IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information

Paul Hoffman <paul.hoffman@icann.org> Sat, 03 August 2019 14:37 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A31712009C for <dnsop@ietfa.amsl.com>; Sat, 3 Aug 2019 07:37:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2k6H0vgG_6su for <dnsop@ietfa.amsl.com>; Sat, 3 Aug 2019 07:37:39 -0700 (PDT)
Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6012612008C for <dnsop@ietf.org>; Sat, 3 Aug 2019 07:37:39 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Sat, 3 Aug 2019 07:37:37 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1473.005; Sat, 3 Aug 2019 07:37:37 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Martin Thomson <mt@lowentropy.net>
CC: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [Ext] [DNSOP] Call for Adoption: draft-sah-resolver-information
Thread-Index: AQHVSgj+oQtMw2aHREubidWEnewQgg==
Date: Sat, 03 Aug 2019 14:37:36 +0000
Message-ID: <CDF505A0-09FE-41C6-A197-46C407BE1AFF@icann.org>
References: <CADyWQ+EUk_Qmnk=x3-om1OMjSMFrhd9qFUKTEBk6qWjh6fgRXQ@mail.gmail.com> <93191ae0-39e9-4a0f-9750-b553292266bd@www.fastmail.com>
In-Reply-To: <93191ae0-39e9-4a0f-9750-b553292266bd@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.32.234]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <1F42BC4FEC7ADC479E48FC05F1FD7D96@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/OUgKwPcpNGrmATIUQ3cSno75UnI>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Aug 2019 14:37:41 -0000


> On Aug 2, 2019, at 8:35 PM, Martin Thomson <mt@lowentropy.net> wrote:
> 
> On Sat, Aug 3, 2019, at 01:04, Tim Wicinski wrote:
>> This starts a Call for Adoption for draft-sah-resolver-information
> 
> I think that I might have said this before, but I don't think that asking an HTTP server about a DNS server is the right solution.  

It is not "the" right solution, but it is one of them. That's why there is also a DNS-based solution in the same document.

> If this is information about the operation of a participant in the DNS protocol, then I think that this needs to use the DNS protocol.

Agree. See above.

> For connection-oriented interactions, having the information associated with a connection (and not a server identity) would be even better.

Not sure what you mean by "connection-oriented interactions". DNS is not connection-oriented at all.

> This also bakes in the notion that a DNS resolver is identified by IP address.  

Not at all: the resolver must have an IP address, but can also have a domain name. In the case of an application that is doing it's own stub resolution, the stub could use the OS's stub to get the address of the resolver's domain name. Such an application-based-stub could then use all of its own HTTPS-based security policies to get the resolver's information.

> The domain name part is probably OK, but I don't know which trust anchors to use.  I think that the document is assuming that we'll use the Web PKI, but it doesn't say that (nor does RFC 8310, as far as I can tell).

The TLS and HTTP2 documentes also don't say which trust anchors to use. :-)

> If you can answer the question "why not DANE?" then you might start to understand my concerns here.

Allowing the use of a domain name in an environment where DANE is used is exactly one intended use case.

> The RESINFO RRtype seems OK, but I have less confidence in my ability to assess that aspect of this.  The only thing that bothers me is the potential for 1.0.0.10.in-addr.arpa and friends to leak and ruin the protocol for everyone.  

Please say more here. Who do you think would be publishing at 10.0.0.1? 

> I realize that there are no good solutions here, but it would be good if there were a little more clarity on the constraints this group thought applied to the design.

Sure.

> The inventory thing is fairly irregular.  The names of fields are right there already, why insist on repeating them in an array?

The document says that the response does not need to include all the name-value pairs that a resolver knows. The use case is that someone might define a name-value pair that they only want to emit if asked for, such as if the data is large.

If the WG finds this to be too much of an edge case, we can certainly eliminate the inventory, but it feels to me that requiring that every response always contain every known name-value pair is onerous.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email