[DNSOP] Re: New Version Notification for draft-tdj-dnsop-associated-prefixes-for-domains-00.txt
Ben Schwartz <bemasc@meta.com> Mon, 14 July 2025 22:59 UTC
Return-Path: <prvs=3290970721=bemasc@meta.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 01FD44414307 for <dnsop@mail2.ietf.org>; Mon, 14 Jul 2025 15:59:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.793
X-Spam-Level:
X-Spam-Status: No, score=-2.793 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=meta.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jjJjYCUgkuqn for <dnsop@mail2.ietf.org>; Mon, 14 Jul 2025 15:59:57 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) by mail2.ietf.org (Postfix) with ESMTP id 274A344142F6 for <dnsop@ietf.org>; Mon, 14 Jul 2025 15:59:56 -0700 (PDT)
Received: from pps.filterd (m0148461.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.18.1.2/8.18.1.2) with ESMTP id 56EMgCxT016935; Mon, 14 Jul 2025 15:59:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=meta.com; h=cc :content-type:date:from:in-reply-to:message-id:mime-version :references:subject:to; s=s2048-2025-q2; bh=J8lU2bk94ttCBmcrEGVM Kxi7zKj9Rj//VD1QHaDksy0=; b=CpBwQpQDki5Hrdcdj//f7S56AsciBR0+T/yw 4OKStxVwt/AbyQmNTsjye15ZNasKnmdbSQOB+ody0AeO6kJoohrQTFjIKA7KGTrR rXu+T6dhh/QTmLqxK8ekIqDup7wyZuFCFJ5nAykRqV6TrKyvE44n31u/NRs/Q27L nETbSeKwZwoqtQatQoPr3ypYArNHZPcL8asdyG/TLx4lNwKR2zaOdesOJdiv8T+g lGyeENNRFJmYgGlIpmcC4ddIT61+mdsO6wRJcCfkVT7TPqEMPuNMXNzjSi0fk4qa I00GC4ca9XbxyuMtdxC3DDL6DdsCc24g+3Y+z1HniOTs7Q370A==
Received: from nam12-bn8-obe.outbound.protection.outlook.com (mail-bn8nam12on2058.outbound.protection.outlook.com [40.107.237.58]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 47w743htn5-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 14 Jul 2025 15:59:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=YYJTr1HknmrSFc4OwpvqyZwxXaoHkwE7Z73kGe3rfe/pNJ8cnOH1tQvHjO30VmAy19QH309+W+9Nv+ugtcOcv3qYYgF0sgA9jvzdnwEoefh8VgwM3kL7hh+fJSKLobOywbULW96hFOEx6sSWizxhn7GsdhLD9sfjaoT0p8JV7z1TAMaiSexWxklReWhv/gcaIvq9/WdgVJbkZcfcpLB0MLjoNRJ1SrP1q0aKSMfVDYVGW4+QMMdOBILLDb81DhrFt2eyn/yQpMW5e+ZWWM+sWAuJq+EBj6ISI90lHAAGnN4O/J4dc2DrHIobbtCkjjgKZBxJdygW76SmIUJfDS1H6g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=J8lU2bk94ttCBmcrEGVMKxi7zKj9Rj//VD1QHaDksy0=; b=AQBgwKT/UmIuWLBkfMtg4pkB2AdeTNjX+gsztTRojBhSc7o+s+S4JQlpeZ0vnXsKgO5vkqtPLYVW5AgHvFfwdAbnV2MSOH2Ia8LSKfLtct7HWZ4H3HVk54cEp6+0aE14QL6+XndREfN2dgx40zHJQ96D4NzTyPtmiaO+H2mKiNulybArLLkuPgFS31hSUxGUcx7g6PHsjIB76bnT1xcaki46A0G878V/Qi+1RK0cnZ+wxcOwKn9IEUrjAEkC1OD11lSQ50k21DbxD10KgO9LsyMnmQfxeejHYOxOKAXT8xaJx7XZPAZVbArMVrEzFhotf09zQULdNcjD8SOixgzoLA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=meta.com; dmarc=pass action=none header.from=meta.com; dkim=pass header.d=meta.com; arc=none
