IETF Logo Mail Archive

Re: [DNSOP] [Ext] [Tsv-art] Tsvart last call review of draft-ietf-dnsop-dns-error-reporting-06

Roy Arends <roy@dnss.ec> Tue, 17 October 2023 21:35 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8943BC1782B5 for <dnsop@ietfa.amsl.com>; Tue, 17 Oct 2023 14:35:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id urE6gsFK-9IR for <dnsop@ietfa.amsl.com>; Tue, 17 Oct 2023 14:35:37 -0700 (PDT)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 725CCC15199D for <dnsop@ietf.org>; Tue, 17 Oct 2023 14:35:35 -0700 (PDT)
Received: by mail-qk1-x734.google.com with SMTP id af79cd13be357-77386822cfbso418517285a.0 for <dnsop@ietf.org>; Tue, 17 Oct 2023 14:35:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; t=1697578535; x=1698183335; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=n3bMH3PCFJI3ibv1jv4QCwyZKsjPNkLcUs7gvXdd3PI=; b=ZILEiNl5u1BLz50mHvYo0+TuG75lb58jR78Bzt+QUimbD7RYW01Qh49nyfI7xUmvsz tNP2HoVIW9AMm7H+D67k3+WhPBEWOvHl4Zl7025NKT9LE3+OsBbjwbLegtf6LtW5NHL8 NxtgA2SNcz9ojTHulzHrqAaRYzV1jxMXCZSuo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1697578535; x=1698183335; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=n3bMH3PCFJI3ibv1jv4QCwyZKsjPNkLcUs7gvXdd3PI=; b=anBXO1Htc8UuPqpgMkX7BD2yb/x1Yuidvevq62IgbAafni6Uz5rPakwIiWwP0QYpt8 Xj+6jY3Lo9mXyptYRVwrqWCDcMKY5XIjDWIgsTxpdXuOuCaAWNDKJ5QDM6+3Lxs10+eO c/wgHUdq9c4QG/08LMDNF2CCpoaIlWVcaHj1iy0tk7klzFyN97bJ9Yrn2ih5xcROfeh1 WlHDbE/5pvgHPC+A8mAS2Ofiz/X+XyLICgHf9LXOoYYKswFFV8Ern6pf48blGjdfpZJn e/YlLXry8tmceOMJmAdPCAXuCRPPXs7Kaq0+xblKG3Z3aKvzfHi9ElD2ZXrL62Vum8aP vFiA==
X-Gm-Message-State: AOJu0YxWKiykSURx0C4G5acohIKqVbfK6WMXbgPSfl/sluj31Zsgw3+A UMv+RB1Ab+4TW1nr0iC1uXSnLQ==
X-Google-Smtp-Source: AGHT+IGvimTpzB0R5so5c27W48rP77VGKGfM/5nqAj1UD7Vu38+LgZRq9yBIMoAfEESm1Fccrf0gYA==
X-Received: by 2002:a05:620a:4083:b0:76f:1ead:e4fd with SMTP id f3-20020a05620a408300b0076f1eade4fdmr4364908qko.40.1697578534887; Tue, 17 Oct 2023 14:35:34 -0700 (PDT)
Received: from smtpclient.apple ([89.33.15.144]) by smtp.gmail.com with ESMTPSA id h5-20020a05620a400500b0077413b342e9sm966701qko.128.2023.10.17.14.35.33 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Oct 2023 14:35:34 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.100.2.1.4\))
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <eb5e69b6-21c1-7625-d11c-7422f47439d7@erg.abdn.ac.uk>
Date: Tue, 17 Oct 2023 22:35:21 +0100
Cc: tsv-art@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-dns-error-reporting.all@ietf.org, last-call@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <F49F112C-C703-4ACC-B69E-B7B9739BE63E@dnss.ec>
References: <169753457719.49641.9320126993042446652@ietfa.amsl.com> <A6822643-F01F-437A-A5DF-5EBB8F7EA523@dnss.ec> <eb5e69b6-21c1-7625-d11c-7422f47439d7@erg.abdn.ac.uk>
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
X-Mailer: Apple Mail (2.3774.100.2.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LUAzx8ltflQFrBiuj5f4yiSpqP4>
Subject: Re: [DNSOP] [Ext] [Tsv-art] Tsvart last call review of draft-ietf-dnsop-dns-error-reporting-06
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Oct 2023 21:35:41 -0000


