Re: [DNSOP] Working Group Last Call

神明達哉 <jinmei@wide.ad.jp> Thu, 29 September 2016 18:32 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54ADA12B21D for <dnsop@ietfa.amsl.com>; Thu, 29 Sep 2016 11:32:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2J07LQ7uYawj for <dnsop@ietfa.amsl.com>; Thu, 29 Sep 2016 11:32:25 -0700 (PDT)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5822012B21C for <dnsop@ietf.org>; Thu, 29 Sep 2016 11:32:24 -0700 (PDT)
Received: by mail-qk0-x22b.google.com with SMTP id z190so85774275qkc.3 for <dnsop@ietf.org>; Thu, 29 Sep 2016 11:32:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=fXe58MmZWpo1SOWoo4r52WYGl1637erbhhXUFP6cs30=; b=LFdXdfd7+L8V9V7NeqspyQYkdVGrVLsX2L1VuyMSbjHH6fLH10EqlaBAwtS3DQ9VDJ 7caeYSRT/nPfr3TLznv3KOXbt0oKvYjo4CMc8gClh72m/ETKBpyt6dxOfS65XhvGcUs5 uLL+6SsoyNe0WnADSi468jyHk8lBGZ0zHnAVwMqu4CAe8KqNHGLU0LNqAcbs8G0755DL +bHP2XzviB/9MezwDk4MCB0+f00Ux+VQQVX6nevzN++NfvJyVuAvZI4f7+A9Mdgpp9Jt +dbKJF/MulaRJSuFf7Y1BTAevk0SL0Ea7bTs3FQ3ZkN/XjakSFtJk12pT5tRk8qz+D5W xVEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=fXe58MmZWpo1SOWoo4r52WYGl1637erbhhXUFP6cs30=; b=GEIujU0oZO0AS0GaGxJrhQv2QtyLc2z7o5eicFP7W9ZWNzg37Jfp550yZZy1Ms/JuS vJTReY+Z1KupAoF67jnOenzEBdON7fCdCv9Qqd2l0JRrkeG6gXIKArYv0oDTXotjja7y UUZLnu1EmVJfAip9Y3hECdVoCRbbFTK9xZDRWvRtZA7mcQIUBvhdVSv4G5dp4pU0BHOk sfaj4WPWsKQvjfA5i5d52HUWejMvrd4e3kvf9hNuRaTwew7VQpMUQvgqLqS2nLab7RWB V5RbSiPI+nLh/B1+7tAdjIdHOH87U78Ms9jv83Z12J3yu0KSDow2WnqgOlDi/v2kCJ+u rb7w==
X-Gm-Message-State: AA6/9RkOwOx9+IT/TAHS31z16J8NAXKWTJFAxcSN9b4zjvMrhP6/fiEHNkK5MNsq/aI7nOnyb0gRsPTOAb7c4g==
X-Received: by 10.55.65.139 with SMTP id o133mr2877851qka.191.1475173943473; Thu, 29 Sep 2016 11:32:23 -0700 (PDT)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.54.227 with HTTP; Thu, 29 Sep 2016 11:32:22 -0700 (PDT)
In-Reply-To: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com>
References: <40d5f4b1-3019-7f8a-ecc0-2f4d13e3eadf@gmail.com>
From: =?UTF-8?B?56We5piO6YGU5ZOJ?= <jinmei@wide.ad.jp>
Date: Thu, 29 Sep 2016 11:32:22 -0700
X-Google-Sender-Auth: 0p0qoXoVMwzI8k9ZiqVMIelQb_Q
Message-ID: <CAJE_bqeEBSrFaxEVGhKbt5LFqfe_QdoQQ1u4h9r03ZB3pJ4yzg@mail.gmail.com>
To: Tim Wicinski <tjw.ietf@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/K-Iw6iO_eHuPMlXHAf1-eCFwDR8>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Sep 2016 18:32:32 -0000

At Thu, 22 Sep 2016 08:19:17 -0400,
Tim Wicinski <tjw.ietf@gmail.com> wrote:

> This draft has been worked on and it seems that the Working Group is
> happy with the updates that have been made and I feel it's ready for the
> next step.
>
> This starts a Working Group Last Call for:
>     "Aggressive use of NSEC/NSEC3"
>        draft-ietf-dnsop-nsec-aggressiveuse
>
> Current versions of the draft is available here:
>     https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-aggressiveuse/
>
> Please review the draft and offer relevant comments. Also, if someone
> feels the document is *not* ready for publication, please speak out with
> your reasons.

This draft is now in a pretty good shape, but IMO it needs some more
non-trivial discussions, and in that sense I don't think it's ready
for publication as it is.  Specific comments follow.  I'll also try to
answer some of the points I haven't responded to in previous threads.

- (general) this draft still unnecessarily limits the use of this
  technique to *recursive* resolvers.  In my previous comment I
  pointed out that the term "full-service resolver" is too
  restrictive.  The 02 version changes the term to "recursive
  resolver", but that doesn't address the main point of my comment.
  I'll note some specific part of the draft that has this issue, but
  it may not be comprehensive.  If the sense of this comment is
  accepted, the entire draft will have to be carefully examined and
  revised.

- Section 1: s/recursive/validating/

   This document updates RFC 4035 to allow recursive resolvers to use

  Note: the use of "validating resolver" is my suggested change in
  this sense, so I'll consistently use it throughout my comments.  But
  I understand it's not the only way to address the point.