Received: from DM6PR15MB2361.namprd15.prod.outlook.com (2603:10b6:5:82::33) by PH0PR15MB4575.namprd15.prod.outlook.com (2603:10b6:510:89::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8922.33; Mon, 14 Jul 2025 22:59:50 +0000
Received: from DM6PR15MB2361.namprd15.prod.outlook.com ([fe80::33bb:f6d1:d19f:95b6]) by DM6PR15MB2361.namprd15.prod.outlook.com ([fe80::33bb:f6d1:d19f:95b6%7]) with mapi id 15.20.8901.033; Mon, 14 Jul 2025 22:59:50 +0000
From: Ben Schwartz <bemasc@meta.com>
To: Tommy Jensen <tojens.ietf@gmail.com>
Thread-Topic: [DNSOP] New Version Notification for draft-tdj-dnsop-associated-prefixes-for-domains-00.txt
Thread-Index: AQHb8B2FZNc5xNt620Wk9LhMexkPmrQwjWwAgAG4TgA=
Date: Mon, 14 Jul 2025 22:59:50 +0000
Message-ID: <41AA8A7E-C8CF-4E93-A0F1-00EAB5094902@meta.com>
References: <175183418815.1744815.1561666887911963527@dt-datatracker-6fcb845cd4-p6tkq> <41f5c0ca-4b2d-467c-9173-ae23c03cca5d@gmail.com> <DM6PR15MB23616BCBB3197EE17B91DB31B34FA@DM6PR15MB2361.namprd15.prod.outlook.com> <dc3a2afe-3ef2-47bd-add8-37aca529dfb2@gmail.com> <DM6PR15MB2361CE9FFC138A175EB130A8B34FA@DM6PR15MB2361.namprd15.prod.outlook.com> <539ba166-aa60-4b59-bd2b-5af5a81c2b35@gmail.com> <8CE1EC18-B4EC-49B5-9B14-E5942A8F0997@meta.com> <e714e885-f5ef-420b-9144-2a7b24513649@gmail.com>
In-Reply-To: <e714e885-f5ef-420b-9144-2a7b24513649@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR15MB2361:EE_|PH0PR15MB4575:EE_
x-ms-office365-filtering-correlation-id: 5bc16155-faae-4411-f288-08ddc32a237f
x-fb-source: Internal
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|10070799003|366016|1800799024|376014|8096899003|38070700018|13003099007|7053199007;
x-microsoft-antispam-message-info: 58dHuP9NuOMYql/DHvWnFWzP4kq9YO6tbI9sesxF4Fmh5Auc/I6huivq1BiDo1n+ofwskIa3Pehl6CJlZo/EjbqqNh2hXtwxg45CSEURSfdeAt68+ApbdvuM0kKX/anSIMLPVUa8N3AY0rJuiXBWZ0kGOndzizleRHap0sejXiKh3cL+OhH8HvxDApDWxaLV7DbG7G/lFrT3T4Rt3Amvivlbo7vEk4+JqwUtUEgHZXVPLn8ck11ukqApPVftDxWvAtEFhuOrOhNdDXrxdVXUCn8KE+Ggcog/Q4JXXWn0vOSeJUui94XryqJsBSBlTgWXYV+C5InHSs3eT1cakp7XUn+NkYr9b7LtY2Lp9WM9mjpBhRi+r/I68EZUE2HGC1ErKFveRFTMLMcihHip/wOxjLYd9jEDGrjl3ZRYUmyqXkb2IvwGmZs5QVK6Jx0MyAOchELMlkDEyA01hrQFsQcm1bG0pjB7I4Ud+piFa3oa9tYVVj+h5YKJKtREj6G3ud7lMMTbeKHkQNKMLk7MqB6hqLP6hr/h1GNcGQfB41ObyyFMqlbkI/Am4XIL9Dbgrq/ZbxVi1MpNRSGDYpbL1+HAkgGqNRaVpldaRmOiocE+KGKfbr4qlRTIavAyGULYHrbpgK/VePnRDHQfLDZcwzneF2Wya8w3Fx6l9XIUaro7YA52U7w1P6muP6ZeBpb7e+zkxepQh5BhOuwn5r6SBbB2Fm0ge0NJQM6GJ8BOQ9BGhgVuEFlYucz5zyBTr5qPL2JWgbSLNnDDLXEZVD/SIZQQGMsp8zkZt0A7egpki3VjCewQRuzhQ0GBnbYp5QQbjINCFVer3Y2AE/8S5VS/p21cMimVb0bVFyRL9t++w4o5WSLb7LFzIT3SzVTXeDgLmNDaEM1Goytq4PlsbYDGEKsG9nwDlYvYsFMFIaqLy2zX8uAfY96ESAAA54jefcD7GYPw8aY4xGuwc6oVndPg31EJU0/Qhu7qSm23b9rRX6UpnKFD2WX6xzzR/D02MGbxph8TGk1bwMkg75rPRri9wYlWLTjLdPpBt4C18lS8i0x1rlPF3gnVgg2GdgxsepZfqr8SzTMYA3/CX9jzzz/296IaIEY/ck813GvPJyPYxPGd7TgV+NovGRoZ4TMpotGclbmSAkDhoiUf+zUg/RfuAeuwKxZ4BNnCLxDylFYTqCqg2Vhn7YR8+uwrUwe7X3Oj/v61PUfqEhoqpNSuF98LAmskRpqj2xK10GWTuwmnhdyIc/H64FD7Qhw7nrM2s4pgAtm3/ZowWcve3EnLHGWuaswDbNantfJLFyHt4XC2ZmfuHB+rjJV7oJZhq6kJo6w5IYF3qlrvqNSts5bTrFc+nO2dbQHd3s00hQMD8JkYO4+2EeXUBTCQskhmujzuBy/CU9U0S63N9z+i+cMCwt1rxBGkut2YyXA0Ynx9qpzhmI0qbI8=
