Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver-information-00.txt
Neil Cook <neil.cook@noware.co.uk> Tue, 29 October 2019 07:54 UTC
Return-Path: <neil.cook@noware.co.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 528651200D8 for <dnsop@ietfa.amsl.com>; Tue, 29 Oct 2019 00:54:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.105
X-Spam-Level:
X-Spam-Status: No, score=-1.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RDNS_NONE=0.793, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MEsz3ZYwXxq5 for <dnsop@ietfa.amsl.com>; Tue, 29 Oct 2019 00:54:09 -0700 (PDT)
Received: from mail.noware.co.uk (unknown [IPv6:2604:a880:0:1010::add:2001]) by ietfa.amsl.com (Postfix) with ESMTP id BD5D91200BA for <dnsop@ietf.org>; Tue, 29 Oct 2019 00:54:09 -0700 (PDT)
Received: from [192.168.1.170] (unknown [81.156.224.111]) by mail.noware.co.uk (Postfix) with ESMTPSA id 06E4F1C228C; Tue, 29 Oct 2019 07:44:26 +0000 (UTC)
From: Neil Cook <neil.cook@noware.co.uk>
Message-Id: <7CFC51C0-27BF-4875-A18C-AC434B3A7248@noware.co.uk>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EEC13A3D-4D47-4C67-9C53-5753C19C7169"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3594.4.19\))
Date: Tue, 29 Oct 2019 07:54:07 +0000
In-Reply-To: <CAMGpriWD_dOADk4=OKFzVZn8KT9RC_A1v3jQDq6oDLuRB3K9yg@mail.gmail.com>
Cc: dnsop@ietf.org
To: Erik Kline <ek.ietf@gmail.com>
References: <156624288737.19884.5252170663574668911@ietfa.amsl.com> <A8482079-FC91-414D-B0EF-E016606E9093@noware.co.uk> <34CACD4F-554A-4736-BD53-36D980B5A5A5@noware.co.uk> <CAMGpriWD_dOADk4=OKFzVZn8KT9RC_A1v3jQDq6oDLuRB3K9yg@mail.gmail.com>
X-Mailer: Apple Mail (2.3594.4.19)
X-VADE-SPAMSTATE: clean
X-VADE-SPAMSCORE: 0
X-VADE-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedufedruddttddguddugecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfpgffknfevqffqmfenuceurghilhhouhhtmecufedttdenucenucfjughrpefhkfgtggfuffgjvfhfofesrgdtmherhhdtjeenucfhrhhomheppfgvihhlucevohhokhcuoehnvghilhdrtghoohhksehnohifrghrvgdrtghordhukheqnecuffhomhgrihhnpehivghtfhhgmhgrihhlrdgtohhmpdhivghtfhdrohhrghenucfkphepkedurdduheeirddvvdegrdduuddunecurfgrrhgrmhepihhnvghtpeekuddrudehiedrvddvgedrudduuddphhgvlhhopegludelvddrudeikedruddrudejtdgnpdhmrghilhhfrhhomheppfgvihhlucevohhokhcuoehnvghilhdrtghoohhksehnohifrghrvgdrtghordhukheqpdhrtghpthhtohepvghkrdhivghtfhesghhmrghilhdrtghomhdprhgtphhtthhopegunhhsohhpsehivghtfhdrohhrghenucevlhhushhtvghrufhiiigvpedt
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RZn9Qq4jZJDtpx6Nj3ZNAfVgh6k>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver-information-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Oct 2019 07:54:12 -0000
The scenario I describe isn’t about discovering intermediate resolvers, it’s about ensuring that you can use the described protocol to get the actual resolver info when there’s an intermediate resolver in the path. That can be achieved with the DNS-based mechanism in the draft, but not with the HTTPS-based mechanism. Neil > On 28 Oct 2019, at 18:39, Erik Kline <ek.ietf@gmail.com> wrote: > > IIRC Ben Schwartz at the mic (Prague? Montreal?) mentioned he was interested in seeing something like "traceroute but for DNS", which (a) is what your described scenario sounds like to me and (b) is a separate objective from this draft. I think it's just...unrelated. I don't think we have DNS hop-by-hop -type semantics, which would make the discovery of intermediate resolvers/forwarders easier. > > On Mon, Oct 28, 2019 at 9:03 AM Neil Cook <neil.cook@noware.co.uk <mailto:neil.cook@noware.co.uk>> wrote: > I was quite surprised that there was no reaction to my comments. Are they not worth replying to, or is there just not enough interest in this draft? > > Resolver discovery seems like such an important topic given what is happening with DoH and DoT, I can’t believe that folks aren’t interested in progressing this, and I think ensuring that it works for the extremely widely deployed use-case of a DNS proxy/forwarder is very important. > > Neil > > > On 11 Oct 2019, at 14:41, Neil Cook <neil.cook@noware.co.uk <mailto:neil.cook@noware.co.uk>> wrote: > > > > I have some comments on this draft. > > > > I’m particularly concerned about the extremely common use-case where a DNS proxy is used in front of the actual resolver; this is the case for many home routers/CPEs, particularly those provided by ISPs. They tend to give out DNS via DHCP on a private IP address e.g. 192.168.0.x, and then use dnsmasq (or homegrown software) to proxy to the actual resolver of the ISP located in the network on a public IP address. > > > > TL;DR - there are two mechanisms defined in this draft. The first mechanism "Retrieving Resolver Information by DNS” seems like it would work ok with the above scenario. The second mechanism "Retrieving Resolver Information by Well-Known URI” would require changes to every CPE of the type described above, which IMO makes it unworkable for that scenario. (BTW for CPE insert any kind of DNS proxy/forwarder, which would have the same issue). > > > > My main concern is that given that there are two mechanisms specified, clients may choose only to implement one of them. The draft doesn’t appear to specify that client