MIME-Version: 1.0
References: 
 <172047471396.458153.12797163404923712142@dt-datatracker-5f88556585-j5r2h>
 <CADyWQ+GMHrL2ABd6hMhWujMEO=pDtDXsc3tGDPx72uYqxa4JbQ@mail.gmail.com>
 <1E8C3D2F-0F69-4A4F-B29B-C4EA9A5566F3@verisign.com>
In-Reply-To: <1E8C3D2F-0F69-4A4F-B29B-C4EA9A5566F3@verisign.com>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 23 Jul 2024 14:36:39 -0700
Message-ID: 
 <CAHPuVdUWwpkeiFY=aWq1Yt_MXv8Kx=ToWrWyqn-5MwNKTeCK_A@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Content-Type: multipart/alternative; boundary="0000000000009d9ca1061df0f5aa"
Message-ID-Hash: GQ3XRJIYJJKALGXBJ7MNOP5DKGZRNE2C
CC: dnsop <dnsop@ietf.org>,
 "draft-ietf-dnsop-domain-verification-techniques@ietf.org"
 <draft-ietf-dnsop-domain-verification-techniques@ietf.org>
Precedence: list
Subject: =?utf-8?q?=5BDNSOP=5D_Re=3A_Fwd=3A_New_Version_Notification_-_draft-ietf-dns?=
	=?utf-8?q?op-domain-verification-techniques-05=2Etxt?=
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/dnsop/RWDwSiwfCtxvUeeWT2wx1SE0QQY>

--0000000000009d9ca1061df0f5aa
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Tue, Jul 9, 2024 at 2:54=E2=80=AFPM Wessels, Duane <dwessels@verisign.co=
m> wrote:

> I read through draft-ietf-dnsop-domain-verification-techniques-05 and hav=
e
> a few minor comments / suggestions.
>

Thanks Duane!


> > this may result in IP fragmentation, which often does not work
>
> While it=E2=80=99s true we have come to agree that fragmentation is bad f=
or DNS, I
> think =E2=80=9Coften does not work=E2=80=9D overstates the situation.  I=
=E2=80=99d say it works
> more often than not and I don=E2=80=99t see draft-ietf-dnsop-avoid-fragme=
ntation
> making the case that fragmentation does not work.


Yes, I agree that this is overstated, and that IP fragmentation often (and
maybe even mostly) works. I'm fine with walking this back, but let me tag
Paul Wouters here, who I believe added this specific text, for his thoughts=
.

> Depending on message size limits configured or being negotiated, it
> > may alternatively cause the DNS server to "truncate" the UDP response
> > and force the DNS client to re-try the query over TCP in order to get
> > the full response. Not all networks properly transport DNS over TCP
> > and some DNS software mistakenly believe TCP support is optional
> > ([RFC9210]).
>
> I have mixed feelings about this.  While perhaps factually true, I think
> broken DNS-over-TCP shouldn=E2=80=99t be a reason for not lumping validat=
ion
> records together.  There are other valid reasons to avoid that practice a=
nd
> networks with broken DNS-over-TCP shouldn=E2=80=99t be coddled.
>

Maybe more efficient operation of the DNS infrastructure is a better reason
to keep responses small rather than coddling to broken DNS/TCP
implementations. I'm okay with rewording this. But if you have specific
suggested text, please offer it up.


> > When multiple distinct services create domain Validation Records at
> > the same domain name,
>
> services don=E2=80=99t create records, users/administrators do.  Maybe re=
word as
> =E2=80=9CWhen multiple distinct services specify placing domain Validatio=
n Records
> at the same =E2=80=A6=E2=80=9D
>

Well automated applications can create DNS records too, not just users or
admins. But I get your point, and your rewording sounds good to me.

