Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt
Roy Arends <roy@dnss.ec> Tue, 26 October 2021 10:18 UTC
Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 652AB3A0D6C for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 03:18:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khxMillphQYc for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 03:18:33 -0700 (PDT)
Received: from mail-pf1-x42f.google.com (mail-pf1-x42f.google.com [IPv6:2607:f8b0:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 214B83A0D3D for <dnsop@ietf.org>; Tue, 26 Oct 2021 03:18:32 -0700 (PDT)
Received: by mail-pf1-x42f.google.com with SMTP id m14so13860009pfc.9 for <dnsop@ietf.org>; Tue, 26 Oct 2021 03:18:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Mt5KCX+5su3+rCAYIwrlYTnm+jsnBJjQzx79qmWy0p0=; b=TJfLAnpfxWbyM6tPIwHJz8hS6qCe7e90355ERhV/pqmCRc8aWJLweAlg9dy836MoM+ /quCWLxbyKsxI9CfaIejRJY+EhX0TglQbA7Y5+oU+x4fnCe7aTlcgTGPPJXFpuvt9ixT DIFRRvs3F7rrLPX/nN14VmTx/UqPvZPTFt1YA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Mt5KCX+5su3+rCAYIwrlYTnm+jsnBJjQzx79qmWy0p0=; b=mvQEIy/IHizrJqLbM6fcsUdXmKtNl9oncgGjwNzOs9VcKEeFXHYP+Ya0Y0nNxNEqhy Uy7Wwa6C2LF0vf0IOVB1LN17PX0JKSOXWC9MCR1Q4PtWHs5D3utHlFNQrFlKroLCee7F fcD2BNfmsRemo1rvhbQigfGqGoW1Ljh0AMAqwB+xzToXX+KilQz34SJaMCeMMEoI7uF8 SpdyBRr3Ln1QW17DwUf+YKsOgf9VCrC1T4vW8QaiKYroQMJmmOCix25/lIHQ5wXTXu0C 9uRpO6G2jFxqMgWZEw/qAPPzUliGcRmByXSWPo1G6/6KvhY9ifCw58bhOst5R2RytiAF HM2w==
X-Gm-Message-State: AOAM531pXW6gZSvAyWWCdtv/BT/HqGBEHMwkeCNe6sZaYiZYglltDNTf MlDwJhErIeo7glTaa0uHpuDlRBGQu4rvDQ==
X-Google-Smtp-Source: ABdhPJzDnS4uyV7sTAjX9GpI9548dRFw0hSxX5guHr9VN1Dn6Bb5Hpm55a1RgswVDZWD39gr0hCdtw==
X-Received: by 2002:a63:af09:: with SMTP id w9mr17946677pge.323.1635243509856; Tue, 26 Oct 2021 03:18:29 -0700 (PDT)
Received: from smtpclient.apple ([88.81.139.247]) by smtp.gmail.com with ESMTPSA id n16sm10196887pfa.128.2021.10.26.03.18.28 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 26 Oct 2021 03:18:29 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <a896a7c2-881f-b197-320c-9c53511b9b63@isc.org>
Date: Tue, 26 Oct 2021 11:18:26 +0100
Cc: dnsop@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <7C68E67E-B41D-4CEA-9E25-782EFCBC5DF5@dnss.ec>
References: <161953482575.7668.10479553059119648994@ietfa.amsl.com> <f3fca741-373e-c32d-9dbc-354cff3dfc9b@nic.cz> <a896a7c2-881f-b197-320c-9c53511b9b63@isc.org>
To: Petr Špaček <pspacek@isc.org>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/V3uVVC_b9vuViDFu1KfE8pvRRaQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 10:18:38 -0000
Hi Petr, > On 26 Oct 2021, at 11:02, Petr Špaček <pspacek@isc.org> wrote: > > On 26. 10. 21 11:14, Vladimír Čunát wrote: >> Hello. >>> DNS Error reporting SHOULD be done using DNS Query Name Minimization >>> [RFC7816 <https://datatracker.ietf.org/doc/html/rfc7816>] to improve privacy. >> It's just a detail and "SHOULD" isn't strong, but I expect it might be worth elaborating here. The name used in the reporting query adds a few labels to the failing QNAME and the whole reporting agent domain, so together that's lots of labels, and expending a packet for *each* of those labels would seem quite wasteful. Perhaps we could agree on some boundary (e.g. around the "_er" label) under which minimization isn't recommended anymore, and put that as a suggestion into the text? > > We need to consider & document interaction between Query Name Minimization and NXDOMAIN processing as per RFC 8020. If minimization & RFC 8020 are on default then it might very easily happen that most of _er subtrees (which are presumably empty) will be cut out by cache and nothing will be sent out when an error is detected. Ack, lets discuss this afternoon. > All in all, I think the text should warn about this interaction instead of mandating query name minimization on/off. Yes, one way of dealing with it is to have the reporting agent server (where the reports go), deploy a wildcard under their reporting agent zone. Additionally, I think we should never require additional complexity to query name minimisation. The issue caused by query name minimisation can be solved by prepending an _er label, so the erroneous qname is encapsulated by _er’s. > > >>> The reporting resolver MUST NOT report about queries and responses >>> from an encrypted channel (such as DNS over TLS [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and DNS >>> over HTTPS [RFC8484 <https://datatracker.ietf.org/doc/html/rfc8484>]). >> I believe this needs some explanation at least (in the text, ideally). The failing query triggering the report is towards an authoritative server (i.e. unencrypted), and the reporting queries do not really carry more information. They may travel by a different path, but on the whole I can't see significant motivation for the paragraph, especially in "MUST NOT" form. > > I will use stronger language: This is under-specified to the point where it starts causing confusion. I agree. > * Is the paragraph considering channel from stub to resolver? No. > * From resolver to auth? Yes. > * Both? No. > * What to do with queries executed by resolver on its own (prefetch)? They’re not special. > * What if multiple clients are waiting for the same query, using different channels? (query deduplication in the resolver) > etc. Assuming you’re referring to stubs (not sure if you do, apologies): The reporting is independent of the client. i.e. the report will not go to clients, but to authoritative servers. > > I think this should go to Security Considerations section and be left for implementations to decide. MUST mandate is way too strong and does not accommodate implementation- and deployment- specific circumstances. Ack. > > >>> This method MUST NOT >>> be deployed by default on reporting resolvers and authoritative >>> servers without requiring an explicit configuration element. >> I'm not so sure about forbidding this on resolvers so strongly, but certainly OK if the WG prefers it that way. (On auths it wouldn't make sense to enable by default; what agent?) If the error-reporting is meant really seriously, I'd rather improve the mechanism to never induce significant overhead and encourage enabling it by default on resolvers (at some point). >> To make the error-reporting work, you need noticeable commitment to deploy on both sides, because otherwise the perceived benefit from deploying might be quite low. On resolver side, I believe that it will be quite rare for operators to tweak such highly technical options[*]. So if this MUST be off by default, you at least need commitment from some significant operators - say, I'm not even sure if Quad9 by themselves would suffice to bootstrap this. > > I agree. Mandating "disabled by default" configuration on _resolvers_ sounds like a way to get to a working-but-never-deployed protocol. I agree. Roy > > -- > Petr Špaček @ ISC > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-re… internet-drafts
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Hoffman
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Bill Woodcock
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… libor.peltan
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Roy Arends
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Brian Dickson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Vladimír Čunát
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Matthijs Mekking
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Petr Špaček
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Vladimír Čunát
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Vladimír Čunát