authors must implement one or the other, or both. So I’d like to see the draft mandate that if only one of the mechanisms is implemented, it must be the "Retrieving Resolver Information by DNS” method. > > > > I’d like to see the draft give due consideration to this very common use-case, (both CPEs and the more general case of DNS proxies/forwarders). > > > > A few additional comments which I think need to be considered: > > > > - For the Well-Known URI mechanism by resolver IP, clearly private IP addresses can never get valid certificates, so even if CPEs were to implement this mechanism, they can never be authenticated. > > > > - For the DNS method, given that a resolver never knows if DNS proxies are being used (in CPEs or elsewhere) or indeed what IP addresses are being used behind those proxies, I would imagine that at a minimum it would need to answer RESINFO queries for *all* RFC1918 addresses. This does then lead to the question, why include the IP address in the query at all? I assume the answer is “DNSSEC”, but see below for some more questions/comments on that. > > > > - There is an acknowledgement "Erik Kline suggested using "<reverse-ip>.{in-addr,ip6}.arpa" as the > > domain name to allow for the possibility of DNSSEC-signed responses.” > > > > I think it’s worth noting that RESINFO queries for private IP addresses will never be able to generate DNSSEC-signed responses. Also given the restriction "Authoritative servers MUST NOT answer queries that are defined in this protocol.” it seems unlikely that many resolvers would be capable of generating DNSSEC-signed responses, especially given that resolvers and authoritative servers tend to be completely separate entities these days. > > > > This also begs the question, why create that restriction at all? Why must Authoritative Servers not answer those queries? The draft also states that "if the resolver can be configured to also be authoritative for some zones, it can use that configuration to actually be authoritative for the addresses on which it responds.” Which seems to contradict the previous MUST NOT - surely this is an implementation detail that should not be mentioned in an IETF draft? > > > > Neil Cook > > > >> On 19 Aug 2019, at 20:28, internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> wrote: > >> > >> > >> A New Internet-Draft is available from the on-line Internet-Drafts directories. > >> This draft is a work item of the Domain Name System Operations WG of the IETF. > >> > >> Title : DNS Resolver Information Self-publication > >> Authors : Puneet Sood > >> Roy Arends > >> Paul Hoffman > >> Filename : draft-ietf-dnsop-resolver-information-00.txt > >> Pages : 9 > >> Date : 2019-08-19 > >> > >> Abstract: > >> This document describes methods for DNS resolvers to self-publish > >> information about themselves, such as whether they perform DNSSEC > >> validation or are available over transports other than what is > >> defined in RFC 1035. The information is returned as a JSON object. > >> The names in this object are defined in an IANA registry that allows > >> for light-weight registration. Applications and operating systems > >> can use the methods defined here to get the information from > >> resolvers in order to make choices about how to send future queries > >> to those resolvers. > >> > >> > >> The IETF datatracker status page for this draft is: > >> https://datatracker.ietf.org/doc/draft-ietf-dnsop-resolver-information/ <https://datatracker.ietf.org/doc/draft-ietf-dnsop-resolver-information/> > >> > >> There are also htmlized versions available at: > >> https://tools.ietf.org/html/draft-ietf-dnsop-resolver-information-00 <https://tools.ietf.org/html/draft-ietf-dnsop-resolver-information-00> > >> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-resolver-information-00 <https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-resolver-information-00> > >> > >> > >> Please note that it may take a couple of minutes from the time of submission > >> until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>. > >> > >> Internet-Drafts are also available by anonymous FTP at: > >> ftp://ftp.ietf.org/internet-drafts/ <ftp://ftp.ietf.org/internet-drafts/> > >> > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org <mailto:DNSOP@ietf.org> > https://www.ietf.org/mailman/listinfo/dnsop <https://www.ietf.org/mailman/listinfo/dnsop> > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] I-D Action: draft-ietf-dnsop-resolver-inf… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Bob Harold
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-re… Paul Hoffman
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Neil Cook
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Neil Cook
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Erik Kline
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Neil Cook
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Neil Cook
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Erik Kline
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Ben Schwartz
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Neil Cook
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver… Brian Dickson