Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information

Paul Wouters <paul@nohats.ca> Wed, 15 May 2019 17:23 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C0F61200CD for <dnsop@ietfa.amsl.com>; Wed, 15 May 2019 10:23:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZePASyUBfHu for <dnsop@ietfa.amsl.com>; Wed, 15 May 2019 10:23:53 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8518D120072 for <dnsop@ietf.org>; Wed, 15 May 2019 10:23:53 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4541cS0xJKzL6Z; Wed, 15 May 2019 19:23:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1557941032; bh=ahBEy0cm/KbTAs7GNC2tPjG9IfGZdMq/mfrpT3ScpnI=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=oXC3UKw3Vvk1DPcRQAkkLS7j1WSaojJmLyzE7Zn/V0t8mY6SRZtAEXG77nqAsfdO+ WoA8ZVxpr9LYOjD9kh/iS3XlzgYJ1xnXl9luoxm0l3St/3l6ZCo7NLEe3umauMLGW9 HnadfkIAxZLLZiVozQs505mF9L4cx1KwVWZiRDBo=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id dVBeTpmPH1Kh; Wed, 15 May 2019 19:23:50 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Wed, 15 May 2019 19:23:49 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 5D5F361D86; Wed, 15 May 2019 13:23:48 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 5D5F361D86
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 537D940016E6; Wed, 15 May 2019 13:23:48 -0400 (EDT)
Date: Wed, 15 May 2019 13:23:48 -0400 (EDT)
From: Paul Wouters <paul@nohats.ca>
To: Paul Hoffman <paul.hoffman@icann.org>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <3BCCE28D-17C6-4367-A9C3-D0DCF56AB03A@icann.org>
Message-ID: <alpine.LRH.2.21.1905151256480.22294@bofh.nohats.ca>
References: <3BCCE28D-17C6-4367-A9C3-D0DCF56AB03A@icann.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/JS7V6RqFDCtOSHV4OCtHZYGLEBM>
Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2019 17:23:58 -0000

On Tue, 30 Apr 2019, Paul Hoffman wrote:

> Also note that this is explicitly only for resolvers; we might later do a second protocol for authoritative servers who want to give information about themselves (such as if they do DoT, if that moves forward in DPRIVE). The reason for the split is that a resolver that doesn't know the protocol here might pass the query on to the authoritative servers for the root or .arpa, and the response to the stub would then be ambiguous.

I don't understand why you create a specific RRtype with "information to
be filled in by other documents", yet feel the need to have one for
resolvers, maybe another one for authoritative servers, and kind of
combine "resolvers that could offer signed responses in their
forward zone" together with "random unknown resolvers that cannot
offer signed responses about their capabilities".

I would prefer a generic "DNSINFO" that can be used in the forward and
the reverse, and can contain resolver and authoritative properties.




    if the resolver can be configured
    to also be authoritative for some zones, it can use that
    configuration to actually be authoritative for "resolver-info.arpa".

This is misleading. No one but AS112 or the arpa. TLD nameservers could be
really answer "authoritative".  Others would just pretend to be and lie.
And really, you would want google to put this info into in a forward zone
"dns.google.com" and not limit RESINFO (or DNSINFO) to the reverse zone.

    For example, if the stub knows that it
    wants information whose name is "temp-field2", it would send the
    query temp-field2.resolver-info.arpa/IN/RESINFO.

I can see why you might want this, to allow for smaller return answers
when the stub only cares about one of many pieces of resolver infomation
that might be available, but it oddly puts DNS naming constrains in that
information ? It also opens up pandora's box of IDN support.

    Any query for the RESINFO RRtype that is not in resolver-info.arpa/IN
    or a subdomain of resolver-info.arpa/IN is meaningless and MUST
    result in a NODATA or NXDOMAIN response.

Do you expect this policing to be enforced in code? I think that's
naive. Anyone who is not implementing this will treat is as a generic
record and just relay it back. So it is bound to be violated. I wouldn't
bother trying to police this. Also, I think there are valid use cases
for RESINFO in the forward, eg if I have dns.nohats.ca on my owned IP
as the resolver, so I can give you DNSSEC authenticatied answers.

 	3.  Retrieving Resolver Information by Well-Known URI

You offer a non-DNS method that can deliver (channel) authenticated
answers, but you don't allow DNSSEC (data origin) authenticated answers?

    A resolver that uses this protocol to publish its information SHOULD,
    if possible, have a TLS certificate whose subject identifiers are any
    IP address that the resolver is available on

Again lifting TLS over DNSSEC ?


    If the request was over DNS using a subdomain under resolver-
    info.arpa, the resolver SHOULD return an object that contains a name-
    value pair with that name if the resolver has that information.  If
    the resolver does not have information for that name, it MUST NOT
    returen the name in the object.

So what should it return? The options are 1) nothing or 2) all and the
document should clearly specify which of the two is allowed and which is
prefered.

    If the request was over HTTPS, the resolver SHOULD return an object
    with all known name-value pairs for which it has information.

It is a little unclear whether this is part of the "a specific name was
requested" case. And if the rules above for DNS/subdomains apply here. I
think the authors are implying that HTTPS is so expensive in overhead
and has no packet size issues, you might as well always return
everything. If so, just state that more clearly.

    All names in the returned object MUST be defined in the IANA registry
    or begin with the substring "temp-".

IETF tradition is to use a x- or X- prefix for this kind of thing. Why
now use "temp-" ?

       "inventory": [ "inventory", "temp-field1", "temp-field2" ]

I'm not sure how useful "inventory" is. It cannot be trusted anyway, so
I think if I would write code for this, I would just completely gnore it
anyway.


    The specification that is required for registration can be either an
    Internet-Draft or an RFC.

I'm a little uneasy with this. If the draft is moving forward and we do
an Early Code Point, that is fine. If it is a batshit crazy draft that
will never get RFC status, it should not. You can see the Expert will
handle with this, but sadly this text is followed by:

    The reviewer for this registry is
    instructed to generally be liberal in what they accept into the
    registry: as long as the specification that comes with the
    registration request is reasonably understandable, the registration
    should be accepted.

Also, for those who would like to use DNS queries, size does matter.

What to do if the inventory is too large for a DNS reply. What are the
rules for choosing which content to include or not? Or are you expecting
a truncated response and a TCP retry? There should be text about this.

 	6.  Security Considerations

It does not talk about putting this information in the forward zone
of a named resolver (eg dns.nohats.ca) that can use DNSSEC to protect
this information.


Paul
ps: NITS: when announcing drafts for people to read, including a URL is helpful :)