IETF Logo Mail Archive

Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-refuse-any

神明達哉 <jinmei@wide.ad.jp> Thu, 22 December 2016 18:19 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BECC12943C for <dnsop@ietfa.amsl.com>; Thu, 22 Dec 2016 10:19:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k6BSxA2ENg76 for <dnsop@ietfa.amsl.com>; Thu, 22 Dec 2016 10:19:44 -0800 (PST)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83F28129438 for <dnsop@ietf.org>; Thu, 22 Dec 2016 10:19:44 -0800 (PST)
Received: by mail-qt0-x232.google.com with SMTP id d45so19986272qta.1 for <dnsop@ietf.org>; Thu, 22 Dec 2016 10:19:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=iwbZqFkNd9V1xu5hBgDWLWD8rT7SMya/m5wavOy1KbQ=; b=P14cqzuxVNZLJtyUYYZ7rcHVA/Ca/rqxLzGnU5KbEZQGUs1qsiDweD1R6OmTNWOVfQ ri6kG5nO4Ol9YobORJWBAXc8FryVj/oIkYEL8mJhgSz2C9zgELb6KPmWG0BdxjLA45ss B54GJmFmPLKZv2JWHRmw5UNLug91xHJaR7g70ennaSB52vYD95XtSuAds1b0sa9i/bq7 A8+nXgOXuiFH00KjLbqlkrqHO7wUJ76c5htPgBRN8z5IyiEnMk1PSHS6sYcL0BO8fT5L lExsnJsX1r98+h1w1JgJKgHXkJg+oUBq/F8bvB9pQJuw+hREgMMJjPUIszAx+bsYMh6/ 0X9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-transfer-encoding; bh=iwbZqFkNd9V1xu5hBgDWLWD8rT7SMya/m5wavOy1KbQ=; b=QKQx5rQDuvkerJpyn0vyx0R62j6exxcOlYNkPmgDk/rluCUkkpCGA5XFzMO9qSDOEE 2gNVnMHTx2uEVpkEE+wJ8Yyp231dYotp2UdGR4JvFwUERnY3ym0B74MOGc7a0ju2vUrK M+2xoabegKMmbBbj1ZpxCcs9in4hUcNE43seqxeueDuw3DgRLG87WcwCLDAY+ZMmYCyA hfTy8EluwyRXmUYkidznue34IMnpcJv83FMQyZvJMxU1+fVJ4h7+Ud1SSkxRQNyjLj5I onKeK3MqFgBGzZh3b7tZRk/FdpPVMXtmXYl7OMH3Na74hgbWUS+U9Xggue9WcgRNPl3/ SG6A==
X-Gm-Message-State: AIkVDXKMvnVKLjHgWeI7dg5sA6gkUYLu6cxQh21wpSEish4YF8TfcZqcTmQDHml9d2rHpiXaOffLw9+VW0FWkQ==
X-Received: by 10.200.42.93 with SMTP id l29mr12478915qtl.289.1482430783382; Thu, 22 Dec 2016 10:19:43 -0800 (PST)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.200.51.154 with HTTP; Thu, 22 Dec 2016 10:19:42 -0800 (PST)
In-Reply-To: <BF2E17B4-7F29-45B0-83BC-8438C82F0B83@ogud.com>
References: <CADyWQ+FwGf66+HL3W46C2d1BJZoyRxBDPPw8Yuup8k0Haise=g@mail.gmail.com> <CAJE_bqeXL9tqs8jf-S=LyEiTT0PG6z_ELTrDAiJW2u065FKARg@mail.gmail.com> <BF2E17B4-7F29-45B0-83BC-8438C82F0B83@ogud.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Thu, 22 Dec 2016 10:19:42 -0800
X-Google-Sender-Auth: hItqT8T3ZI4L_rXyu0VClfsbJQE
Message-ID: <CAJE_bqczsRMBFG0sqD4QKBvFX_C1ibLq6VarHcKvshOB-W5Q1w@mail.gmail.com>
To: Olafur Gudmundsson <ogud@ogud.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TPHpOKwySmlc5UGW3BdQxhvIwM8>
Cc: tjw ietf <tjw.ietf@gmail.com>, dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Working Group Last Call draft-ietf-dnsop-refuse-any
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2016 18:19:47 -0000

Sorry for the delayed response.  I've been unusually busy for these
several weeks...

At Sat, 3 Dec 2016 12:44:47 -0500,
Olafur Gudmundsson <ogud@ogud.com> wrote:

> > I've read the 03 version of the document.  I do *not* think this is
> > ready for publication since I still believe we should not abuse HINFO
> > for this purpose as I argued a year ago:
> > https://www.ietf.org/mail-archive/web/dnsop/current/msg16118.html
> > (But other than that I think the document is quite well written).
>
> We have some implementation experience with this and the fact that we return a
> Record that is parsed and displayed in human readable format has proven valuable in
> dealing with “interoperability” problems.
> A number of “abusers” of ANY queries have seen this read the draft and said
>        - yep I should have a fallback
> or    - asking for exactly what I need is better way
>
> So what other RFC1034/5 defined type are you willing to throw under the bus?

(If synthesizing an otherwise-non-existent type of RRset is non
debatable) personally, I'd rather propose introducing a new RR type
specifically for this purpose so it's guaranteed to not cause
conflict or confusion.  "human readability with currently available
tools (e.g., a currently distributed version of dig)" is a well-known
excuse in cases like this or TXT abusers, but at least for a standard
track IETF protocol I believe we should take a more long-term view;
once we define the new type it won't take too long until common tools
like dig, drill, etc will catch up.  Until then relatively skilled
users can google what 'TYPE259' means and finds it's returned as
defined in RFC83xx.


> > Some specific comments on the text:
> >
> > - Section 3
> >
> >   1.  A DNS responder can choose to select one or subset of RRSets at
> >       the QNAME.
> >
> >  'one or subset of RRSets' sounds a bit awkward to me, partly because
> >  'a subset of RRSets' should include 'one of RRSets' and can thus be
> >  redundant, and partly because 'subset of RRSets" might sound related
> >  to 'subset of an RRSet' (it's actually "a subset of set of RRSets").
> >  So I'd suggest changing this one of the following:
> >  - "one or a few of RRSets (but not all of them)"
> >  - "one or a few of RRSets"
> >  - "a subset of RRSets"
> >  I personally prefer the first most although it may be too verbose.
> >
> I  think the best way to address this to be consistent with Section 4 is to say
> “one RRset” and be done with it

Works for me.  (But some others might want to avoid to be too
restrictive).
>
> > - Section 4
> >
> >   If the DNS query includes DO=1 and the QNAME corresponds to a zone
> >   that is known by the responder to be signed, a valid RRSIG for the
> >   RRSets in the answer (or authority if answer is empty) section MUST
> >   be returned.
> >
> >  Does this also apply to a synthesized HINFO (if so, by dynamically
> >  signing it?)?
> >
> Yes

Okay.  My objection to using HINFO in the first place aside, as long
as this hack is documented I think the doc should explicitly note it.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email