Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-capture-format-05.txt

Richard Gibson <> Thu, 01 March 2018 03:52 UTC

To: Jim Hague <>, Sara Dickinson <>, IETF DNSOP WG <>
From: Richard Gibson <>
Date: Wed, 28 Feb 2018 22:52:13 -0500

On 02/28/2018 12:21 PM, Jim Hague wrote:
> We'll discuss this. We absolutely meant for negative keys to be
> restricted to closed systems. Allowing string keys in addition is an
> interesting idea; off the cuff, I wonder whether folk will want to pay
> the file space penalty.
The cost of interoperability. An understandable concern for raw files, 
but repetitions of the same string keys would compress extremely well.
>> * Section StorageParameters fields "opcodes" and "rrtypes"
>> could be defined better... are they values /recorded/ (i.e., that were
>> actually observed) or values that are /recordable/ (i.e., that the
>> collection application was looking for)? And shouldn't they be optional
>> (in either case, but *especially* the latter, lest implementations write
>> out every possible rrtype value).
> The intention is that they should be /recordable/ values - in line with
> the rest of the StorageParameters fields, they let a reader distinguish
> values that aren't present because the writer didn't understand them and
> values not present because they didn't occur in the data stream. And
> yes, we're thinking implementations should explicitly write each opcode
> and rrtype they understand.
Especially in our closed system, I don't see us keeping current another 
list of supported RR types. So we'd probably leave the array empty, 
violating the spirit of the spec if not the letter of it. But on the 
plus side, the size of the complete list in CBOR was smaller than I 
anticipated—less than 100 bytes.
> The thinking here is that
> if, say, an rrtype the writer does not know how to decode contains a
> compressed label, it's not going to be correctly handled, and we should
> not be recording potentially known-broken data in the file as not malformed.
I sure hope that no new types violate RFC 3597 section 4. The problems 
with corrupted data in captures pale in comparison to the problems with 
corrupted data in live messages.
> We need to clarify the language. qr-transport-flags is a single bit
> IPv4/v6, a 4 bit number indicating the protocol, and a final single bit
> indicating the presence of trailing data in the query. The protocol
> values are (currently) UDP=0, TCP=1, TLS=2, DTLS=3. We did consider a
> UDP/TCP bit and a !TLS/TLS bit, but felt this (a) might imply a closer
> connection between TLS and DTLS than is the case, and (b) would not
> easily extend to possible future schemes like DOH and DNS over QUIC. So
> we went for a number with sufficient range to add another 12 options
> before trouble happens. We considered breaking the number out to a
> separate integer, but felt that this was likely, in practice, to be
> unnecessary and so space efficiency considerations took precedence.
Thank you, that explanation greatly clears things up and the reasoning 
is sensible. I would recommend updating the text to something like "Bit 
1-4. Transport. 0000 = plain-text UDP, 0001 = plain-text TCP, 0010 = TLS 
[over TCP?], 0011 = DTLS [over UDP?]" (with a note in Section 7.2 that 
bit sequences are presented in descending significance).
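The string-key-versus-negative-key cost discussed at the top of this message, measured rather than estimated. This is an added illustration for the thread, not code from the draft or from any C-DNS implementation: it is a minimal CBOR encoder (the RFC 7049 integer, string, array and map encodings) plus a constructed batch of 500 records that carry one site-specific extension field, keyed once with a negative integer and once with a namespaced text string. The field names, key values and record layout are made up for the comparison and stand in for real C-DNS keys.

```python
"""Compare the on-disk cost of negative-integer map keys against text-string
keys, raw and after zlib compression, using a minimal CBOR encoder.

Added example for the discussion thread; the record layout, key names and
sample values below are constructed, not taken from the draft."""
import zlib


def _head(major: int, arg: int) -> bytes:
    """Initial byte plus argument for a CBOR data item (RFC 7049 section 2)."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    if arg < 1 << 8:
        return bytes([(major << 5) | 24, arg])
    if arg < 1 << 16:
        return bytes([(major << 5) | 25]) + arg.to_bytes(2, "big")
    if arg < 1 << 32:
        return bytes([(major << 5) | 26]) + arg.to_bytes(4, "big")
    return bytes([(major << 5) | 27]) + arg.to_bytes(8, "big")


def cbor_encode(obj) -> bytes:
    """Encode ints, bools, bytes, str, list/tuple and dict (definite-length only)."""
    if isinstance(obj, bool):                 # checked first: bool is an int subclass
        return b"\xf5" if obj else b"\xf4"
    if isinstance(obj, int):
        # Major type 0 for unsigned, major type 1 for negative (argument = -1 - n),
        # so the key -1 costs a single byte, 0x20.
        return _head(0, obj) if obj >= 0 else _head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        data = obj.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(obj, (list, tuple)):
        return _head(4, len(obj)) + b"".join(cbor_encode(x) for x in obj)
    if isinstance(obj, dict):
        return _head(5, len(obj)) + b"".join(
            cbor_encode(k) + cbor_encode(v) for k, v in obj.items()
        )
    raise TypeError(f"unsupported type: {type(obj).__name__}")


# Constructed sample: 500 records with two "standard" fields (integer keys 0
# and 1, stand-ins for real C-DNS keys) and one site-specific extension field,
# keyed either with a negative integer (closed-system style) or with a
# namespaced text string (interoperable style). Values are chosen so that each
# record has a fixed raw size: a 4-byte timestamp, a 2-byte latency and a
# 1-byte bucket number.
EXT_INT_KEY = -1
EXT_STR_KEY = "example-latency-bucket"   # 22 bytes of UTF-8, hypothetical name
N_RECORDS = 500
BASE_TIME = 1519789933                  # seconds since the epoch, fits in 4 bytes


def sample_records(ext_key):
    return [
        {0: BASE_TIME + i, 1: 100 + (i % 100), ext_key: i % 24}
        for i in range(N_RECORDS)
    ]


def size_report(level: int = 9) -> dict:
    """Raw and zlib-compressed sizes of the two encodings of the same data."""
    raw_int = cbor_encode(sample_records(EXT_INT_KEY))
    raw_str = cbor_encode(sample_records(EXT_STR_KEY))
    return {
        "raw_int": len(raw_int),
        "raw_str": len(raw_str),
        "compressed_int": len(zlib.compress(raw_int, level)),
        "compressed_str": len(zlib.compress(raw_str, level)),
    }


if __name__ == "__main__":
    for name, size in size_report().items():
        print(f"{name:>15}: {size:6d} bytes")
```

Raw, the string key adds 22 bytes to every record (12 bytes per record becomes 34). After compression the repeated key is a back-reference to the previous record, so the gap between the two encodings shrinks to a small fraction of the raw difference; the compressed string-keyed file ends up close to the compressed integer-keyed one, which is the trade-off being weighed above.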
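The qr-transport-flags layout Jim describes above, written out as packing and unpacking code. This is an added example for the thread, not code from the draft or from any C-DNS implementation. It takes the layout as given (bit 0 is the IP-version bit, bits 1-4 are the transport number with UDP=0, TCP=1, TLS=2, DTLS=3, bit 5 is the trailing-data bit, bit 0 being least significant) and assumes, since the thread does not say, that 0 means IPv4 and 1 means IPv6. Transport numbers 4 to 15 are treated as reserved for future schemes and reported as unassigned rather than rejected, which is what a reader would need when a newer writer starts using them; bits beyond bit 5 are rejected by default because nothing is defined there.

```python
"""Pack and unpack the C-DNS qr-transport-flags field as described in the thread.

Layout (bit 0 = least significant bit):
  bit 0     IP version        (assumed here: 0 = IPv4, 1 = IPv6)
  bits 1-4  transport number  (UDP = 0, TCP = 1, TLS = 2, DTLS = 3; 4..15 unassigned)
  bit 5     trailing data present in the query

Added example; not the draft's or any implementation's code."""
from dataclasses import dataclass

TRANSPORT_NAMES = {0: "UDP", 1: "TCP", 2: "TLS", 3: "DTLS"}

IP_VERSION_BIT = 0
TRANSPORT_SHIFT = 1
TRANSPORT_WIDTH = 4
TRAILING_DATA_BIT = 5

TRANSPORT_MASK = ((1 << TRANSPORT_WIDTH) - 1) << TRANSPORT_SHIFT      # 0b011110
KNOWN_MASK = (1 << IP_VERSION_BIT) | TRANSPORT_MASK | (1 << TRAILING_DATA_BIT)  # 0b111111


@dataclass(frozen=True)
class TransportFlags:
    ipv6: bool
    transport: int        # raw 4-bit number, kept even when unassigned
    trailing_data: bool

    @property
    def transport_name(self) -> str:
        # Values 4..15 are room for future transports (the thread mentions DoH
        # and DNS over QUIC); a reader should report them, not choke on them.
        return TRANSPORT_NAMES.get(self.transport, f"unassigned({self.transport})")

    def describe(self) -> str:
        parts = ["IPv6" if self.ipv6 else "IPv4", self.transport_name]
        if self.trailing_data:
            parts.append("trailing-data")
        return " ".join(parts)


def pack_transport_flags(ipv6: bool, transport: int, trailing_data: bool = False) -> int:
    """Build the integer a writer stores in the file."""
    if not 0 <= transport < (1 << TRANSPORT_WIDTH):
        raise ValueError(f"transport must fit in {TRANSPORT_WIDTH} bits, got {transport}")
    return (
        (int(ipv6) << IP_VERSION_BIT)
        | (transport << TRANSPORT_SHIFT)
        | (int(trailing_data) << TRAILING_DATA_BIT)
    )


def is_well_formed(value: int) -> bool:
    """True if only the six defined bits are set (and the value is non-negative)."""
    return value >= 0 and not (value & ~KNOWN_MASK)


def unpack_transport_flags(value: int, strict: bool = True) -> TransportFlags:
    """Decode the stored integer. With strict=True, undefined bits are an error;
    with strict=False they are ignored, which is the lenient-reader choice."""
    if value < 0:
        raise ValueError("qr-transport-flags is an unsigned value")
    if strict and not is_well_formed(value):
        raise ValueError(f"undefined flag bits set: {value & ~KNOWN_MASK:#x}")
    return TransportFlags(
        ipv6=bool((value >> IP_VERSION_BIT) & 1),
        transport=(value & TRANSPORT_MASK) >> TRANSPORT_SHIFT,
        trailing_data=bool((value >> TRAILING_DATA_BIT) & 1),
    )


if __name__ == "__main__":
    for v in (0b000000, 0b000011, 0b100101, 0b001000):
        print(f"{v:06b} -> {unpack_transport_flags(v).describe()}")
```

Printing the bit patterns most-significant-bit first, as the loop above does, is the convention Richard asks to have spelled out in Section 7.2: the value for "IPv6, TLS, trailing data" is 100101, read right to left as bit 0 = 1, bits 1-4 = 0010, bit 5 = 1.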