> The presence of a Validation Record with a predictable domain name
> > (either as a TXT record for the exact domain name where control is
> > being validated or with a well-known label) can allow attackers to
> > enumerate utilized set of Application Service Providers.
>
> Not sure I buy this argument.  Doesn=E2=80=99t the draft recommend using
> predictable names anyway, just one per provider?
>

Arguably, there is a potential privacy concern here. But there are so many
other ways to determine what service provider(s) a domain is using, that
I'm not persuaded that we need to address this and obfuscate the
verification record too.

Erik Nygren - I think this was your proposed change. Can you elaborate on
your argument?

> 1) A domain name related to the domain name being validated 2) A
> > Validation Record, either directly in RDATA or as the target of a
> > CNAME (or chain of CNAMEs)
>
> It=E2=80=99s not clear to me if this an =E2=80=9COR=E2=80=9D list or an =
=E2=80=9CAND=E2=80=9D list?
>

I'd recommend inserting an "and" in there.


>
> > because base64 relies mixed case
>
> "utilizes mixed case=E2=80=9D?
>

Ok.


>
> > Application owners SHOULD consult the IANA "Underscored and Globally
> > Scoped DNS Node Names" registry [UNDERSCORE-REGISTRY] to confirm
> > there are no collisions with existing entries.
>
> maybe this could be less passive as =E2=80=9Cconsult =E2=80=A6 and avoid =
using underscore
> labels that already exist in the registry=E2=80=9D?
>

Ok.


>
> > either the RDATA or a domain name
>
> > The RECOMMENDED format for a Validation Record's domain name is
> >
>
>
> Here and in numerous other places I think =E2=80=9Cdomain name=E2=80=9D m=
ight be better as
> =E2=80=9Cowner name=E2=80=9D.  i.e.: "the owner name of a validation reco=
rd"
>

Yes, I agree.


>
>
> > without having to hand over full DNS access
>
> what is DNS access?  ;-)
>

We can reword this. I think we mean handing over full access to edit the
zone contents to the intermediary.


>
> > by letting the Intermediary place the random token in their DNS
>
> in their zone?
>

Yes, and ok.


>
> > APIs SHOULD be used to relay instructions.
>
> Not sure I follow this.  An API to relay instructions?
>

I think this means the application provider has an API that is used to
obtain the instructions for how to populate the validation record (owner
name, rdata content etc). Though this wasn't my text. I hope one of my
co-authors will speak up to confirm.


>
> > TTL Considerations
>
> If I were writing software to verify domain control, I probably wouldn=E2=
=80=99t
> use a caching resolver.  I=E2=80=99d just send queries to authoritative n=
ame
> servers to avoid caching.  The draft doesn=E2=80=99t seem to have any tho=
ughts on
> this one way or the other?
>

That would certainly avoid most of the TTL considerations stated. But it is
more work for the verifier (and requires more DNS knowledge), so I suspect
most applications don't do this today. I would be okay however with stating
that this one possible way a verifier could work.

> CNAME Records for Domain Control Validation
>
> I think the document could be more clear or explicit that a CNAME target
> must exist.  i.e., a random token in the owner name of a CNAME record is
> not sufficient and such a CNAME whose target does not exist should be
> treated as a failure, right?
>

I don't think this necessarily has to be the case, but in practice it
usually is.

> Application Service Providers MAY include the random token in a
> > domain name that is related to the domain name being validated. An
>
> proposed rewording: Application Service Providers MAY specify that a
> random token be included in the owner name of a validation record.
>

Ok.

Shumon.

