Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-03.txt
Paul Wouters <paul@nohats.ca> Mon, 19 October 2015 23:51 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A491B2F1A for <dnsop@ietfa.amsl.com>; Mon, 19 Oct 2015 16:51:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vF_VJm6su1BM for <dnsop@ietfa.amsl.com>; Mon, 19 Oct 2015 16:51:44 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD8541B2F16 for <dnsop@ietf.org>; Mon, 19 Oct 2015 16:51:43 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 3nfvxm13Gyz3QP; Tue, 20 Oct 2015 01:51:40 +0200 (CEST)
Authentication-Results: mx.nohats.ca; dkim=pass (1024-bit key) header.d=nohats.ca header.i=@nohats.ca header.b=TEJC6sl1
X-OPENPGPKEY: Message passed unmodified
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id G7CGwrY0qCDt; Tue, 20 Oct 2015 01:51:38 +0200 (CEST)
Received: from bofh.nohats.ca (206-248-139-105.dsl.teksavvy.com [206.248.139.105]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 20 Oct 2015 01:51:38 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [127.0.0.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPS id 82B7380309; Mon, 19 Oct 2015 19:51:37 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1445298697; bh=IYyZszZ6iUWWCppDM+KmrKcDuoQklR/lJPw4YztCNCM=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=TEJC6sl1yFdDJ0WkoXngQx6mR5VgGZfCNFDvBXUqcJhYxINAWgGGZiqpTxXoSHL8Q FBPtK7PFxglkUNbISDXh6BGyEfu+cyal+cHJSet9EXx3GWsGFEwkCK9epJmxkoC3wR T15gtZv5Yi6YuUpYD23n6qpmLmnUnipsZnqJVpB4=
Received: from localhost (paul@localhost) by bofh.nohats.ca (8.15.2/8.15.2/Submit) with ESMTP id t9JNpaJu002519; Mon, 19 Oct 2015 19:51:37 -0400
X-Authentication-Warning: bofh.nohats.ca: paul owned process doing -bs
Date: Mon, 19 Oct 2015 19:51:36 -0400
From: Paul Wouters <paul@nohats.ca>
To: Shane Kerr <shane@time-travellers.org>
In-Reply-To: <20151006150506.1935afdc@casual>
Message-ID: <alpine.LFD.2.20.1510191943290.31967@bofh.nohats.ca>
References: <20151003203753.29292.37650.idtracker@ietfa.amsl.com> <20151006150506.1935afdc@casual>
User-Agent: Alpine 2.20 (LFD 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/QRngBVHYdzLOFRaUf9za0pPgfF8>
Cc: dnsop mailing list <dnsop@ietf.org>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Oct 2015 23:51:46 -0000
On Tue, 6 Oct 2015, Shane Kerr wrote: >> A New Internet-Draft is available from the on-line Internet-Drafts directories. >> This draft is a work item of the Domain Name System Operations Working Group of the IETF. >> >> Title : Chain Query requests in DNS >> Author : Paul Wouters >> Filename : draft-ietf-dnsop-edns-chain-query-03.txt >> Pages : 15 >> Date : 2015-10-03 I've updated the draft based on your review and that of Evan Hunt. > * I note that the terminology section has been superseded a bit by the > terminology draft, now approved for an informational RFC. I didn't > follow that work too closely, but I notice that that document > declares that "validating resolver" is referred to but not defined > anywhere... and then uses the term "validating resolver" later in the > document! :P > > Anyway, the soon-to-be-RFC still doesn't seem to define the two terms > you want, so you may be stuck with defining them. > > You may want to also use "Forwarder" rather than "DNS Forwarder", as > that seems to be what is in the terminology draft. I've cleaned this up a bit, and will try to find PaulH tomorrow to talk about the lack of a term for full resolver. > * It's not clear whether answers should always be limited to TCP or > something like DNS cookies, or whether this is only for answers more > than 512 bytes. I assume always, but this text implies only sometimes: I clarified it to be always. > * I guess that the "Last Known Query Name" disallows compression as > part of a general rule for queries. That's fine. It might be > worthwhile changing "No compression is allowed for this value." to > say "No DNS name compression is allowed for this value." just to be > completely clear. done. > * The discovery mechanism seems to imply that a DNS Forwarder that has > not done discovery MUST NOT use this option. My own feeling is that > this is not true (a forwarder could just add the option to the first > packet and do just-in-time discover, as it were). Perhaps this should > be clarified? (Reading forward to section 5.3 shows that this is > actually discussed!) That is what I meant. I clarified the text. > * I don't understand the motivation for keeping query size to less than > 512 bytes. I removed that text. > * I'm not sure about handling large responses. The advice seems to be > to to send a REFUSED response. Should a client try again without the > EDNS option? There are other reasons for REFUSED, and maybe it makes > more sense to have a way for a resolver to signal to the forwarder > the reason for the refusal, so the forwarder knows this is the best > way to react. Evan suggested returning partial chains, from the top down, so clients can send multiple requests to gain the complete chain. The answer now also contains the lowest trust point included in the CHAIN answer. So that should address this issue. > * There doesn't seem to be advice for a resolver when support for Chain > Query is disabled when it was previously working. Probably something > like "A resolver MUST handle the case where a Chain Query does not > return the full chain. It MAY change resolvers in this case. It MAY > periodically attempt to try getting a Chain Query at that server." I didn't address this yet. Isn't this more of a local implementation kind of thing? > * A comment: It is possible for DNSKEY and RRSIG to time out at > different intervals (and DS, I suppose), right?. It seems that this > will result in a bit of extra data now and then, the resolver needs to > specify an entire "last known query name". I think this is okay, but > it might be possible to avoid this by specifying which particular > records are needed. Probably that is unneeded complication for this > case. Evan suggested I define the Trust Point as the lowest FQDN for which you have both DS and DNSKEY records, so that case should be covered now. I don't think DNSKEY and RRSIGs can have a different TTL? But if they do, then I guess the resolver will define that as "not having a validated copy". > * A wayward thought: this technique reveals a small amount of > information about the cache on the forwarder side in the "last known > query name". Maybe not worth mentioning because this is basically > irrelevant when compared to, well, all the DNS resolution the > resolver is doing? I did not any text for it. It's true it could leak some data if it used more than one resolver to feed its cache, but it's pretty arbitrary. the privacy leak is using the forwarders, whether it is one or more. > Anyway, I support it moving forward with or without any changes. Thanks! Paul
- [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-q… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cha… Shane Kerr
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cha… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cha… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-cha… Shane Kerr