IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt

Roy Arends <roy@dnss.ec> Tue, 26 October 2021 10:10 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2CC73A0CA9 for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 03:10:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5FHk98ZaqSY8 for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 03:10:27 -0700 (PDT)
Received: from mail-pj1-x1032.google.com (mail-pj1-x1032.google.com [IPv6:2607:f8b0:4864:20::1032]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5A123A0C35 for <dnsop@ietf.org>; Tue, 26 Oct 2021 03:10:20 -0700 (PDT)
Received: by mail-pj1-x1032.google.com with SMTP id y1-20020a17090a134100b001a27a7e9c8dso1397705pjf.3 for <dnsop@ietf.org>; Tue, 26 Oct 2021 03:10:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=JIXE6rHUGv/zFzh/Afoz0WoOAxBwM/q1Sti3pXqV4jM=; b=Ued+cDuv4Ci7i7wbiOQ+ghf50kU7TII5JxO1ZrtroQjIEZVk5Jxuc+DzwqzwVbN8Vf NhkyJieYf0tu9lQLjysPDj7ETzWGJp/YgPgLfr5wI8cHRrvWhYy4Au/6yqpuc9e24/ie OPNAdv1QzH/rYMbc3+jf31H/Bh8N0U0NqV6aE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=JIXE6rHUGv/zFzh/Afoz0WoOAxBwM/q1Sti3pXqV4jM=; b=TJcsX92nQw4sLj3dSlOQxq1zN8vxL/s8yYFhUXMVMayQzfs+9LvWI8fCwghWXYLXGd Yc1IcybIqmJsoFXeMw19xvXsso1KDe9kLB0NNkhi7dIe6uTu3cXKChBGyerCcv7icf8v aKHCvcgYq8jsGnNycxgz+vgMJteowoUykZu/slKGLm6T6FdAJMHRa0dr59mj5v4eVXG+ Ji6nnw/dvkGonmUsIUfvV1zqxuNGd0RPgvaCMyJmFM0msGLT1H58DK3mTUOheu77wWqw Hjcj+BVbYKWX7rWgBkcgdqG2nX6wHfjnZP0gVbfqxO1MyUnTdQcLT+fLHAEbZmpKjmXQ x0QA==
X-Gm-Message-State: AOAM531Nz4w8cEj7Pug0L5nwiBd7CWKacckjGSXFdBaeVBhxaJcmSJlg QnB9PjKpWTowHqnNU8Xt0DvdUnO+Re2g5A==
X-Google-Smtp-Source: ABdhPJz6VMUzvgRA+O438qy/t3IM27611HK8ToM3mXYhhrxf8bLmjo7agGJxqfAoV63V8IWmbHPaIQ==
X-Received: by 2002:a17:90a:a8f:: with SMTP id 15mr27640183pjw.229.1635243018736; Tue, 26 Oct 2021 03:10:18 -0700 (PDT)
Received: from smtpclient.apple ([88.81.139.247]) by smtp.gmail.com with ESMTPSA id 125sm2591951pfv.155.2021.10.26.03.10.17 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Oct 2021 03:10:18 -0700 (PDT)
From: Roy Arends <roy@dnss.ec>
Message-Id: <D2793C49-7951-494F-9B7C-CA7E0BD7619B@dnss.ec>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2247AC72-6438-4DE4-B661-E555940D9E39"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Tue, 26 Oct 2021 11:10:14 +0100
In-Reply-To: <f3fca741-373e-c32d-9dbc-354cff3dfc9b@nic.cz>
Cc: dnsop@ietf.org
To: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
References: <161953482575.7668.10479553059119648994@ietfa.amsl.com> <f3fca741-373e-c32d-9dbc-354cff3dfc9b@nic.cz>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/TqRUl2gHJihyjwXR7bgwo9ufKuA>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 10:10:39 -0000


> On 26 Oct 2021, at 10:14, Vladimír Čunát <vladimir.cunat+ietf@nic.cz> wrote:
> 
> Hello.
> 
> 
>> DNS Error reporting SHOULD be done using DNS Query Name Minimization
>> [RFC7816 <https://datatracker.ietf.org/doc/html/rfc7816>] to improve privacy.
> 
> It's just a detail and "SHOULD" isn't strong, but I expect it might be worth elaborating here.  The name used in the reporting query adds a few labels to the failing QNAME and the whole reporting agent domain, so together that's lots of labels, and expending a packet for *each* of those labels would seem quite wasteful.  Perhaps we could agree on some boundary (e.g. around the "_er" label) under which minimization isn't recommended anymore, and put that as a suggestion into the text?
> 
> 

I have a slide ready to discuss the issue that DNS Query Name Minimization brings… A minimised query can’t be distinguished from a full query, so it may not be clear what name caused an issue. The current thinking (but will be discussed later today) is to start with _er as well. That way, the erroneous qname is “encapsulated” by _er labels.
>> The reporting resolver MUST NOT report about queries and responses
>> from an encrypted channel (such as DNS over TLS [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and DNS
>> over HTTPS [RFC8484 <https://datatracker.ietf.org/doc/html/rfc8484>]).
> I believe this needs some explanation at least (in the text, ideally).  The failing query triggering the report is towards an authoritative server (i.e. unencrypted), and the reporting queries do not really carry more information.  They may travel by a different path, but on the whole I can't see significant motivation for the paragraph, especially in "MUST NOT" form.
> 
If, at any point, auth servers offer encrypted transport, a faulty query should not be replicated in clear text.
>> This method MUST NOT
>> be deployed by default on reporting resolvers and authoritative
>> servers without requiring an explicit configuration element.
> I'm not so sure about forbidding this on resolvers so strongly, but certainly OK if the WG prefers it that way.  (On auths it wouldn't make sense to enable by default; what agent?)  If the error-reporting is meant really seriously, I'd rather improve the mechanism to never induce significant overhead and encourage enabling it by default on resolvers (at some point).

Ack. 
> To make the error-reporting work, you need noticeable commitment to deploy on both sides, because otherwise the perceived benefit from deploying might be quite low.  On resolver side, I believe that it will be quite rare for operators to tweak such highly technical options[*].  So if this MUST be off by default, you at least need commitment from some significant operators - say, I'm not even sure if Quad9 by themselves would suffice to bootstrap this.
> 
I'm inclined to remove that text alltogether. Resolver implementations either do this by default, or not. No need to pedantically require config first and default off. Additionally, there is an issue where resolvers need to retry without the option when auth servers can’t handle the option… I’m inclined, just like Extended DNS errors itself, to have authoritative servers just set the option, unsolicited. It hasn’t caused any issue for extended DNS errors yet… but lets have that discussion this afternoon.

Roy
> 
> --Vladimir | knot-resolver.cz
> 
> - - -
> [*] and I support that.  I'm a big proponent of defaults.  They should work as good as possible, and deployments should operate as close to defaults as possible.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email