvRGkxzsgntm DpkOrD9QN9YHANGo6l4WilTiLvV2rLW1eDos1fGoHkqNUtA2ps2P4VywMGzFr7gjylt1 KvPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=sFhWX1TJnALdQr571G4aEg4zGu0eB7fGXnFH7DtaHvc=; b=FoAgqLioWNKhFcmlHRAYEPJD1u6wY3TQnf28AufZdKRHgCzm+Ve4KuaHjRkVegmx3v +KuGMHIKWkpBEadjIFsoorUJJcMtbRZKRBgwrqJtXHJTemTSmBb50DBQYOX0gzqx0uvE LgYrDGtIfWHKkgWwZbmwXSG0t7QPA5np/fvfmL+OI/VarrDbJLXJ7CtKmR+EryzbsVkN /Jw0vm4YJTAaA2GeG8anT8ZV1/DbUfb+8/5Z5uJwPMvCwDcC2FuBBgmIdltSs9ZN0+iz J/czUkBoIoECpO0XxkaAdzoBEyBYJCRBQZcdhMICrAN8gYQ2daYBcLiLGLKdPxPRdb7c xxzw==
X-Gm-Message-State: ANoB5pmrQxYxozgqcrvVusfg8f3KLLa9yPASOP/8UFQmAN6Q+ZJynuJD 2j7PWeWHxNDF6ujXNTRYmnwNFwnSr/xXOGs5eBo=
X-Google-Smtp-Source: AA0mqf4+i66e7Ttcj41LavqtUOGzgAkUytdTIDd98g+gQvD4BJ7tM6ac46n7VSRRK+h95epoG4xMfE0LTzQFI5/5iCo=
X-Received: by 2002:a05:6870:591:b0:13b:bbbb:1623 with SMTP id m17-20020a056870059100b0013bbbbb1623mr3233600oap.115.1669043496580; Mon, 21 Nov 2022 07:11:36 -0800 (PST)
MIME-Version: 1.0
References: <CADyWQ+FwRaSdpSWXBDqCG9ZPNPiG4pGUx37PVtExbqVPr5ZfmA@mail.gmail.com> <CAH1iCircmyXimM34VrGfYYjPAD6u7pf7sLwZOnVeQRKyGEKu+g@mail.gmail.com>
In-Reply-To: <CAH1iCircmyXimM34VrGfYYjPAD6u7pf7sLwZOnVeQRKyGEKu+g@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 21 Nov 2022 10:11:25 -0500
Message-ID: <CADZyTkkiEtScoAaw0buXkn8S8NsVK3xTjrTNZwFXM1LCwJsWog@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ba792305edfc7847"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FWjChKVCMhBi44CyhM3tWcH-vX4>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2022 15:11:38 -0000

Hi Brian,

Thanks for the feedback. I do think that it is relevant to add the proposed
text to the document. I have published a PR, feel free to let me know if
the text and recommendations are fine to you and feel free to update the PR.

[1]
https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/pull/9/commits/5177f1b460db5a6db89b4c73032838441de1840b

Yours,
Daniel

On Wed, Oct 19, 2022 at 5:21 PM Brian Dickson <brian.peter.dickson@gmail.com>
wrote:

>
>
> On Wed, Oct 19, 2022 at 12:22 PM Tim Wicinski <tjw.ietf@gmail.com> wrote:
>
>>
>>
>> This starts a Working Group Last Call for
>> draft-ietf-dnsop-dnssec-validator-requirements
>>
>> Current versions of the draft is available here:
>>
>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/
>>
>> The Current Intended Status of this document is: Informational
>>
>> Please review the draft and offer relevant comments.
>> If this does not seem appropriate please speak out.
>> If someone feels the document is *not* ready for publication, please
>> speak out with your reasons.
>>
>> This starts a two week Working Group Last Call process, and ends on:  2
>> November 2022
>>
>>
> Here are some suggested additions to the document, both general, and where
> appropriate, more specific in nature.
>
> It may seem obvious to those familiar with operating DNS servers
> (resolvers and authority servers), especially in the context of DNSSEC, but
> given recent operation experience, I think the following need to be
> highlighted explicitly, possibly in a new section (e.g. immediately after
> section 12 in the document):
>
> DNSSEC validation requires that the validator is able to reliably obtain
> necessary records, especially DNSKEY records. This should be done at
> initial configuration, and tested periodically.
>
> This means the validator MUST ensure it is configured so that the UDP and
> TCP transports, and DNS resolver components, are compatible with the
> network paths that the majority of DNS queries traverse.
>
> In other words, make sure that:
>
>    - DNS UDP bufsize (EDNS parameter) is set to a value compatible with
>    network MTUs the queries and responses will encounter.
>       - If the validator advertises a bufsize >> MTU, responses with the
>       DF bit set and response size R where MTU < R <= bufsize will be dropped by
>       any router with MTU < R.
>    - The validator's OS TCP configuration has its advertised MSS set to a
>    value compatible with network MTUs the queries and responses will encounter.
>       - Having an advertised MSS set to a value < MTU ensures that Path
>       MTU Discovery is not required
>       - If PMTUD fails for any reason, or if the server responding does
>       not maintain or use PMTUD, and advertised MSS > MTU at any point in the
>       path, TCP may encounter problems caused by IP fragmentation and reassembly.
>       - This is particularly relevant if there are any NAT type devices
>       in the path, as those may not properly handle fragmentation and reassembly
>       - If all TCP segments are smaller than the path MTU, TCP will work
>       reliably.
>
> We (GoDaddy) recently investigated a number of problems where the root
> cause was one or more of the above situations.
> While we have adjusted some of the server-side parameters, those can only
> accommodate clients within an acceptable range of MTUs that we anticipate
> will occur.
> The avoidance of fragmentation in order to address known
> fragmentation-related security issues with DNS (leading to cache poisoning,
> for example) has resulted in the need to set the DF bit on UDP.
> Validators will need to ensure their local environment can reliably get
> any critical DNSSEC records (notably DNSKEY) over UDP, or reliably get
> responses with TC=1 if overly large responses cannot be sent over UDP due
> to answers not fitting within the advertised bufsize payload.
> Validators also need to ensure TCP works if it is needed, for the same
> situations.
>
> Brian
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
Daniel Migault
Ericsson

v2.23.0 | Report a Bug | By Email