IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 17 July 2023 19:41 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E184C15198F for <dnsop@ietfa.amsl.com>; Mon, 17 Jul 2023 12:41:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q7ubEJqK-oRQ for <dnsop@ietfa.amsl.com>; Mon, 17 Jul 2023 12:41:30 -0700 (PDT)
Received: from mail-pf1-x429.google.com (mail-pf1-x429.google.com [IPv6:2607:f8b0:4864:20::429]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79F57C15198D for <dnsop@ietf.org>; Mon, 17 Jul 2023 12:41:30 -0700 (PDT)
Received: by mail-pf1-x429.google.com with SMTP id d2e1a72fcca58-668704a5b5bso4986489b3a.0 for <dnsop@ietf.org>; Mon, 17 Jul 2023 12:41:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1689622890; x=1692214890; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=foLWPmth0hy0B96NfllP6J/fwX7d7IOj2wGkeLgVbMY=; b=mRioWjmC+jytTbl85EydNV7Tmn+OtamGcZLto93j0ln5X8iWdssmyZac6sHh6yllMi Nl1bBdOtDV4hrM5x8+Z18KOsZ2tgHqXwlYIF0+v3knxIbTWtUpavdLHLaDxKnyKb68cX gkWVtZJn/s9MIJBvvn1O8XbRFwVoyN06Ih+8qhF9AIu4qnRq4mrp9P4gDZLtdIm9Diw9 alPuqn/iifiEdFkjVspzwbwm8wYmyXff7LoZH+dWP/I8f9Xdw2YX+MI20hU7KNpLSbDL uAYKwRZpMS+t7PWOYftkEb9CajTmPF+ac12xgBrZu63/jBUnBADOC6rqOFL9e+DL2ZCj rs7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689622890; x=1692214890; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=foLWPmth0hy0B96NfllP6J/fwX7d7IOj2wGkeLgVbMY=; b=JieQxqGnbDJoc8XFzVvlmq2RCz2bipsuAJDOxSwL2sYlqmMejRT0b/WpmFvuCXkFxl FPtHRhLnXpd15TvbJ/K0LEuRwZmsF7kIzGHClrk9DExySaKhitGtMuZDsTdxi0+FrJD/ SYEQacctrcDj92ZJe8jXuxAJC1vThbffhNQMPIsFlLf0B6cclrJeeVF/hEaYcvBXUee0 den3Wst0mv6f9Qxnwyw+GsjpZsEwHnTY20bmnnBjwie3P7hAUucuF6uZHudYGiN2Qxlw JJrB23ibotcTSLGsf2SUzJ1qxpIm0BSSf+FtScfpVP1UmurmSjtwQUTc7sq5gQNum1+s nuvw==
X-Gm-Message-State: ABy/qLZ4SUURGQXqbJURES5gUwnxiZmAoDThYs13VfyCslOR/r6XuXZm f1/6CX5zKK/UJ/1BklryemQ8EB+ijmRqagcdnzA8tqQPiF8=
X-Google-Smtp-Source: APBJJlHIIC+629BUbkwbCNZ35UdKa7uyrRheqMGUpARbS/wc25kMu2O9XA9npfVGaueJwbOjgbE5CkIC31W4NjbHcoE=
X-Received: by 2002:a17:90b:11c4:b0:267:6ee7:b8f3 with SMTP id gv4-20020a17090b11c400b002676ee7b8f3mr9932767pjb.0.1689622889651; Mon, 17 Jul 2023 12:41:29 -0700 (PDT)
MIME-Version: 1.0
References: <20230717164035.5668EFE31C0B@ary.qy> <m14jm2eaiz.fsf@narrans.de> <ff32cd62-849a-7d2a-3697-0b7a742d3619@nohats.ca> <ff30dd1e-2e4a-f037-5676-fa26c523acb1@taugh.com> <CAH1iCipMsZzu-VCXGvO0SU=ta07TKbiUSRZtYS1uFBWzKLVMnA@mail.gmail.com> <330deaf1-cf31-787a-8ca9-780fd68236d9@taugh.com>
In-Reply-To: <330deaf1-cf31-787a-8ca9-780fd68236d9@taugh.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 17 Jul 2023 12:41:17 -0700
Message-ID: <CAH1iCioy0_cOvrVA2S80JwzOGuDYukOXPCC+=edhyG=JCmoRwg@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: dnsop@ietf.org
Content-Type: multipart/alternative; boundary="00000000000024656d0600b3fceb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RpqW6kOjNtu12BnNEkhj6y7miM8>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2023 19:41:31 -0000

On Mon, Jul 17, 2023 at 12:20 PM John R Levine <johnl@taugh.com> wrote:

> Just to be clear, I think it's quite reasonable to encourage people to put
> tokens at _name but I still see it as a matter of taste, not a technical
> issue.
>
> On Mon, 17 Jul 2023, Brian Dickson wrote:
> > TCP being triggered on resolver-auth is much more of concern,
> particularly
> > when the underlying cause (large RRsets) is preventable.
>
> I take your point, but we're not talking about a lot of traffic.  If any
> particular token is checked as often as once a day, that's a lot.  At what
> scale does the TCP traffic become an issue?
>

The stuffed apex does not only include those tokens, e.g. SPF and friends,
which get queried A LOT.
So, adding validation tokens to the apex causes collateral damage via
non-token apex records.

TCP traffic is several orders of magnitude more expensive than UDP.
Anything that bumps up the proportion of TCP traffic in a statistically
meaningful way causes issues.

E.g. Suppose TCP is 1% of traffic. Something bumping it to 1.5% might seem
benign, but in reality is causing 50% extra cost.
Whatever the impact, if it does not have some corresponding benefit
overall, or particularly relative to op-ex vs revenue, that's a bad outcome.

DNSSEC is maybe a red herring, because there are operational benefits on
the overall query ecosystem.
Specifically, with aggressive NSEC, resolver-auth load (and particularly
DOS/DDOS triggered load) actually goes down A LOT, in the worst case
scenarios.


>
> >> The only somewhat plausible argument I see against stuffing the apex is
> >> that if people are sloppy, they might invent tokens that could be
> confused
> >> with each other.
> >
> > The technical term would be "collision" rather than "confusion".
> > One harm of collision is the impact on automation. Whether at the apex or
> > in underscore prefixes, the collision "space" suffers from the "birthday
> > paradox" scaling problem.
>
> The birthday paradox is relevant if you only have 366 birthdays, but not
> if people are using 20 character identifier strings which give you a
> 10^25 point name space.  (See the Cisco TXT records in my previous
> message.)  This is an aesthetic preference, not a technical one.
>

In the absence of the aforementioned draft, there is no specific guidance
that would lead ALL token issuers to use 20 character identifiers.
And without doing so, the likelihood of some issuers having conflicting
semantic choices (and thus token choices) is non-trivial.

E.g. any mail package that gets used, or hosting software, or third party
apps generally.

E.g. I've seen a software vendor "foo" with their registered domain
"foo.example", who have lots of customers running "foo" as a service.
The vendor was given guidance to use "_foo_example" (an encoding of their
domain) rather than "_foo", to protect themselves from collisions.
But there is also a likelihood of some non-zero subset of operators of "foo
as a service" picking "_foo" and causing collisions.
The draft would provide sufficient guidance to reduce the latter from being
relatively common (lots of assumptions etc., but better than no guidance.)

Brian

v2.23.0 | Report a Bug | By Email