Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
Daniel Migault <mglt.ietf@gmail.com> Mon, 21 November 2022 15:11 UTC
Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34F1CC1527A1; Mon, 21 Nov 2022 07:11:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BJmuDTHWoIbd; Mon, 21 Nov 2022 07:11:37 -0800 (PST)
Received: from mail-oa1-x31.google.com (mail-oa1-x31.google.com [IPv6:2001:4860:4864:20::31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64ACEC15271B; Mon, 21 Nov 2022 07:11:37 -0800 (PST)
Received: by mail-oa1-x31.google.com with SMTP id 586e51a60fabf-13c2cfd1126so13988128fac.10; Mon, 21 Nov 2022 07:11:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=sFhWX1TJnALdQr571G4aEg4zGu0eB7fGXnFH7DtaHvc=; b=N2L+kJg5+yPj6xmdsQhTm9BgCKkWtHD47Uh3HfUAdDUGizGpPzFW43+cksR0F3xCsd iHFiX3XF9l7iQP0peXACNGDNquSeCh53Z8LBzqhSY24TsXnsdZUuqpn815U+nrG8Oxqc dvQS/4EBtELDNjja6BEwy9kZiMKcNSSwQd503sboQ1ljEvaNStnlX2cC4OEBAubSI8js qQby8haWbYQGawb9GDUuc8dofcislzcLSg6V0vScc+yEQmKHxXF9/k+DvvRGkxzsgntm DpkOrD9QN9YHANGo6l4WilTiLvV2rLW1eDos1fGoHkqNUtA2ps2P4VywMGzFr7gjylt1 KvPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=sFhWX1TJnALdQr571G4aEg4zGu0eB7fGXnFH7DtaHvc=; b=FoAgqLioWNKhFcmlHRAYEPJD1u6wY3TQnf28AufZdKRHgCzm+Ve4KuaHjRkVegmx3v +KuGMHIKWkpBEadjIFsoorUJJcMtbRZKRBgwrqJtXHJTemTSmBb50DBQYOX0gzqx0uvE LgYrDGtIfWHKkgWwZbmwXSG0t7QPA5np/fvfmL+OI/VarrDbJLXJ7CtKmR+EryzbsVkN /Jw0vm4YJTAaA2GeG8anT8ZV1/DbUfb+8/5Z5uJwPMvCwDcC2FuBBgmIdltSs9ZN0+iz J/czUkBoIoECpO0XxkaAdzoBEyBYJCRBQZcdhMICrAN8gYQ2daYBcLiLGLKdPxPRdb7c xxzw==
X-Gm-Message-State: ANoB5pmrQxYxozgqcrvVusfg8f3KLLa9yPASOP/8UFQmAN6Q+ZJynuJD 2j7PWeWHxNDF6ujXNTRYmnwNFwnSr/xXOGs5eBo=
X-Google-Smtp-Source: AA0mqf4+i66e7Ttcj41LavqtUOGzgAkUytdTIDd98g+gQvD4BJ7tM6ac46n7VSRRK+h95epoG4xMfE0LTzQFI5/5iCo=
X-Received: by 2002:a05:6870:591:b0:13b:bbbb:1623 with SMTP id m17-20020a056870059100b0013bbbbb1623mr3233600oap.115.1669043496580; Mon, 21 Nov 2022 07:11:36 -0800 (PST)
MIME-Version: 1.0
References: <CADyWQ+FwRaSdpSWXBDqCG9ZPNPiG4pGUx37PVtExbqVPr5ZfmA@mail.gmail.com> <CAH1iCircmyXimM34VrGfYYjPAD6u7pf7sLwZOnVeQRKyGEKu+g@mail.gmail.com>
In-Reply-To: <CAH1iCircmyXimM34VrGfYYjPAD6u7pf7sLwZOnVeQRKyGEKu+g@mail.gmail.com>
From: Daniel Migault <mglt.ietf@gmail.com>
Date: Mon, 21 Nov 2022 10:11:25 -0500
Message-ID: <CADZyTkkiEtScoAaw0buXkn8S8NsVK3xTjrTNZwFXM1LCwJsWog@mail.gmail.com>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Tim Wicinski <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ba792305edfc7847"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/FWjChKVCMhBi44CyhM3tWcH-vX4>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-dnssec-validator-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Nov 2022 15:11:38 -0000
Hi Brian, Thanks for the feedback. I do think that it is relevant to add the proposed text to the document. I have published a PR, feel free to let me know if the text and recommendations are fine to you and feel free to update the PR. [1] https://github.com/mglt/draft-mglt-dnsop-dnssec-validator-requirements/pull/9/commits/5177f1b460db5a6db89b4c73032838441de1840b Yours, Daniel On Wed, Oct 19, 2022 at 5:21 PM Brian Dickson <brian.peter.dickson@gmail.com> wrote: > > > On Wed, Oct 19, 2022 at 12:22 PM Tim Wicinski <tjw.ietf@gmail.com> wrote: > >> >> >> This starts a Working Group Last Call for >> draft-ietf-dnsop-dnssec-validator-requirements >> >> Current versions of the draft is available here: >> >> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-validator-requirements/ >> >> The Current Intended Status of this document is: Informational >> >> Please review the draft and offer relevant