IETF Logo Mail Archive

Re: [DNSOP] "flagday" again, was Re: Wrapping up draft-ietf-dnsop-dns-tcp-requirements

Mark Andrews <marka@isc.org> Wed, 03 July 2019 02:18 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 369651200F6 for <dnsop@ietfa.amsl.com>; Tue, 2 Jul 2019 19:18:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.899
X-Spam-Level:
X-Spam-Status: No, score=-6.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OerWQv-F4bf0 for <dnsop@ietfa.amsl.com>; Tue, 2 Jul 2019 19:18:39 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09A161200CE for <dnsop@ietf.org>; Tue, 2 Jul 2019 19:18:39 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 06F053AB000; Wed, 3 Jul 2019 02:18:38 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id E8EB4160044; Wed, 3 Jul 2019 02:18:37 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id D025716005B; Wed, 3 Jul 2019 02:18:37 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 4Y89RScS6slZ; Wed, 3 Jul 2019 02:18:37 +0000 (UTC)
Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id CE6CD160044; Wed, 3 Jul 2019 02:18:36 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <alpine.LRH.2.21.1907021019280.20572@bofh.nohats.ca>
Date: Wed, 03 Jul 2019 12:18:32 +1000
Cc: Petr Špaček <petr.spacek@nic.cz>, dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <0DED96DD-67AE-4959-ADD6-BD2E08192195@isc.org>
References: <20190625101020.3c601691@p50.localdomain> <cdb97d93-4480-08eb-436b-574fe22c4981@nic.cz> <alpine.LRH.2.21.1907011349190.28830@bofh.nohats.ca> <15467755.7jdABhfuui@linux-9daj> <c7d0a3df-68ea-bafa-f43b-e373fa791a58@nic.cz> <alpine.LRH.2.21.1907021019280.20572@bofh.nohats.ca>
To: Paul Wouters <paul@nohats.ca>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/U4W7t0hxe9IJdYU6mjyku2AWfWg>
Subject: Re: [DNSOP] "flagday" again, was Re: Wrapping up draft-ietf-dnsop-dns-tcp-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 02:18:41 -0000


> On 3 Jul 2019, at 12:31 am, Paul Wouters <paul@nohats.ca> wrote:
> 
> On Tue, 2 Jul 2019, Petr Špaček wrote:
> 
>> Let me clarify that we (as DNS flag day organizers) are not even
>> touching any RFC language because all the necessary pieces are already
>> standardized (madatory TCP support + mechanism to handle EDNS buffer size).
> 
> If there is a security issue with fragmented DNS packets, perhaps that
> warrants a new RFC document, possibly a BCP, that instructs implementers
> what to do.

Defeating fragmentation attacks requires more than a BCP.

https://tools.ietf.org/html/draft-andrews-dnsop-defeat-frag-attack-00

>> Some people claim that IETF cannot put requirements on operators, only
>> on implementations. We (as software and service vendors) are now saying
>> "if you want to interoperate, you as an operator have to follow
>> standards mandated for implementations", because in the end, what's
>> mandated for implementation does not matter if operators ignore these
>> requirements.
> 
> That is not different from the examples I gave earlier for those RFCs.
> You can encourage/discourage or obsolete features. The good thing of
> doing that in an RFC is that organizations and goverments and vendors
> can point to it for compliance or policy and explain why it is done
> a certain way.
> 
>> Of course it has to be explained to non-IETFers in many more words to
>> eliminate requirement to read all the RFCs, but that's it.
> 
> If you think that, you haven't properly informed implementers via
> existing RFCs. A new one is apparently needed. I don't see why this
> should not be done here. This is dnsops. If you find an operational
> issue, you write a clarifying or correcting RFC.

Awaiting last call

https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-13

>> Changing default EDNS buffer size is, I believe, in competency of
>> individual implementations, so we as implementors will do a thing we
>> deem sensible.
> 
> No one is saying you are not sensible. My point was that none of this
> is a flag day, and the promotion to reach a few implementations via
> "flag days" is better directed at writing a new or updated RFC that
> explains the issue and recommends implementors what (not) to do. That
> also helps downstream with customers wanting RFC ABC compliance, which
> is a much stronger signal than compliance to "dnsflagday.net/2020”.

Winding back the default EDNS buffer size will break interoperability
with servers that now send TC=1 responses that otherwise didn’t happen
and do not accept TCP.

The key point of a flag day is that it is the day after which
interoperability fails, not the rate at which it is deploy which
you appear to be concentrating on.

The DNS 2019 not only had ON THE DAY changes (thanks to Google changing
their 8.8.8.8 service on the day) but introduce interoperability changes
between servers that where not compliant (failed to answer) and clients
that no longer worked around the non compliance.

>> Let's continue discussion about dns flag day 2020 at mailing list
>> dns-operations@lists.dns-oarc.net, please.
> 
> I'd rather not. Operational issues related to the DNS protocol
> (mis)implementations or standard behaviour are well within the
> charter of this group. DNS-OARC is a good venue to look at what
> is happening, discuss why certain operational things are happening,
> maybe brainstorm on how to fix it. Then coming to this group with
> a proposal for a document to inform everyone and improve everything
> is the right venue. It seems the problem and solution are already
> well defined. It just needs to be written down in an RFC, and then
> gradually software can implement the new behaviour. And again, if
> for reasons vendors decide to implement it all on the same day to
> ensure strict vendors are not unreasonably punished by being blamed
> for failures, that's a reasonable goal. But seeing how upstream
> vendors have no control over when downstream vendors pick up new
> versions, the term "flag day" is just not the correct term to use,
> and only brings up negative connotations in people being misled
> into thinking IETF protocols needs flag days to continue running.
> 
> Paul
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email