Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver-information-00.txt

Neil Cook <neil.cook@noware.co.uk> Fri, 11 October 2019 13:41 UTC

Return-Path: <neil.cook@noware.co.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3407F120103 for <dnsop@ietfa.amsl.com>; Fri, 11 Oct 2019 06:41:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.107
X-Spam-Level:
X-Spam-Status: No, score=-1.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8QOrwRR7AJv for <dnsop@ietfa.amsl.com>; Fri, 11 Oct 2019 06:41:02 -0700 (PDT)
Received: from mail.noware.co.uk (unknown [IPv6:2604:a880:0:1010::add:2001]) by ietfa.amsl.com (Postfix) with ESMTP id C9DAC1200D6 for <dnsop@ietf.org>; Fri, 11 Oct 2019 06:41:02 -0700 (PDT)
Received: from [192.168.1.170] (unknown [86.178.6.223]) by mail.noware.co.uk (Postfix) with ESMTPSA id F350E1C056C for <dnsop@ietf.org>; Fri, 11 Oct 2019 13:31:49 +0000 (UTC)
From: Neil Cook <neil.cook@noware.co.uk>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 11 Oct 2019 14:41:00 +0100
References: <156624288737.19884.5252170663574668911@ietfa.amsl.com>
To: dnsop@ietf.org
In-Reply-To: <156624288737.19884.5252170663574668911@ietfa.amsl.com>
Message-Id: <A8482079-FC91-414D-B0EF-E016606E9093@noware.co.uk>
X-Mailer: Apple Mail (2.3445.104.11)
X-VADE-SPAMSTATE: clean
X-VADE-SPAMSCORE: 0
X-VADE-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedufedrieehgdeilecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfpgffknfevqffqmfenuceurghilhhouhhtmecufedttdenucenucfjughrpefhtgfgggfuffhfvfgjkffosehtqhhmtdhhtdejnecuhfhrohhmpefpvghilhcuvehoohhkuceonhgvihhlrdgtohhokhesnhhofigrrhgvrdgtohdruhhkqeenucffohhmrghinhepihgvthhfrdhorhhgnecukfhppeekiedrudejkedriedrvddvfeenucfrrghrrghmpehinhgvthepkeeirddujeekrdeirddvvdefpdhhvghloheplgduledvrdduieekrddurddujedtngdpmhgrihhlfhhrohhmpefpvghilhcuvehoohhkuceonhgvihhlrdgtohhokhesnhhofigrrhgvrdgtohdruhhkqedprhgtphhtthhopegunhhsohhpsehivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedt
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Fl9aztwpbXzc_mHuYZ2RmFLkz_w>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver-information-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Oct 2019 13:41:14 -0000

I have some comments on this draft.

I’m particularly concerned about the extremely common use-case where a DNS proxy is used in front of the actual resolver; this is the case for many home routers/CPEs, particularly those provided by ISPs. They tend to give out DNS via DHCP on a private IP address e.g. 192.168.0.x, and then use dnsmasq (or homegrown software) to proxy to the actual resolver of the ISP located in the network on a public IP address.

TL;DR - there are two mechanisms defined in this draft. The first mechanism "Retrieving Resolver Information by DNS” seems like it would work ok with the above scenario. The second mechanism "Retrieving Resolver Information by Well-Known URI” would require changes to every CPE of the type described above, which IMO makes it unworkable for that scenario. (BTW for CPE insert any kind of DNS proxy/forwarder, which would have the same issue).

My main concern is that given that there are two mechanisms specified, clients may choose only to implement one of them. The draft doesn’t appear to specify that client authors must implement one or the other, or both. So I’d like to see the draft mandate that if only one of the mechanisms is implemented, it must be the "Retrieving Resolver Information by DNS” method.

I’d like to see the draft give due consideration to this very common use-case, (both CPEs and the more general case of DNS proxies/forwarders). 

A few additional comments which I think need to be considered:

- For the Well-Known URI mechanism by resolver IP, clearly private IP addresses can never get valid certificates, so even if CPEs were to implement this mechanism, they can never be authenticated.

- For the DNS method, given that a resolver never knows if DNS proxies are being used (in CPEs or elsewhere) or indeed what IP addresses are being used behind those proxies, I would imagine that at a minimum it would need to answer RESINFO queries for *all* RFC1918 addresses. This does then lead to the question, why include the IP address in the query at all? I assume the answer is “DNSSEC”, but see below for some more questions/comments on that.

- There is an acknowledgement "Erik Kline suggested using "<reverse-ip>.{in-addr,ip6}.arpa" as the
   domain name to allow for the possibility of DNSSEC-signed responses.”

I think it’s worth noting that RESINFO queries for private IP addresses will never be able to generate DNSSEC-signed responses. Also given the restriction "Authoritative servers MUST NOT answer queries that are defined in this protocol.” it seems unlikely that many resolvers would be capable of generating DNSSEC-signed responses, especially given that resolvers and authoritative servers tend to be completely separate entities these days.

This also begs the question, why create that restriction at all? Why must Authoritative Servers not answer those queries? The draft also states that "if the resolver can be configured to also be authoritative for some zones, it can use that configuration to actually be authoritative for the addresses on which it responds.” Which seems to contradict the previous MUST NOT - surely this is an implementation detail that should not be mentioned in an IETF draft?

Neil Cook

> On 19 Aug 2019, at 20:28, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
> 
>        Title           : DNS Resolver Information Self-publication
>        Authors         : Puneet Sood
>                          Roy Arends
>                          Paul Hoffman
> 	Filename        : draft-ietf-dnsop-resolver-information-00.txt
> 	Pages           : 9
> 	Date            : 2019-08-19
> 
> Abstract:
>   This document describes methods for DNS resolvers to self-publish
>   information about themselves, such as whether they perform DNSSEC
>   validation or are available over transports other than what is
>   defined in RFC 1035.  The information is returned as a JSON object.
>   The names in this object are defined in an IANA registry that allows
>   for light-weight registration.  Applications and operating systems
>   can use the methods defined here to get the information from
>   resolvers in order to make choices about how to send future queries
>   to those resolvers.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-resolver-information/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-resolver-information-00
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-resolver-information-00
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>