Re: [DNSOP] Consensus check on underscore names and draft-ietf-dnsop-rfc7816bis

Petr Špaček <> Wed, 14 July 2021 08:17 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 414F63A17F2 for <>; Wed, 14 Jul 2021 01:17:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=AeORhPw+; dkim=pass (1024-bit key) header.b=Z/h10Rot
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gtQ3nEAhrjDX for <>; Wed, 14 Jul 2021 01:17:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 50AC93A17EC for <>; Wed, 14 Jul 2021 01:17:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPS id 3134C3AB024 for <>; Wed, 14 Jul 2021 08:17:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=ostpay; t=1626250638; bh=P2hc0JE5e17YUVavxPBO8hmHgCkOumwaERNpLIn60gM=; h=To:References:From:Subject:Date:In-Reply-To; b=AeORhPw+6LAwDGc1gRkEb0y8fp9c/Y835i0qP68bcVbzzrm933LpCU+RB4vq1O6cu eZ9Y4CcvXjPPRoKSlmORzf9bZbfR8hO7+3htJvIsY6Cn9j/vLYlO4qn/B/gokudOJ7 SBWq3gTRNZAW5/UNj+G3QnTeCnAqWQwssmM48yVQ=
Received: from (localhost.localdomain []) by (Postfix) with ESMTPS id 01DF9160044 for <>; Wed, 14 Jul 2021 08:17:18 +0000 (UTC)
Received: from localhost (localhost.localdomain []) by (Postfix) with ESMTP id A22AC160079 for <>; Wed, 14 Jul 2021 08:17:17 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 A22AC160079
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1626250637; bh=18iZVu0HryiSYhMkDcVGhV+gcul6orc+ueV8kkymM+8=; h=To:From:Subject:Message-ID:Date:MIME-Version:Content-Type: Content-Transfer-Encoding; b=Z/h10Rot/whxdZJKWkW2yKF6jlq1U4G659KqN0pE+T+4bdRnqA9WzmPYfX9qkOftt 1Av7U8XFor4nGZXBfbL1lrRLENRVhGsyygI9s4jmsaT09K7D4bI48VL8iH2QH5uAd5 4UXZsDzwdfOHj9fft2BMf8Maozug22FfcvsMU6Xc=
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id FX8T7e43TnHW for <>; Wed, 14 Jul 2021 08:17:17 +0000 (UTC)
Received: from [] ( []) by (Postfix) with ESMTPSA id DD7EF160044 for <>; Wed, 14 Jul 2021 08:17:16 +0000 (UTC)
References: <> <> <> <> <> <> <> <>
From: Petr Špaček <>
Message-ID: <>
Date: Wed, 14 Jul 2021 10:17:15 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [DNSOP] Consensus check on underscore names and draft-ietf-dnsop-rfc7816bis
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 14 Jul 2021 08:17:24 -0000

On 14. 07. 21 5:13, Brian Dickson wrote:
> On Tue, Jul 13, 2021 at 10:01 AM Viktor Dukhovni < 
> <>> wrote:
>      > On 13 Jul 2021, at 6:22 am, Petr Špaček <
>     <>> wrote:
>      >
>      > As Viktor pointed out in
>     <>
>     , it seems that this problem plagues roughly tens out of 150k
>     domains he surveyed. I think this makes further discussion about
>     _necessity_ of the workaround kind of moot.
> The plural of anecdotes is not data... unfortunately.
> So, I don't recall who presented it, where, or when, but it was some 
> time in the last couple of years, maybe at an IETF or OARC meeting.
> But, the gist of the presentation was that the presenters studied query 
> sources from a number of vantage points, over a period of years, and 
> concluded there are approximately 3 million resolvers.
> Those resolvers are not all directly connected to the Internet, and 
> some/many are configured as forwarders (with potentially multiple 
> forwarders in chains/trees).
> The point here is, that Viktor represents one out of three million 
> vantage points, which undoubtedly have different characteristics in 
> terms of resolver software and version, and intermediate servers (e.g. 
> forwarding to resolvers, or forwarding to forwarders).
> Additionally, Viktor's data set was TLSA, which is already a niche set 
> that is self-selected to be on DNSSEC-signed zones, meaning relatively 
> new and mainstream code bases (possibly over-generalizing admittedly.)
> Examining larger data sets on domains that are not DNSSEC-signed, may 
> show a different prevalence of the ENT problem.
> The other distinction is that the problems leading to bad ENT results, 
> may not be on the authoritative servers, but may be in front of them 
> (close to the authoritatives), or may be other middle-boxes closer to 
> the resolvers, or between forwarders and resolvers, etc. Thus the scope 
> of the ENT problem may vary based on the vantage point being used to 
> collect results.
> Thus, in the absence of any statistically meaningful data, I disagree 
> with the mootness of the issue.
> That doesn't mean we can't reach consensus, of course, and given that 
> this is a -bis document, and we are discussing how to handle the corner 
> case of underscore ENTs, some focus should be given to the impact rather 
> than the prevalence. This includes both the impact on code paths, and on 
> the effects to client apps affected by ENT broken-ness.
> It may be helpful to note that the draft itself already differentiates 
> behavior by the number of labels, in section 2.3 (in a MAY context) 
> using the MAX_MINIMIZE_COUNT logic. Thus, if an implementation is 
> already doing that work, adding underscore handling might not be a large 
> burden (and might mesh nicely in terms of coding). For example, in 
> evaluating the break-points when partitioning the labels to limit the 
> total number of queries, the sequence COULD treat any contiguous 
> sequence of underscore labels as if it were a single label, and then do 
> its partitioning of labels using the same relative logic.
> The main point being, if the implementer is already doing anything other 
> than literally iterating over all the labels one at a time, under all 
> circumstances, then adding underscores into its handling isn't likely 
> significantly burdensome.

Maybe, or maybe not. We cannot know for sure until it's implemented in a 
real resolver. In my experience, major resolver implementations contain 
little but important details that make even seemingly simple tweaks way 
harder to implement than it looks on paper.

Not having running code to support this proposal this late in 
publication process is IMHO another reason why it should stay at MAY level.

Petr Špaček

> The difference between the many-labels problem and the underscore 
> situation, is the difference between weakness against attacks and 
> inefficiency (many labels), versus actual brokenness (for some 
> indeterminate fraction of the namespace from some indeterminate portion 
> of the resolvers on the Internet).
> I'm hoping to advance the discussion even if no one is persuaded.
> Brian
>     Full disclosure, I only tested TLSA records.  I can't speak to what
>     one might expect with SRV or other record types.  Yes, failures are
>     not that common, for what is worth another example:
>     <>
>     <>
>     Here the "A" query for the ENT was unexpectedly "REFUSED". :-(
>     If implementations at least seriously consider the advice to treat
>     special-use labels *specially*, I'll declare victory...
>     -- 
>              Viktor.