Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information
Paul Wouters <paul@nohats.ca> Wed, 15 May 2019 17:23 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C0F61200CD for <dnsop@ietfa.amsl.com>; Wed, 15 May 2019 10:23:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZePASyUBfHu for <dnsop@ietfa.amsl.com>; Wed, 15 May 2019 10:23:53 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8518D120072 for <dnsop@ietf.org>; Wed, 15 May 2019 10:23:53 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4541cS0xJKzL6Z; Wed, 15 May 2019 19:23:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1557941032; bh=ahBEy0cm/KbTAs7GNC2tPjG9IfGZdMq/mfrpT3ScpnI=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=oXC3UKw3Vvk1DPcRQAkkLS7j1WSaojJmLyzE7Zn/V0t8mY6SRZtAEXG77nqAsfdO+ WoA8ZVxpr9LYOjD9kh/iS3XlzgYJ1xnXl9luoxm0l3St/3l6ZCo7NLEe3umauMLGW9 HnadfkIAxZLLZiVozQs505mF9L4cx1KwVWZiRDBo=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id dVBeTpmPH1Kh; Wed, 15 May 2019 19:23:50 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 15 May 2019 19:23:49 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 5D5F361D86; Wed, 15 May 2019 13:23:48 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 5D5F361D86
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 537D940016E6; Wed, 15 May 2019 13:23:48 -0400 (EDT)
Date: Wed, 15 May 2019 13:23:48 -0400
From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@icann.org>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <3BCCE28D-17C6-4367-A9C3-D0DCF56AB03A@icann.org>
Message-ID: <alpine.LRH.2.21.1905151256480.22294@bofh.nohats.ca>
References: <3BCCE28D-17C6-4367-A9C3-D0DCF56AB03A@icann.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JS7V6RqFDCtOSHV4OCtHZYGLEBM>
Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2019 17:23:58 -0000
On Tue, 30 Apr 2019, Paul Hoffman wrote: > Also note that this is explicitly only for resolvers; we might later do a second protocol for authoritative servers who want to give information about themselves (such as if they do DoT, if that moves forward in DPRIVE). The reason for the split is that a resolver that doesn't know the protocol here might pass the query on to the authoritative servers for the root or .arpa, and the response to the stub would then be ambiguous. I don't understand why you create a specific RRtype with "information to be filled in by other documents", yet feel the need to have one for resolvers, maybe another one for authoritative servers, and kind of combine "resolvers that could offer signed responses in their forward zone" together with "random unknown resolvers that cannot offer signed responses about their capabilities". I would prefer a generic "DNSINFO" that can be used in the forward and the reverse, and can contain resolver and authoritative properties. if the resolver can be configured to also be authoritative for some zones, it can use that configuration to actually be authoritative for "resolver-info.arpa". This is misleading. No one but AS112 or the arpa. TLD nameservers could be really answer "authoritative". Others would just pretend to be and lie. And really, you would want google to put this info into in a forward zone "dns.google.com" and not limit RESINFO (or DNSINFO) to the reverse zone. For example, if the stub knows that it wants information whose name is "temp-field2", it would send the query temp-field2.resolver-info.arpa/IN/RESINFO. I can see why you might want this, to allow for smaller return answers when the stub only cares about one of many pieces of resolver infomation that might be available, but it oddly puts DNS naming constrains in that information ? It also opens up pandora's box of IDN support. Any query for the RESINFO RRtype that is not in resolver-info.arpa/IN or a subdomain of resolver-info.arpa/IN is meaningless and MUST result in a NODATA or NXDOMAIN response. Do you expect this policing to be enforced in code? I think that's naive. Anyone who is not implementing this will treat is as a generic record and just relay it back. So it is bound to be violated. I wouldn't bother trying to police this. Also, I think there are valid use cases for RESINFO in the forward, eg if I have dns.nohats.ca on my owned IP as the resolver, so I can give you DNSSEC authenticatied answers. 3. Retrieving Resolver Information by Well-Known URI You offer a non-DNS method that can deliver (channel) authenticated answers, but you don't allow DNSSEC (data origin) authenticated answers? A resolver that uses this protocol to publish its information SHOULD, if possible, have a TLS certificate whose subject identifiers are any IP address that the resolver is available on Again lifting TLS over DNSSEC ? If the request was over DNS using a subdomain under resolver- info.arpa, the resolver SHOULD return an object that contains a name- value pair with that name if the resolver has that information. If the resolver does not have information for that name, it MUST NOT returen the name in the object. So what should it return? The options are 1) nothing or 2) all and the document should clearly specify which of the two is allowed and which is prefered. If the request was over HTTPS, the resolver SHOULD return an object with all known name-value pairs for which it has information. It is a little unclear whether this is part of the "a specific name was requested" case. And if the rules above for DNS/subdomains apply here. I think the authors are implying that HTTPS is so expensive in overhead and has no packet size issues, you might as well always return everything. If so, just state that more clearly. All names in the returned object MUST be defined in the IANA registry or begin with the substring "temp-". IETF tradition is to use a x- or X- prefix for this kind of thing. Why now use "temp-" ? "inventory": [ "inventory", "temp-field1", "temp-field2" ] I'm not sure how useful "inventory" is. It cannot be trusted anyway, so I think if I would write code for this, I would just completely gnore it anyway. The specification that is required for registration can be either an Internet-Draft or an RFC. I'm a little uneasy with this. If the draft is moving forward and we do an Early Code Point, that is fine. If it is a batshit crazy draft that will never get RFC status, it should not. You can see the Expert will handle with this, but sadly this text is followed by: The reviewer for this registry is instructed to generally be liberal in what they accept into the registry: as long as the specification that comes with the registration request is reasonably understandable, the registration should be accepted. Also, for those who would like to use DNS queries, size does matter. What to do if the inventory is too large for a DNS reply. What are the rules for choosing which content to include or not? Or are you expecting a truncated response and a TCP retry? There should be text about this. 6. Security Considerations It does not talk about putting this information in the forward zone of a named resolver (eg dns.nohats.ca) that can use DNSSEC to protect this information. Paul ps: NITS: when announcing drafts for people to read, including a URL is helpful :)
- [DNSOP] New draft, seeking comments: draft-sah-re… Paul Hoffman
- Re: [DNSOP] New draft, seeking comments: draft-sa… Paul Wouters
- Re: [DNSOP] New draft, seeking comments: draft-sa… John Levine
- Re: [DNSOP] [Ext] New draft, seeking comments: dr… Paul Hoffman
- Re: [DNSOP] [Ext] New draft, seeking comments: dr… John Levine
- Re: [DNSOP] [Ext] New draft, seeking comments: dr… Paul Wouters
- [DNSOP] draft-sah-resolver-information (revised) Paul Hoffman
- Re: [DNSOP] draft-sah-resolver-information (revis… Erik Nygren
- Re: [DNSOP] draft-sah-resolver-information-01 and… John Levine
- Re: [DNSOP] draft-sah-resolver-information (revis… Ben Schwartz
- Re: [DNSOP] [Ext] draft-sah-resolver-information … Paul Hoffman
- Re: [DNSOP] [Ext] draft-sah-resolver-information-… Paul Hoffman
- Re: [DNSOP] [Ext] draft-sah-resolver-information-… John R Levine
- Re: [DNSOP] draft-sah-resolver-information (revis… John R. Levine
- Re: [DNSOP] draft-sah-resolver-information (revis… John Dickinson
- Re: [DNSOP] [Ext] draft-sah-resolver-information … Paul Hoffman