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DM6PR15MB2361.namprd15.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(10070799003)(366016)(1800799024)(376014)(8096899003)(38070700018)(13003099007)(7053199007);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: +XdV7AFQUPlUV9lbgLoIkqx3VSXUSDXwPk6iS/x+MEnDoI8hKXXjCBXJXWj5wostUnlMR8mhMNAjtm3/G5vXWkeORgHc2Vykd9P/Y/yXXkoUshnXdReKBz/KJOgaLUvDHC6X/Ujkiau5YLmAhqVEI1mWBzs7c8gLxWztTX0HYh5wOj9kzqxhzArWDJXXNuuuIzEuX3QSVtMOkV4M7q9yqwJkaiLmdc98OXW6nJIDRAQQhb28/GdK2HTBMEioF4n2JBM0I9AR6Y6MvZ4T080/hs1f8ijvIPYZUxdCYGtSMiajNZIK593GiTvE0WmIdrTU+t+yD6fRoffMBxppd8gRcl28pTCetQxWjSYywQ5a+c6KNZpTm8813dLnzbGfp9B8KxgZBSwezBRSuWAWG4fQVFQMYyJ4fwWg8UoMghusOw9EnKXiK093D88XjX3hIuvhWM8nP/NJGeDncnfAVcZKOvw32pWF9230EjAwTI00SDRsWL0ByATSiTIbU2whSNkm6CQU+nd2Pvqf7wEb1NnX7tgHtTWrS66xZny2t4xXVzhujn/T6Px31AEwHGbt/nUSgULaWwmyXE8sIlzARP9D1cs9kG5STnPoK8vrRjwpPd4K6lCGVQCT7i65voUlBznXLcyDF0RH1L5fA37iWHNGBHAawaloLO8dIDryM4fM8xEwLlF2Q04DpRcCuNNaRZDFj0E9kwxDs1nWLavcNrLi1BVaC8MsQcPP9OTMdR32Tj9LFLPTXY8IIRxmUabHCi7d+5yfRDeDbduX+yBd3Ke9zi/jM1hZIH/I16R3r48axmj1TpQXGVXPbVA4uNeeprxdikdvpO4B7T65vwCgNVBMWmin1acaGNWVQlbmLUYdGDOWigK3px+b0ECsQg6X5wmeO0IfC5cBxinDgAAKBX0KssQQVSbeEOlSCxw2vkUsIwKowIqeSWOXJtCzqmW799BptvRAc8VqYcltrOpYSlkVCuKQsUzFa/bMYU+KvhkiUZQ0/tcSb4wDjU6EVtHL8K4lcYQgH6KIabrXhg/rb6VmxJiyQgEhkKKJNqaJUJ0+E9hrCQlXN77kUgDE6wI7ljpDC0Xcr7mH4iOdAm5iwE6pQ7esqdikHm1d20CbHV4l+w0qD2CvSdVT4epu3BoabwG6p98Qb6FXFh9oa5gO9F0hVOwL/uijLz9+N6oi6FBK7/KfYb8RwBXa6zorYRYDg4Y5B7khmGKzevngbtgcNxFlGwVl3bBUvjBq1iIJbAlg5Vpl+QforzEDx+bu+S8Qt51PZS/Cw/ZqqgSbMJMScEzkJFmFk+06TmiudOcBtehiQfaKRZ+wyJs0kVyfY/dZPIj5oiMH5ngCgpBPm8sW5QXnh9YOFYvEtRdnS2vjwAJY5BgTy3rMCx6ODLpI7Ye+LK11BfJZ9EqKnnUqqW2L9ihCIoevjRp2kP01OvrCzErkuAoS6fRTF2DCJmkPZMRwL15bf4QQPEqb2QHM6haZ1pf2DBHw2TcoYar+DuJTh/b57qT3HAZPZHXkpTcZZd5eRsP9SoX+ldU+EsEpJbDoFgigyvS3TgMXT50zTmeMdiXJ0l2DpJDNfMIgdVjtB1rz4hqydgcpSuphOcFfcxOlv516LeyTFW0uVrtNYkW+B0UPgA1eHgUrsmv8mQh0A9RdLcCo
Content-Type: multipart/alternative; boundary="_000_41AA8A7EC8CF4E93A0F100EAB5094902metacom_"
MIME-Version: 1.0
X-OriginatorOrg: meta.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR15MB2361.namprd15.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5bc16155-faae-4411-f288-08ddc32a237f
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2025 22:59:50.7479 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: N7qmyedWS0Z1LIBPx667PBXvxHzrh73XVvCZv/0Wagb2r8XvKzX5ulYAl9fl/Soj