--0000000000009d9ca1061df0f5aa
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Tue, Jul 9, 2024 at 2:54=E2=80=AFPM We=
ssels, Duane &lt;<a href=3D"mailto:dwessels@verisign.com">dwessels@verisign=
.com</a>&gt; wrote:<br></div><div class=3D"gmail_quote"><blockquote class=
=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rg=
b(204,204,204);padding-left:1ex">I read through draft-ietf-dnsop-domain-ver=
ification-techniques-05 and have a few minor comments / suggestions.<br></b=
lockquote><div><br></div><div>Thanks Duane!</div><div>=C2=A0</div><blockquo=
te class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px =
solid rgb(204,204,204);padding-left:1ex">
&gt; this may result in IP fragmentation, which often does not work<br>
<br>
While it=E2=80=99s true we have come to agree that fragmentation is bad for=
 DNS, I think =E2=80=9Coften does not work=E2=80=9D overstates the situatio=
n.=C2=A0 I=E2=80=99d say it works more often than not and I don=E2=80=99t s=
ee draft-ietf-dnsop-avoid-fragmentation making the case that fragmentation =
does not work.=C2=A0</blockquote><div><br></div><div>Yes, I agree that this=
 is overstated, and that IP fragmentation often (and maybe even mostly) wor=
ks. I&#39;m fine with walking this back, but let me tag Paul Wouters here, =
who I believe added this specific text, for his thoughts.</div><div><br></d=
iv><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bord=
er-left:1px solid rgb(204,204,204);padding-left:1ex">
&gt; Depending on message size limits configured or being negotiated, it<br=
>
&gt; may alternatively cause the DNS server to &quot;truncate&quot; the UDP=
 response<br>
&gt; and force the DNS client to re-try the query over TCP in order to get<=
br>
&gt; the full response. Not all networks properly transport DNS over TCP<br=
>
&gt; and some DNS software mistakenly believe TCP support is optional<br>
&gt; ([RFC9210]).<br>
<br>
I have mixed feelings about this.=C2=A0 While perhaps factually true, I thi=
nk broken DNS-over-TCP shouldn=E2=80=99t be a reason for not lumping valida=
tion records together.=C2=A0 There are other valid reasons to avoid that pr=
actice and networks with broken DNS-over-TCP shouldn=E2=80=99t be coddled.<=
br></blockquote><div><br></div><div>Maybe more efficient operation of the D=
NS infrastructure is a better reason to keep responses small rather than co=
ddling to broken DNS/TCP implementations. I&#39;m okay with rewording this.=
 But if you have specific suggested text, please offer it up.</div><div>=C2=
=A0<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
&gt; When multiple distinct services create domain Validation Records at<br=
>
&gt; the same domain name,<br>
<br>
services don=E2=80=99t create records, users/administrators do.=C2=A0 Maybe=
 reword as =E2=80=9CWhen multiple distinct services specify placing domain =
Validation Records at the same =E2=80=A6=E2=80=9D<br></blockquote><div><br>=
</div><div>Well automated applications can create DNS records too, not just=
 users or admins. But I get your point, and your rewording sounds good to m=
e.</div><div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
&gt; The presence of a Validation Record with a predictable domain name<br>
&gt; (either as a TXT record for the exact domain name where control is<br>
&gt; being validated or with a well-known label) can allow attackers to<br>
&gt; enumerate utilized set of Application Service Providers.<br>
<br>
Not sure I buy this argument.=C2=A0 Doesn=E2=80=99t the draft recommend usi=
ng predictable names anyway, just one per provider?<br></blockquote><div><b=
r></div><div>Arguably, there is a potential privacy concern here. But there=
 are so many other ways to determine what service provider(s) a domain is u=
sing, that I&#39;m not persuaded that=C2=A0we need to=C2=A0address this and=
 obfuscate the verification record too.</div><div><br></div><div>Erik Nygre=
n - I think this was your proposed change. Can you elaborate on your argume=
nt?</div><div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0=
px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
&gt; 1) A domain name related to the domain name being validated 2) A<br>
&gt; Validation Record, either directly in RDATA or as the target of a<br>
&gt; CNAME (or chain of CNAMEs)<br>
<br>
It=E2=80=99s not clear to me if this an =E2=80=9COR=E2=80=9D list or an =E2=
=80=9CAND=E2=80=9D list?<br></blockquote><div><br></div><div>I&#39;d recomm=
