Re: [DNSOP] proposal: Covert in-band zone data
Ólafur Guðmundsson <olafur@cloudflare.com> Thu, 25 July 2019 17:26 UTC
Return-Path: <olafur@cloudflare.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7162D120172 for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2019 10:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qyAJtLJOFY2O for <dnsop@ietfa.amsl.com>; Thu, 25 Jul 2019 10:26:06 -0700 (PDT)
Received: from mail-wm1-x330.google.com (mail-wm1-x330.google.com [IPv6:2a00:1450:4864:20::330]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64BA91201B8 for <dnsop@ietf.org>; Thu, 25 Jul 2019 10:26:06 -0700 (PDT)
Received: by mail-wm1-x330.google.com with SMTP id s3so45690731wms.2 for <dnsop@ietf.org>; Thu, 25 Jul 2019 10:26:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tkBgSf9Ae8/32fjjttYHkAjeLevY28cbSJO8E6M50lY=; b=qItTiZeSKCQHMTVcbsqVarJ9k6VYeeMm0M7iehYrkVfc9CuBXIp4S0U4xD15SAPGti RFflTi/84Lw4/K7j1WieyHFlInYUQrMRHGmzeFoHUl/h2KV/xPCRoV1W7k4J18kXdFzK 1KXvt5ENkPSYKBulNG9Ydemhq0aVN52nWoF5A=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tkBgSf9Ae8/32fjjttYHkAjeLevY28cbSJO8E6M50lY=; b=K9I+t0oyPqhcpltNup9O6cLvtxaP8Mf+N74DB8nhkTfuOSifeqhnJT4oyFZTe9axyT 30lPdXi0PWFp7GeMY7ZrO+Paq3IWPsiF88EjPsubMB341F843wHbnNDwYHzs6c0vx7I/ evX+ejsQ/VyLD5DhHChnLUjW2BQbVphJsq+f5RSlWEyIgW8tnXuHzrDSgkAgUvTPfUX7 v7Cee0I9i2Lz5e74AcLwP0lUnGJnGMk4960viLB/xn0ID0otdGuqvanTLcV3Ewimq49m X7kIQM4CP4XwAPVv6Sjf0HO7rd1VTnUxUQVyKbvaRXX5yvxBmBOTjL5DNfsW4WJVVo7y xLvg==
X-Gm-Message-State: APjAAAVQK4SWKSgYBY5fpye76k1W0/VUoDU7bv74NYYKNV8FsNgTbts3 hSEoLVAlHmwH6RhK4w/WPs4UeTfSJ+axLeDOL+qPcA==
X-Google-Smtp-Source: APXvYqxGJuw3ecyhN4sgNcjcsOLFmgnVoyhE1sUPzFDJC/QpaCMRvr05g8AsJ654B2LrzfC16O4f/5bY3xct9NK/X8s=
X-Received: by 2002:a1c:cb01:: with SMTP id b1mr11542688wmg.69.1564075564581; Thu, 25 Jul 2019 10:26:04 -0700 (PDT)
MIME-Version: 1.0
References: <20190706213024.GA56650@isc.org> <alpine.BSF.2.21.9999.1907221704030.7062@bikeshed.isc.org>
In-Reply-To: <alpine.BSF.2.21.9999.1907221704030.7062@bikeshed.isc.org>
From: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Thu, 25 Jul 2019 13:25:52 -0400
Message-ID: <CAN6NTqymm6+OMet0sMZC0Ms5E_5mj_nwONk3fR19HwgWXYNB4Q@mail.gmail.com>
To: Dan Mahoney <dmahoney@isc.org>
Cc: Evan Hunt <each@isc.org>, dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006e1a8e058e84b875"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HV_kspXX6hcoXx28Rm-RPJn7we8>
Subject: Re: [DNSOP] proposal: Covert in-band zone data
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 17:26:11 -0000
On Mon, Jul 22, 2019 at 2:00 PM Dan Mahoney <dmahoney@isc.org> wrote: > After a hallway conversation with Evan yesterday, I wanted to clarify a > few things that I came across when working on this. Point one is the > use-case of NOTE. Point two is an argument for the general usefulness of > a COVERT record. > > On NOTE: > > I am an admin who uses my zone files as a source of truth -- which > include comments, versioning, and formatting. (I also commit to version > control, and there's a $Id: $ tag in my zonefiles.) > > I'd like the ability to have some degree of human-intended metadata > survive an AXFR, to be able to promote a slave copy of a zone to being > master, promote versioning, and keep my zonefiles readable within my > processes. I am not suggesting NOTE be anything but exactly what its name > implies: not a hook for some kind of inter-server transfers or private > keys, just things like "remove after 1/1/2020" or "allocated to group foo" > or even "generated from config DB on $date". I especially intend to > state, perhaps with stronger language, that NOTE SHOULD NOT used for > things intended to be machine-parsed the way we've overloaded TXT. > > I'm an operator. Among my credentials: I operate personal infrastructure, > ISC's infrastructure, and a nontrivial amount of the infrastructure for > the root zone. This is the operational input I'm told the IETF community > craves and suggests an issue of not getting until after a standard passes. > > Dan, I think all of this makes sense, what does not make sense is to stuff this into old "AXFR/IXFR" semantics. The draft is already changing how "upstream" deals with "downstream" in this proposal. My suggestion is to take a step back and say we have outgrown AXFR and we need better mechanism to sync various servers. Lets start work on a new "SYNC Name servers" protocol that can meet modern requirements My list of features that I would like to see: -- DNSSEC awareness (MIXFR) -- Long lived TLS connections that allow --- updates of multiple zones -- adding and removing of zones -- Configuring service parameters: online-keys, ACL's, logging status ...... -- even send back logging information This would allow us to get rid of Notify, catalog zones, and few other warts that have been added on over the years. Olafur > Best, > > -Dan > > On Sat, 6 Jul 2019, Evan Hunt wrote: > > > Colleages, > > > > Some years ago, Dan Mahoney and I submitted a draft describing a proposed > > mechanism for storing confidential zone comments alongside normal zone > > data - a NOTE RR, which would be transferrable from primary to secondary > > servers, but not accessible to ordinary DNS queries. It generated some > > iniital interest, but not much momentum, and we let the proposal lapse. > > > > More recently, Witold Krecicki had a very similar idea for a mechanism to > > disseminate private key data between primary and secondary servers. We > > talked it over and decided to expand the NOTE record semantics into a > > generic method for storing and transferring covert in-band zone data. > > > > The generic mechanism is described in draft-krecicki-dns-covert-00. It > > calls for the allocation of a range of "Covert-RR" type code values, > > which would have restrictions on their dissemenination. A primary server > > implementing Covert-RR types must not allow them to queried, nor to be > > transerred to a secondary server unless that server indicates via an EDNS > > option that it *also* understands Covert record semantics and will not > > transfer the data to any peer that doesn't. > > > > The original NOTE RR draft has been shrunk down and rewritten as a > > proposed use case for Covert RR's. Additional use cases will be coming > > in the future; in particular, draft-pusateri-dnsop-update-timeout seems > > like it might be a good candidate. > > > > Details are below. Please have a look. Thanks! > > > > -------- > > Name: draft-krecicki-dns-covert > > Revision: 00 > > Title: Domain Name System (DNS) Resource Record types for > transferring covert information from primary to secondaries > > Document date: 2019-07-06 > > Group: Individual Submission > > Pages: 6 > > URL: > https://www.ietf.org/internet-drafts/draft-krecicki-dns-covert-00.txt > > Status: > https://datatracker.ietf.org/doc/draft-krecicki-dns-covert/ > > Htmlized: https://tools.ietf.org/html/draft-krecicki-dns-covert-00 > > Htmlized: > https://datatracker.ietf.org/doc/html/draft-krecicki-dns-covert > > > > > > Abstract: > > The Domain Name System (DNS) Resource Record TYPEs IANA registry > > reserves the range 128-255 for Q-TYPEs and Meta-TYPEs [RFC6895] - > > Resource Records that can only be queried for or contain transient > > data associated with a particular DNS message. > > > > This document reserves a range of RR TYPE numbers for Covert-TYPEs - > > types that are an integral part of the zone but cannot be accessed > > via a normal QUERY operation. > > > > Uses for such records could include zone comments that are > > transferrable with the zone, expiry times for dynamically updated > > records, or Zone Signing Keys for inline signing. This document, > > however, does not define any specific Covert RR types. > > > > -------- > > Name: draft-hunt-note-rr > > Revision: 02 > > Title: A DNS Resource Record for Confidential Comments > (NOTE RR) > > Document date: 2019-07-06 > > Group: Individual Submission > > Pages: 4 > > URL: > https://www.ietf.org/internet-drafts/draft-hunt-note-rr-02.txt > > Status: https://datatracker.ietf.org/doc/draft-hunt-note-rr/ > > Htmlized: https://tools.ietf.org/html/draft-hunt-note-rr-02 > > Htmlized: https://datatracker.ietf.org/doc/html/draft-hunt-note-rr > > Diff: https://www.ietf.org/rfcdiff?url2=draft-hunt-note-rr-02 > > > > Abstract: > > While the DNS zone master file format has always allowed comments, > > there is no existing mechanism to preserve comments once the zone has > > been loaded into memory or converted to a binary representation. > > This note proposes a new RR type "NOTE", to be allocated from the > > Covert-RR type range proposed in [I-D.krecicki-dns-covert], so that > > confidential comments can be stored alongside zone data, and included > > in zone transfers when Covert semantics are supported by the > > secondary. > > > > _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org > > https://www.ietf.org/mailman/listinfo/dnsop > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > -- Ólafur Gudmundsson | Engineering Director www.cloudflare.com blog.cloudflare.com
- [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Brian Dickson
- Re: [DNSOP] proposal: Covert in-band zone data Richard Gibson
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Bill Woodcock
- Re: [DNSOP] proposal: Covert in-band zone data Wessels, Duane
- Re: [DNSOP] proposal: Covert in-band zone data jabley
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Tony Finch
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Matthew Pounsett
- Re: [DNSOP] proposal: Covert in-band zone data Samuel Weiler
- Re: [DNSOP] proposal: Covert in-band zone data Ólafur Guðmundsson
- Re: [DNSOP] proposal: Covert in-band zone data Paul Wouters
- Re: [DNSOP] proposal: Covert in-band zone data Evan Hunt
- Re: [DNSOP] proposal: Covert in-band zone data Tim Wattenberg
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Dan Mahoney
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Paul Ebersman
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Mark Andrews
- Re: [DNSOP] proposal: Covert in-band zone data Witold Krecicki
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data Bob Harold
- Re: [DNSOP] proposal: Covert in-band zone data Joe Abley
- Re: [DNSOP] proposal: Covert in-band zone data JW λ John Woodworth