- Section 2

   Many of the specialized terms used in this document are defined in
   DNS Terminology [RFC7719].  In this document we are using the terms
   "recursive resolver" or "recursive server" as a more readable
   alternative to the more formal[RFC7719] "full-service resolver"

  See the general comment.  At least in the context of my previous
  comment, this is not about readability but about applicability, so
  changing "full-service resolver" to "recursive resolver/server"
  doesn't address the point.  My primary suggestion is to just remove
  the second sentence.  Or, if we want to make some note about a
  terminology regarding "resolver", it may be that this document uses
  the term "validating resolver" as it's used in RFC4035.

- Section 3: this section also has an issue of "recursive resolver".
  Although it may not be as critical as other part of the draft since
  it's only used as an example scenario, it's probably better to not
  limit the role of resolver to avoid misleading.  Maybe "recursive
  resolver" is just changed to "validating resolver", and
  "authoritative server" is changed to, e.g., "external servers"
  (meaning either authoritative or or other recursive servers).

- Section 4: s/recursive server/validating resolver/

- Section 4: is this perhaps some leftover and should be removed?

   [RFC4035]; Section 4.5 states:

   For a zone signed with NSEC, it would be possible to use the
   ...

  There doesn't seem to be text starting with "For a zone..." in
  Section 4.5 of RFC4035.  And, even if there's such text, "However,
  such use is discouraged by Section 4.5 of RFC4035." in that context
  is really awkward.

- Section 4

   We believe this
   recommendation can be relaxed because lookups for the specific name
   could have come in during the normal negative cache time and so
   operators should have no expectation that an added name would work
   immediately.  We think that the TTL of the NSEC record is the
   authoritative statement of how quickly a name can start working
   within a zone.

  I'm not necessarily opposed to this claim per se, but IMO it should
  provide some more careful justification.  It's true that "specific
  name could have come in during the normal negative cache time", but
  nsec-aggressiveuse could make such accidental disruption more likely
  to happen.  Even if it should be considered an operational error, I
  believe we should at least note the difference, and, ideally,
  provide an explanation of why it should be still acceptable.  IIRC I
  raised the same point for the cheese shop draft.  I don't remember
  the conclusion at that time, but if it was an introduction of some
  more explanation, the same resolution can apply here.

- Section 5.2

   Implementations SHOULD enable aggressive use of NSEC by default.

  On a fresh re-read of the draft, I'm now not so sure if this is
  clear enough and the requirement is reasonable.  First, does this
  also implies an implementation SHOULD implement aggressive use of
  NSEC?  Secondly, and especially if the answer to the first point is
  'yes', I'm not sure if SHOULD is reasonable.  Since this is just an
  optimization, it may be just up to the discretion of the
  implementor.

- Section 5.4

   Such aggressive use of cached deduced wildcard can be employed
   independently from aggressive use of NSEC.  But, it will be more
   effective when both are enabled since the resolver can determine the
   name subject to wildcard would not otherwise exist more efficiently.

  I've seen a comment in a previous thread that the second sentence
  (I suggested this text) isn't very readable.  I tend to agree, and
  although I suspect there should be a better English writer than me
  to improve it, I wonder this might be better:

   Such aggressive use of cached deduced wildcard can be employed
   independently from aggressive use of NSEC.  However, the resolver
   still needs to determine the name subject to wildcard would not
   otherwise exist.  Aggressive use of NSEC will help determine it
   more effectively.

- Section 5.4: I suspect this is a leftover from a previous version
  and should now be removed:

   Furthermore, when aggressive use of NSEC is enabled, the aggressive
   use of cached deduced wildcard will be more effective.

- Section 6: s/recursive server/resolver/ (or validating resolver)

   Decreased recursive server load  By answering negative queries from

- Section 6:

   The technique described in this document may also mitigate so-called
   "random QNAME attacks", in which attackers send many queries for
   ...

  IMO this paragraph is unnecessarily too verbose.  Now that the
  mitigation effect is just a better-than-nothing kind of measure
  rather than a major sales point of the technique, I don't think we
  have to provide detailed discussions on cases where it may not work
  well, etc (and, however hard we try it, it won't be complete
  anyway).  I'd make it much more concise, e.g.:

   The technique described in this document may also mitigate so-called
   "random QNAME attacks", in which attackers send many queries for
   random sub-domains to resolvers.  As the resolver will not have the
   answers cached it has to ask external servers for each random
   query, leading to a DoS on the authoritative servers (and often
   resolvers).  Aggressive NSEC may help mitigate these attacks by
   allowing the resolver to answer directly from cache for any random
   queries which fall within already requested ranges.  It will not
   always work as an effective defense, not least because not many
   zones are DNSSEC signed at all, but it will still provide an
   additional layer of defense.

 (I also made the "recursive server to resolver" cleanup here).

- Section 7: s/recursive resolvers/validating resolvers/

   |  Once the records are validated, DNSSEC enabled recursive    |
   |  resolvers MAY use wildcards and NSEC/NSEC3 resource records |

  This is also more consistent with the text shown in Section 5, and
  more compatible with RFC4035 itself (in my understanding the RFC
  doesn't unnecessarily limit discussions to recursive servers).

- Section 9

   Aggressive use of NSEC / NSEC3 resource records without DNSSEC
   validation may cause security problems.  It is highly recommended to
   apply DNSSEC validation.

  This paragraph is awkward.  I pointed this out several times, so I
  won't repeat it here - please refer to my previous comments.  One
  possibly new perspective is that this tries to cover cases where
  NSEC or NSEC3 is somehow cached before/without DNSSEC validation and
  note that such records shouldn't be used for the purpose of
  nsec-aggressiveuse.  If so, it might make some sense, but in that
  case it should be totally rephrased to avoid confusion or
  misleading.

--
JINMEI, Tatuya