end inserting an &quot;and&quot; in there.</div><div>=C2=A0</div><blockquot=
e class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px s=
olid rgb(204,204,204);padding-left:1ex">
<br>
&gt; because base64 relies mixed case<br>
<br>
&quot;utilizes mixed case=E2=80=9D?<br></blockquote><div><br></div><div>Ok.=
</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0p=
x 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
&gt; Application owners SHOULD consult the IANA &quot;Underscored and Globa=
lly<br>
&gt; Scoped DNS Node Names&quot; registry [UNDERSCORE-REGISTRY] to confirm<=
br>
&gt; there are no collisions with existing entries.<br>
<br>
maybe this could be less passive as =E2=80=9Cconsult =E2=80=A6 and avoid us=
ing underscore labels that already exist in the registry=E2=80=9D?<br></blo=
ckquote><div><br></div><div>Ok.</div><div>=C2=A0</div><blockquote class=3D"=
gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(20=
4,204,204);padding-left:1ex">
<br>
&gt; either the RDATA or a domain name<br>
<br>
&gt; The RECOMMENDED format for a Validation Record&#39;s domain name is<br=
>
&gt; <br>
<br>
<br>
Here and in numerous other places I think =E2=80=9Cdomain name=E2=80=9D mig=
ht be better as =E2=80=9Cowner name=E2=80=9D.=C2=A0 i.e.: &quot;the owner n=
ame of a validation record&quot;<br></blockquote><div><br></div><div>Yes, I=
 agree.</div><div>=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"ma=
rgin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:=
1ex">
<br>
<br>
&gt; without having to hand over full DNS access<br>
<br>
what is DNS access?=C2=A0 ;-)<br></blockquote><div><br></div><div>We can re=
word this. I think we mean handing over full access to edit the zone conten=
ts to the intermediary.</div><div>=C2=A0</div><blockquote class=3D"gmail_qu=
ote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,20=
4);padding-left:1ex">
<br>
&gt; by letting the Intermediary place the random token in their DNS<br>
<br>
in their zone?<br></blockquote><div><br></div><div>Yes, and ok.</div><div>=
=C2=A0</div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0=
.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
&gt; APIs SHOULD be used to relay instructions.<br>
<br>
Not sure I follow this.=C2=A0 An API to relay instructions?<br></blockquote=
><div><br></div><div>I think this means the application provider has an API=
 that is used to obtain the instructions for how to populate the validation=
 record (owner name, rdata content etc). Though this wasn&#39;t my text. I =
hope one of my co-authors will speak up to confirm.</div><div>=C2=A0</div><=
blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-l=
eft:1px solid rgb(204,204,204);padding-left:1ex">
<br>
&gt; TTL Considerations<br>
<br>
If I were writing software to verify domain control, I probably wouldn=E2=
=80=99t use a caching resolver.=C2=A0 I=E2=80=99d just send queries to auth=
oritative name servers to avoid caching.=C2=A0 The draft doesn=E2=80=99t se=
em to have any thoughts on this one way or the other?<br></blockquote><div>=
<br></div><div>That would certainly avoid most of the TTL considerations st=
ated. But it is more work for the verifier (and requires more DNS knowledge=
), so I suspect most applications don&#39;t do this today. I would be okay =
however with stating that this one possible way a verifier could work.</div=
><div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0=
px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
&gt; CNAME Records for Domain Control Validation<br>
<br>
I think the document could be more clear or explicit that a CNAME target mu=
st exist.=C2=A0 i.e., a random token in the owner name of a CNAME record is=
 not sufficient and such a CNAME whose target does not exist should be trea=
ted as a failure, right?<br></blockquote><div><br></div><div>I don&#39;t th=
ink this necessarily has to be the case, but in practice it usually is.</di=
v><div><br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px =
0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
&gt; Application Service Providers MAY include the random token in a<br>
&gt; domain name that is related to the domain name being validated. An<br>
<br>
proposed rewording: Application Service Providers MAY specify that a random=
 token be included in the owner name of a validation record.<br></blockquot=
e><div><br></div><div>Ok.</div><div><br></div><div>Shumon.</div><div><br></=
div></div></div>

--0000000000009d9ca1061df0f5aa--