> On 17 Oct 2023, at 12:33, Gorry Fairhurst <gorry@erg.abdn.ac.uk> wrote:
> 
> On 17/10/2023 12:05, Roy Arends wrote:
>> Thanks Gorry,
>> 
>> Comments inline.
> See a quicjk response as GF:
>>> On 17 Oct 2023, at 10:22, Gorry Fairhurst via Datatracker <noreply@ietf.org> wrote:
>>> 
>>> Reviewer: Gorry Fairhurst
>>> Review result: Not Ready
>>> 
>>> This document has been reviewed as part of the transport area review team's
>>> ongoing effort to review key IETF documents. These comments were written
>>> primarily for the transport area directors, but are copied to the document's
>>> authors and WG to allow them to address any issues raised and also to the IETF
>>> discussion list for information.
>>> 
>>> When done at the time of IETF Last Call, the authors should consider this
>>> review as part of the last-call comments they receive. Please always CC
>>> tsv-art@ietf.org if you reply to or forward this review.
>>> 
>>> Thank you for a well written document, and it's description of the service to
>>> be provided.
>>> 
>>> This is proposed as a "lightweight" reporting mechanism.
>>> 
>>> The method states it can be used over TCP. In this case, TCP provides the
>>> necessary congestion control, flow control and segmentation. I did not see
>>> additional transport concerns.
>>> 
>>> The method also states it can be used over UDP - which is equally recommended.
>>> However, the specification for use over UDP is incomplete and raises some
>>> transport concerns:
>> I want to stress here that the reporting mechanism is using DNS.
>> 
>> Subsequently, it relies on existing methods of transport that DNS relies on. As an application that uses DNS to send a report, additional requirements such as mechanisms for flow control, segmentation, fragmentation, packet reassembly, order, congestion control, buffering, etc, feel like a layer violation.
>> 
>> With that in mind, I suggest the following:
>> 
>>> 1. There is a recommendation to use DNS COOKIEs [RFC7873] over UDP (PS), but no
>>> statement about how to mitigate the effects when these are not used.
>> There is a statement in the security section:
>> 
>> "The monitoring agent SHOULD respond to queries received over UDP that have no DNS COOKIE set with a response that has the truncation bit (TC bit) set to challenge the resolver to re-query over TCP.”
>> 
>> Let me know if that is sufficient.
> GF: I think it might be wise to include this in the body, so it is not overlooked?

Good point. I’ve added that to the reporting resolver specification section, and the monitoring agent specification section, respectively.

I’ll leave it in the security section as well.


>>> 3. I think this method can in some uses could generate a stream of reports at a
>>> rate that could be more than a few UDP datagrams per RTT, (e.g., if implement
>>> automated responses). In this case, I think method would need to provide some
>>> basic rate limiting or implement a form of congestion control.
>> DNS software have mitigations for these kind of streams. DNS is a well known method to be abused for DDoS purposes, and mitigation strategies have been wide and far. Any rate limiting methods in this document would require special casing in the DNS software to deal with error reporting. This is wholly unnecessary. As far as the transport and application layers are concerned, this is just a DNS query going out.
>>> I understand the rate is usually "damped" by caching to one message/TTL per
>>> report, but I am unsure this is sufficient to mitigate any congestion control
>>> concerns.
>>> 
>>> One potential remedy could be to require/recommend use over a
>>> congestion-controlled transport (such as TCP) when using an Internet path;  an
>>> alternative would be to be define appropriate mechanisms to provide at least
>>> starvation prevention for UDP services. See RFC 8085 section 3.1.
>> We simply can’t. It would require special casing: a DNS query that happens to contain a DNS-error-report in its QNAME, should now only be send over TCP. An application that asks a stub resolver can’t do this. It would require a full “DNS-stack” that makes sure that these reports go over TCP.
> GF: I think you likely undertand the gist of my review point 3. Generally -  there would be a problem in repeatedly sending with a UDP transport (i.e. for something that is more than a query/response protocol), which results in multiple packets per RTT.

I understand what you are referring to. The bulk of resolver implementations have implemented query-deduplication to upstream servers. This specifically targets the case where you have multiple packets per RTT. In addition, standard DNS caching will deal with multiple queries for the same qname/qtype/qclass tuple per (DNS) TTL.

> Now it might be also that I simply don't fully understand the expected interaction, in which case, it might also be easy to  add a little to help avoid this line of questions....

I have added the following line to -07 abstract per request of Warren Kumari:

"The error is encoded in the QNAME, thus the very act of sending the query is to report the error.”

Thanks Gorry! 

Roy

v2.23.0 | Report a Bug | By Email