Re: [DNSOP] some 2015-era thoughts about RFC 7706 -bis
Evan Hunt <each@isc.org> Thu, 25 July 2019 05:44 UTC
Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 145661202C2 for <dnsop@ietfa.amsl.com>; Wed, 24 Jul 2019 22:44:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id onxEKcF_VCtN for <dnsop@ietfa.amsl.com>; Wed, 24 Jul 2019 22:44:53 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2271C1202B0 for <dnsop@ietf.org>; Wed, 24 Jul 2019 22:44:53 -0700 (PDT)
Received: from bikeshed.isc.org (bikeshed2.isc.org [IPv6:2001:4f8:1:f::88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 9C1443AB00E; Thu, 25 Jul 2019 05:44:50 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 70AC64A489; Thu, 25 Jul 2019 05:44:50 +0000 (UTC)
Date: Thu, 25 Jul 2019 05:44:50 +0000
From: Evan Hunt <each@isc.org>
To: Paul Vixie <paul@redbarn.org>
Cc: dnsop@ietf.org
Message-ID: <20190725054450.GC92610@isc.org>
References: <3673081.H4C9ml97Qf@linux-9daj>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3673081.H4C9ml97Qf@linux-9daj>
User-Agent: Mutt/1.11.4 (2019-03-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KRnw_5mELXaiXXA1R3lS171jfHg>
Subject: Re: [DNSOP] some 2015-era thoughts about RFC 7706 -bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jul 2019 05:44:55 -0000
On Tue, Jul 23, 2019 at 10:18:20PM +0000, Paul Vixie wrote: > at the one-hour DNSOP meeting in montreal on monday evening, the authors > of RFC 7706 described some of the use case questions they were hoping to > answer in their -bis document, and one of them hit squarely on a topic i > spoke about frequently between 2005 and 2015. i've attached a copy of the > 2015 proposal, which was reviewed by warren kumari and then presented in > a non-IETF meeting on these topics, organized by warren and i, in hong > kong. > > i was opposed to RFC 7706 as written, but there is no permanent record of > my reasoning since RFC documents don't include a "dissenting views" > section, so let me briefly recapitulate here. Thanks. I've never understood your objection to 7706, as it wasn't a new protocol, it just informed people of a way to use what already existed. > first, all complexity comes at a cost. the new code and configuration > needed to support "mirror zones" will be a life long source of bugs and > vulnerabilities, because that's true of every new feature. the desired > benefit should be weighed against this cost. "by running one on the > loopback" fails this important test, mostly because it only applies to > the root zone. A couple of points here: first, mirror zones were developed as a way to make it simpler to configure a 7706-style local root mirror, and to mitigate certain failure cases that could occur in the wake of a failed transfer, but mirror zones are not RFC 7706. You can set up 7706 on *any* name server; the examples in that document were written without mirror zones. Second, this is mostly just nitpicking, but the statement about mirror zones isn't really correct. In BIND, at least, "type mirror" can be used for any zone that allows transfers. However, admittedly, one probably wouldn't want to do it for large zones, and I don't know of any TLD's that allow transfer in the first place, so for the purposes of the current discussion, you're right enough. Third, and more pertinently, this work may have spin-off benefits. I've thought for a long time that a mechanism to use DNSSEC to validate zone transfers would be a useful addition to BIND. While that feature, per se, still doesn't exist, the mirror zone developemnt invovled writing a lot the code that's needed for it, and I expect it to exist fairly soon. So I don't think 7706 will have been a waste of time even if it turns out not to have been particularly effective at its original use case. > second, RDNS name servers who wanted to support this feature, which all > must, due to the competitive nature of the open source infrastructure > community, have to add features very much like authority DNS. we have > been moving away from the so-called "hybrid server" model for three > decades now, and this was a move in precisely the wrong direction. This confuses me. There's nothing in particular for RDNS implementations to support. Set up your root hints to point at a local address, run an auth server at that address, configure that server as a secondary for the root zone - presto, 7706 is supported. What server can't do that? Some implementations may wish to support 7706 internally as BIND has done, but it isn't mandatory. In any case, it would't be the first time it's been useful to mix RDNS and auth (consider empty RFC 1918 reverse zones, for example). I've never agreed that mixing auth and RDNS functions was a bad idea, actually, but that's another conversation. > third, access patterns of root zone data are an important input to > internet governance, and the 7706 proposal included no recommendations by > which access patterns could still be globally shared in any way -- and > for reasons of scale, they will not be participating in Day In The Life > exercises. This bit's legit. > in summary, RFC 7706 solves the wrong problem, in the wrong way, with an > inverted cost:benefit model compared to similar conceptions with similar > implementation costs. As far as I know, 7706 hasn't had much benefit with respect to latency in most environments, and I'm skeptical about its utility with random-query attacks. (Unfortunately, I hear negative answer synthesis isn't working as well at that as we'd hoped, either.) But, it's Mostly Harmless. The implementation cost can be zero if you want it to be; it's just a server configuration. At worst, it's a waste of the time that's been spent talking about it (with the zone transfer code that fell out of it turning the effort to a net positive, I hope). -- Evan Hunt -- each@isc.org Internet Systems Consortium, Inc.
- [DNSOP] some 2015-era thoughts about RFC 7706 -bis Paul Vixie
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Brian Dickson
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Tony Finch
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Evan Hunt
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Paul Vixie
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Vladimír Čunát
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Shumon Huque
- Re: [DNSOP] some 2015-era thoughts about RFC 7706… Evan Hunt