Re: [DNSOP] Alias mode processing in auths for draft-ietf-dnsop-svcb-https-01

Mark Andrews <marka@isc.org> Wed, 12 August 2020 01:16 UTC

From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHbrMsA3JyVR5PKGv9r99P9yoaFF5veskfqRnOMu1+V-61-02w@mail.gmail.com>
Date: Wed, 12 Aug 2020 11:15:58 +1000
Cc: Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Brian Dickson <brian.peter.dickson@gmail.com>, Pieter Lexis <pieter.lexis@powerdns.com>
Message-Id: <1CC367DE-4C2A-437C-9305-A57C072127D1@isc.org>
To: Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YTw1CNRELEJh56ubBbQboS-9sBw>


> On 12 Aug 2020, at 10:25, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> 
> On Tue, Aug 11, 2020 at 6:18 PM Tony Finch <dot@dotat.at> wrote:
> Ben Schwartz <bemasc=40google.com@dmarc.ietf.org> wrote:
> ... 
> > In this procedure, "all returned records" for follow-up queries are added
> > to the Additional section.  Therefore, there could be SOA records in the
> > Additional section.
> 
> I thought the target types were just A, AAAA, SVCB, so where does the SOA
> come from?
> 
> If one of the follow-up queries for those types returns NODATA, there could be an SOA in the Authority section.  "all returned records" includes all sections, so it would be copied into the Additional section (in this procedure). 

The negative caching of NODATA/NXDOMAIN indication is tied directly to the QNAME, QTYPE and rcode.  In the Additional section there is such linkage.  See RFC 2308.

If I have "example.net SVCB 0 www.example.net" and "example.net SOA …" what exactly does the SOA record mean?
There are no records at www.example.net?  There is no SVCB record at www.example.net?  There is no A or AAAA record at www.example.net? There is no CNAME at www.example.net?  What if one can’t fit some of these RRsets but can fit a SOA?

What happens when you know there isn’t a SVCB, have an A RRset and know nothing about AAAA?  Do you add the SOA or leave it out?  If you add it then what does it imply?

If one wants to have negative answers included in the additional section, then I would suggest defining an EDNS option that returns <SOA Record sans class and rdlen><target name><rcode><typelist-if-nodata> for unsigned zones and NSEC/NSEC3 negative data proofs for signed zones and require clients to be DNSSEC aware.  RFC 2308, while it doesn’t state it, only adds SOA records so non-DNSSEC clients/non-DNSSEC zones will get a cacheable response.  There is enough information in the NSEC/NSEC3 proofs to maintain negative cache entries if all clients were DNSSEC aware.

> On Tue, Aug 11, 2020 at 6:38 PM Tony Finch <dot@dotat.at> wrote:
> ....
> 
> > It seems to me that returning a (downward) delegation could actually be
> > useful.  So why not include that?
> 
> Additional section processing does not normally include referrals.
> 
> Do you know why not?  It seems like a logical thing to include, if you predict that the resolver will be making a followup query for which you have a delegation.


> That
> would be weird and new. I thought the point of the SVCB record was to
> appear to existing auth and recursive DNS servers as much as possible like
> a bog standard RR type, i.e. just wire and presentation format and a bit
> of normal additional section processing.
> 
> Is there a standard for "normal additional section processing"?  My impression is that it is RR-type-dependent, so defining what should go there is in the purview of this draft.
> 
> Which is basically what the draft
> says now, though it unnecessarily respecifies additional section
> processing.
> 
> Yes, the intent is to work well with "normal additional section processing", but Pieter and Brian requested some behaviors or clarifications in this thread, related to CNAME and SOA records, that are either unclear or not supported with "normal additional section processing".  Hence this proposal, which would leave us in the following position:
> * Auths are not required to do any additional section processing
> * Auths SHOULD do some kind of additional section processing, details unspecified
> * Auths MAY do this specific form of additional section processing, which follows CNAME chains, enables negative caching, and (maybe) even provides referrals when appropriate.
> 
> Do you think this proposal would not actually work?  Or do you think that it is simply too inconvenient to implement?
> 
> I would also like to hear Pieter's perspective, since the proposal is based on his request in this thread.
> 
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Mull of Kintyre to Ardnamurchan Point: Variable, mainly north or northwest, 2
> to 4, occasionally 5 near the Mull of Kintyre and Tiree. Slight, occasionally
> smooth in shelter, becoming slight or moderate later. Fog patches developing.
> Moderate or good, occasionally very poor.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
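
Added example, not part of the original message or of any DNS implementation: a small Python model of the RFC 2308 keying discussed above, showing that an SOA in the Authority section maps to exactly one negative cache entry while an SOA copied into the Additional section next to an AliasMode SVCB answer admits several readings. The `RR`/`Response` tuples, the function names and the sample records are constructed for illustration, and CNAME chains are not modelled.

```python
from collections import namedtuple

# Simplified, constructed model: an RR is (owner, type, ttl, rdata).
# For SOA, rdata is only the MINIMUM field; for SVCB it is (priority, target).
RR = namedtuple("RR", "owner type ttl rdata")
Response = namedtuple("Response", "qname qtype rcode answer authority additional")

FOLLOW_UP_TYPES = ("A", "AAAA", "SVCB")  # target types named in the thread


def negative_entry(resp):
    """RFC 2308 keying: an Authority SOA takes its meaning from the question."""
    soa = next((rr for rr in resp.authority if rr.type == "SOA"), None)
    if soa is None:
        return None
    ttl = min(soa.ttl, soa.rdata)  # negative TTL = min(SOA TTL, SOA MINIMUM)
    if resp.rcode == "NXDOMAIN":
        return (resp.qname, None, "NXDOMAIN", ttl)  # name does not exist, any type
    if resp.rcode == "NOERROR" and not any(rr.type == resp.qtype for rr in resp.answer):
        return (resp.qname, resp.qtype, "NODATA", ttl)
    return None


def soa_readings(resp):
    """Enumerate what an Additional-section SOA could assert about an alias target."""
    if not any(rr.type == "SOA" for rr in resp.additional):
        return []
    readings = []
    for svcb in (rr for rr in resp.answer if rr.type == "SVCB" and rr.rdata[0] == 0):
        target = svcb.rdata[1]
        present = {rr.type for rr in resp.additional if rr.owner == target}
        if not present:  # nothing returned for the target: the name may not exist
            readings.append((target, None, "NXDOMAIN"))
        readings += [(target, t, "NODATA") for t in FOLLOW_UP_TYPES if t not in present]
    return readings


# Constructed sample responses.
SOA = RR("example.net.", "SOA", 3600, 300)
DIRECT = Response("www.example.net.", "AAAA", "NOERROR", [], [SOA], [])
ALIAS = Response(
    "example.net.", "SVCB", "NOERROR",
    [RR("example.net.", "SVCB", 300, (0, "www.example.net."))],
    [],
    [RR("www.example.net.", "A", 300, "192.0.2.1"), SOA],  # A known, AAAA unknown
)
```

A cache can act on `negative_entry(DIRECT)` because the result is a single (QNAME, QTYPE, rcode) key; `soa_readings(ALIAS)` returns more than one candidate for the case where an A RRset is present, so the SOA alone does not say which of them is meant.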