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR15MB4575
X-Proofpoint-GUID: 3vSIvmSNCu2H5BE1ysNfkm6BRK1PbC0M
X-Proofpoint-ORIG-GUID: 3vSIvmSNCu2H5BE1ysNfkm6BRK1PbC0M
X-Authority-Analysis: v=2.4 cv=Et7SrTcA c=1 sm=1 tr=0 ts=68758be9 cx=c_pps a=v3uwRdJz/LzFJJSJ0Q8Vdg==:117 a=lCpzRmAYbLLaTzLvsPZ7Mbvzbb8=:19 a=wKuvFiaSGQ0qltdbU6+NXLB8nM8=:19 a=Ol13hO9ccFRV9qXi2t6ftBPywas=:19 a=xqWC_Br6kY4A:10 a=Wb1JkmetP80A:10 a=vggBfdFIAAAA:8 a=QDMGMP2zAAAA:8 a=pGLkceISAAAA:8 a=A1X0JdhQAAAA:8 a=SwcmUKYSdRZHpIdXGqUA:9 a=QEXdDO2ut3YA:10 a=hFSpOlezQQAA:10 a=VabnemYjAAAA:8 a=UqCG9HQmAAAA:8 a=3FMNNS47gEbpE6M-y_YA:9 a=OhbAWFLAHwz1fftj:21 a=_W_S_7VecoQA:10 a=gKebqoRLp9LExxC7YDUY:22
X-Proofpoint-Spam-Details-Enc: AW1haW4tMjUwNzE0MDE2MCBTYWx0ZWRfX6lRqZN+gRCJC VXa3P8HtkSqB8u4LjBuxs63GBphC9RNdd4nq+41BBoYNR8fETFmZdlnVKxOsuo9ZtuleRlvH92X 8ZAv7+nWOgkNVcoLhs+ypWNa+TdSBFo8xtTa5niOzphxgNa4A6z+bnhaFZX3kpYFeJAgQ0DhllH /5njRlL1s+6PN+zv3MiMjI/1k3K1OoANatpTqJLCrLOJSA20SO6ih7w2wG2aqe+rWZTaiQsr0qS Hd4nukXMp5ICVJspbFVv9ZWvMwVgh16PgcwOO1lCF7R/O3KZ2t0PudCOOZo3Kz4qSHjIo9Z3Txz IK9igZfZWarYTB04gnDCKcchxXeCMcYA8/YRcF7EM5iEnoAop7ckNqEnFHasvQYyjdAo0FfF41A XASUrvJ+EeOjQL7fDlnDoGU+KICd6oZTTBgRsclqWnNrTo7UHGSwb3rKj4NqtRWE0jKtvvgP
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1099,Hydra:6.1.7,FMLib:17.12.80.40 definitions=2025-07-14_02,2025-07-14_01,2025-03-28_01
Message-ID-Hash: CBHG3YJGCZCP4FENN4NMXBQNAZ2SI3KQ
X-Message-ID-Hash: CBHG3YJGCZCP4FENN4NMXBQNAZ2SI3KQ
X-MailFrom: prvs=3290970721=bemasc@meta.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "dnsop@ietf.org" <dnsop@ietf.org>, "david.ietf@adamnet.works" <david.ietf@adamnet.works>, John Todd <jtodd@quad9.net>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: New Version Notification for draft-tdj-dnsop-associated-prefixes-for-domains-00.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/X92gXrfpF0YVdCrtwoxfzyWBecc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>
On Jul 13, 2025, at 4:43 PM, Tommy Jensen <tojens.ietf@gmail.com> wrote: ... For logging and audit purposes the standard practice is to use PTR records, which are more precise than CIDRS and have clearer semantics. Tying into what I've said further down about : this implies JIT queries at every connection. For enforcement, this introduces unnecessary latency at connection time wherever this is introduced versus the ability to independently refresh the candidate CIDRs that can JIT be consulted as a local cache. The proposed semantics in the draft are not equivalent to what is achieved using PTR records. Perhaps that relationship could be adjusted. For example, if a CIDRS record means “all addresses in these ranges carry PTR records that fall under this name”, that would be easier to understand than something about application behaviors of clients