Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt
Vladimír Čunát <vladimir.cunat+ietf@nic.cz> Tue, 26 October 2021 09:14 UTC
Return-Path: <vladimir.cunat+ietf@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FB853A134A for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 02:14:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.229
X-Spam-Level:
X-Spam-Status: No, score=-5.229 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-3.33, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bXxxabb2njnw for <dnsop@ietfa.amsl.com>; Tue, 26 Oct 2021 02:14:44 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61A5D3A1347 for <dnsop@ietf.org>; Tue, 26 Oct 2021 02:14:43 -0700 (PDT)
Received: from [IPV6:2a02:768:2d1c:226::a2e] (unknown [IPv6:2a02:768:2d1c:226::a2e]) by mail.nic.cz (Postfix) with ESMTPSA id CC84F1409DB for <dnsop@ietf.org>; Tue, 26 Oct 2021 11:14:35 +0200 (CEST)
Content-Type: multipart/alternative; boundary="------------JUA3l0Km9m9eqDUX8zWdJD0B"
Message-ID: <f3fca741-373e-c32d-9dbc-354cff3dfc9b@nic.cz>
Date: Tue, 26 Oct 2021 11:14:35 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.1.1
Content-Language: en-US
To: dnsop@ietf.org
References: <161953482575.7668.10479553059119648994@ietfa.amsl.com>
From: Vladimír Čunát <vladimir.cunat+ietf@nic.cz>
In-Reply-To: <161953482575.7668.10479553059119648994@ietfa.amsl.com>
X-Virus-Scanned: clamav-milter 0.102.4 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VAha-_30EyqC7BHeeNebyFqq2Sw>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 09:14:49 -0000
Hello. > DNS Error reporting SHOULD be done using DNS Query Name Minimization > [RFC7816 <https://datatracker.ietf.org/doc/html/rfc7816>] to improve privacy. It's just a detail and "SHOULD" isn't strong, but I expect it might be worth elaborating here. The name used in the reporting query adds a few labels to the failing QNAME and the whole reporting agent domain, so together that's lots of labels, and expending a packet for *each* of those labels would seem quite wasteful. Perhaps we could agree on some boundary (e.g. around the "_er" label) under which minimization isn't recommended anymore, and put that as a suggestion into the text? > The reporting resolver MUST NOT report about queries and responses > from an encrypted channel (such as DNS over TLS [RFC7858 <https://datatracker.ietf.org/doc/html/rfc7858>] and DNS > over HTTPS [RFC8484 <https://datatracker.ietf.org/doc/html/rfc8484>]). I believe this needs some explanation at least (in the text, ideally). The failing query triggering the report is towards an authoritative server (i.e. unencrypted), and the reporting queries do not really carry more information. They may travel by a different path, but on the whole I can't see significant motivation for the paragraph, especially in "MUST NOT" form. > This method MUST NOT > be deployed by default on reporting resolvers and authoritative > servers without requiring an explicit configuration element. I'm not so sure about forbidding this on resolvers so strongly, but certainly OK if the WG prefers it that way. (On auths it wouldn't make sense to enable by default; what agent?) If the error-reporting is meant really seriously, I'd rather improve the mechanism to never induce significant overhead and encourage enabling it by default on resolvers (at some point). To make the error-reporting work, you need noticeable commitment to deploy on both sides, because otherwise the perceived benefit from deploying might be quite low. On resolver side, I believe that it will be quite rare for operators to tweak such highly technical options[*]. So if this MUST be off by default, you at least need commitment from some significant operators - say, I'm not even sure if Quad9 by themselves would suffice to bootstrap this. --Vladimir | knot-resolver.cz - - - [*] and I support that. I'm a big proponent of defaults. They should work as good as possible, and deployments should operate as close to defaults as possible.
- [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-re… internet-drafts
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Paul Hoffman
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Bill Woodcock
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… libor.peltan
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Roy Arends
- Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-dn… Brian Dickson
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Vladimír Čunát
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Matthijs Mekking
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Petr Špaček
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Vladimír Čunát
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Vladimír Čunát