IETF Logo Mail Archive

Re: [DNSOP] Ben Campbell's No Objection on draft-ietf-dnsop-resolver-priming-09: (with COMMENT)

"Paul Hoffman" <paul.hoffman@vpnc.org> Tue, 06 December 2016 19:08 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8188129ADC; Tue, 6 Dec 2016 11:08:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ivvf89V3Rno4; Tue, 6 Dec 2016 11:08:57 -0800 (PST)
Received: from mail.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE3D2129AF8; Tue, 6 Dec 2016 11:08:27 -0800 (PST)
Received: from [10.32.60.83] (50-1-51-163.dsl.dynamic.fusionbroadband.com [50.1.51.163]) (authenticated bits=0) by mail.proper.com (8.15.2/8.14.9) with ESMTPSA id uB6J80X4094860 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 6 Dec 2016 12:08:01 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: mail.proper.com: Host 50-1-51-163.dsl.dynamic.fusionbroadband.com [50.1.51.163] claimed to be [10.32.60.83]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: The IESG <iesg@ietf.org>
Date: Tue, 06 Dec 2016 11:08:25 -0800
Message-ID: <339F67B8-B76F-469C-9E22-8EAB8B2E672B@vpnc.org>
In-Reply-To: <148046227837.11642.8747586791761273945.idtracker@ietfa.amsl.com>
References: <148046227837.11642.8747586791761273945.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.6r5310)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZD1jMV4R1JrKgnwBuQ8U0x5RmyE>
Cc: dnsop@ietf.org, dnsop-chairs@ietf.org, draft-ietf-dnsop-resolver-priming@ietf.org
Subject: Re: [DNSOP] Ben Campbell's No Objection on draft-ietf-dnsop-resolver-priming-09: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2016 19:08:59 -0000

Thanks for your comments and for having no objections to the document. 
This message follows up on the comments.

--Paul Hoffman

On 29 Nov 2016, at 15:31, Ben Campbell wrote:

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> In section 3.1, is there a reason the requirement in paragraph 2 does 
> not
> get a 2119 keywords, when the requirement in the first paragraph does?
> They seem similar in impact.

The paragraph is:
    If a priming query does not get a response, the recursive resolver
    needs to retry the query with a different target address from the
    configuration.
The "needs to" is there because it describes the steps given in RFC 
1035. It does not create a new requirement.



On 30 Nov 2016, at 6:06, Stephen Farrell wrote:

> - intro: References for directions that fail "disastrously"
> would be good, if only to decrease the chances that other
> implementers choose known-bad approaches.

Documenting worst practices is usually not part of a BCP. :-) We will 
modify the sentence to give a common example of a bad practice.

> - section 5, 2nd para: such an attacker can also see what
> queries are being emitted by the resolver, and, in the
> absence of qname minimisation, that can be quite privacy
> sensitive. I think it'd be well worth noting that with a
> reference to RFC7816 as a possible mitigation.

This paragraph is about the priming query, not about future queries. You 
cannot do QNAME minimization on the name of the root (a null string), 
nor would you want to.


On 30 Nov 2016, at 9:24, Terry Manderson wrote:

> I also support Stephen's request to identify the scenarios in which 
> "Some
> implementers have chosen other directions, some of which work well and
> others of which fail (sometimes disastrously) under different
> conditions." An appendix would be fine IMHO.

See above.

> Given you raise some (awareness) issues in the security consideration
> section, if an administrator implements RFC7706 would that alter any 
> of
> those concerns? (admittedly, potentially buying others that are well
> documented in 7706)

RFC 7706 did not deal with priming queries, and in retrospect probably 
should have. I think adding security considerations to this document 
about RFC 7706 might be a bad idea, but maybe a rev to RFC 7706 would be 
good.


On 30 Nov 2016, at 22:48, Spencer Dawkins wrote:

> I find myself curious about both SHOULDs in
>
>    Resolver software SHOULD treat the response to the priming query as 
> a
>    normal DNS response, just as it would use any other data fed to its
>    cache.  Resolver software SHOULD NOT expect exactly 13 NS RRs.
>
> Do you think these SHOULDs (especially the first one) are required for
> interoperation?

Yes.

> I'm wondering (1) why they aren't MUSTs, and (2) why RFC
> 2119 language is actually needed at all. If they are RFC 2119 SHOULDs,
> what happens if the resolver software violates them?

We cannot tell. For the first one, if a resolver treats the response to 
the priming query in a special way, we don't know what "special" means. 
For the second one, if a resolver expects exactly 13 NS RRs and gets 
fewer, we don't know what it will do (fail to come up? retry 
incessantly? ...?)

v2.23.0 | Report a Bug | By Email