that resolve the owner name. ... When I create an IP addressed based firewall rule, I did so based on some assumption such as a reputation lookup (is this ASN trustworthy?). That is history, unless someone out there is re-consulting ASN reputation JIT. The concern I was expressing here was about complex, surprising, hidden state (“hysteresis”) based on previous local activity. “ASN reputation" state feeds the configuration, so it should be legible to the administrator. If someone asks the helpdesk “why can’t I ssh to 2001:db8::1 anymore", and the answer is “you need to re-run ‘dig ssh.example.com’ first to re-prime the firewall”, this is a bad firewall design. ... It also messes with DNS (which is a lookup protocol, not a signaling protocol). For example, it creates perverse interactions with DNS stub caching, which one might have to disable in order to generate the DNS query activity that will cause a block to be lifted. Implementations may end up doing this, sure, but it isn't inevitable. I know my previous employer's implementation of DNS-based allowlisting has a long-term approval time period that well exceeds most TTL values, because in real life, everyone continues using resolutions for as long as possible. Breaking connectivity just because a cache was cleared (for any reason) was deemed unacceptable. In other words: this is up to the implementation of the enforcement. This seems like a great example of how this is going to fail in nasty, confusing ways. QUIC connections will happily live for days, for example, but this mechanism means that _sometimes_ those connections are going to fail because of an invisible timeout. Those failures will probably exhibit blackhole behavior, resulting in an outage (of probably at least 30 seconds) while the connection attempts to get through, eventually gives up, and falls back to an application-level reconnect (which may also be user-visible). No matter the mechanism used, any attempt to validate a policy decision point's opinion on the access rights of a given destination are more and more encouraged to be time bound. I'm not buying "momentary need to reconnect" once per ones of days as an argument against anything in common networking scenarios. This could easily mean that my client hangs for 30 seconds every morning when I sit down at my workstation. How would a policy decision point decide to revoke permission to access a given network segment if a node in that segment is known to be compromised if it's afraid it might break a long-running connection? Presumably by re-checking the permission instead of revoking it. This is the problem I’m trying to highlight: the firewall doesn't maintain its own state in this design, but only updates it as a side effect of the client’s DNS activity, which