comments. >> If this does not seem appropriate please speak out. >> If someone feels the document is *not* ready for publication, please >> speak out with your reasons. >> >> This starts a two week Working Group Last Call process, and ends on: 2 >> November 2022 >> >> > Here are some suggested additions to the document, both general, and where > appropriate, more specific in nature. > > It may seem obvious to those familiar with operating DNS servers > (resolvers and authority servers), especially in the context of DNSSEC, but > given recent operation experience, I think the following need to be > highlighted explicitly, possibly in a new section (e.g. immediately after > section 12 in the document): > > DNSSEC validation requires that the validator is able to reliably obtain > necessary records, especially DNSKEY records. This should be done at > initial configuration, and tested periodically. > > This means the validator MUST ensure it is configured so that the UDP and > TCP transports, and DNS resolver components, are compatible with the > network paths that the majority of DNS queries traverse. > > In other words, make sure that: > > - DNS UDP bufsize (EDNS parameter) is set to a value compatible with > network MTUs the queries and responses will encounter. > - If the validator advertises a bufsize >> MTU, responses with the > DF bit set and response size R where MTU < R <= bufsize will be dropped by > any router with MTU < R. > - The validator's OS TCP configuration has its advertised MSS set to a > value compatible with network MTUs the queries and responses will encounter. > - Having an advertised MSS set to a value < MTU ensures that Path > MTU Discovery is not required > - If PMTUD fails for any reason, or if the server responding does > not maintain or use PMTUD, and advertised MSS > MTU at any point in the > path, TCP may encounter problems caused by IP fragmentation and reassembly. > - This is particularly relevant if there are any NAT type devices > in the path, as those may not properly handle fragmentation and reassembly > - If all TCP segments are smaller than the path MTU, TCP will work > reliably. > > We (GoDaddy) recently investigated a number of problems where the root > cause was one or more of the above situations. > While we have adjusted some of the server-side parameters, those can only > accommodate clients within an acceptable range of MTUs that we anticipate > will occur. > The avoidance of fragmentation in order to address known > fragmentation-related security issues with DNS (leading to cache poisoning, > for example) has resulted in the need to set the DF bit on UDP. > Validators will need to ensure their local environment can reliably get > any critical DNSSEC records (notably DNSKEY) over UDP, or reliably get > responses with TC=1 if overly large responses cannot be sent over UDP due > to answers not fitting within the advertised bufsize payload. > Validators also need to ensure TCP works if it is needed, for the same > situations. > > Brian > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > -- Daniel Migault Ericsson
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Brian Dickson
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Brian Dickson
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Florian Obser
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Vladimír Čunát
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Livingood, Jason
- Re: [DNSOP] Working Group Last Call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter Thomassen
- Re: [DNSOP] Working Group Last Call for draft-iet… Daniel Migault