was _not_ designed for this purpose (and therefore lacks support for things like “refreshing the lease”). ... When an app developed by Foo Enterprises offers data backup integration with DropBox, OneDrive, or whatever else, is Foo Enterprises supposed to push app updates when they divine that DropBox or Microsoft changes their associated CIDRs? No, it’s supposed to use DropBox or Microsoft endpoints by their domain name, as is the norm. That would be ideal, but not in line with real-world expectations, similar to saying all uses of remote IP addresses must be A/AAAA values for a domain name. That seems like a fine rule for an ultra-paranoid enterprise network that wants to allowlist access by domain names. ... Your step 3 brings me back to this draft. Communicating these IP addresses to the firewall, wherever it resides, is simplified if the CIDRs for a name (the thing consistent access policy is referencing) can be looked up rather than regularly scraped manually from a hodge podge of sources. Manual firewall config by the admin is very different from what I see in this draft, which appears to rely on monitoring of the client’s DNS queries to trigger a fetch for the associated CIDRS records. Perhaps I’m not understanding your intended use case correctly. For manual firewall config, I would strongly recommend leaving DNS out of this entirely, and instead use a URL for a JSON blob like AWS does: https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-syntax.html. That avoids the need to assume one “service” per domain name, DNSSEC, etc. The majority of use cases I directly learned about are under NDA, but one easy example that isn't is WhatsApp. Predictable domain name lookups followed by contact to hard-coded IP addresses. Why? From what I’ve seen of the various types of entities and their goals, I don’t think WhatsApp is going to be a good motivating use case for this draft. (See e.g. https://faq.whatsapp.com/1299035810920553) —Ben
- [DNSOP] Fwd: New Version Notification for draft-t… Tommy Jensen
- [DNSOP] Re: Fwd: New Version Notification for dra… Ben Schwartz
- [DNSOP] Re: Fwd: New Version Notification for dra… Tommy Jensen
- [DNSOP] Re: Fwd: New Version Notification for dra… Ben Schwartz
- [DNSOP] Re: Fwd: New Version Notification for dra… Tommy Jensen
- [DNSOP] Re: New Version Notification for draft-td… Ben Schwartz
- [DNSOP] Re: New Version Notification for draft-td… Tommy Jensen
- [DNSOP] Re: New Version Notification for draft-td… Ben Schwartz
- [DNSOP] Re: Fwd: New Version Notification for dra… Petr Špaček
- [DNSOP] Re: Fwd: New Version Notification for dra… Ben Schwartz
- [DNSOP] Re: Fwd: New Version Notification for dra… Michael Richardson
- [DNSOP] Re: Fwd: New Version Notification for dra… Michael Richardson