Re: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting
Ben Schwartz <bemasc@meta.com> Fri, 23 June 2023 01:27 UTC
From: Ben Schwartz <bemasc@meta.com>
To: Benno Overeinder <benno@nlnetlabs.nl>, DNSOP Working Group <dnsop@ietf.org>
CC: DNSOP Chairs <dnsop-chairs@ietf.org>
Date: Fri, 23 Jun 2023 01:27:21 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZoTFXnyvYYsRB10xj_lSftfBZi4>
I want this draft to move forward, but upon review I noted with concern the security section text:

    DNS error reporting is done without any authentication between the reporting resolver and the authoritative server of the agent domain. Authentication significantly increases the burden on the reporting resolver without any benefit to the monitoring agent, authoritative server or reporting resolver.

Strong authentication (e.g. to a zone identity with DNSSEC) is probably excessive, but the current draft appears to have no defense against even trivial IP spoofing. Anyone in the world who can spoof IP addresses can impersonate a reputable resolver and pollute the error reports sent to authoritative servers. As an authoritative server operator, I would place a lot more trust in reports from reputable resolvers than from unrecognized sources.

I think the draft should probably say something like:

    "To defend against spoofing of source IP addresses used for error reports, reporting resolvers MUST use DNS over TCP [RFC 7766], DNS COOKIE [RFC 7873], or another procedure that defeats IP address spoofing."

--Ben Schwartz

________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Benno Overeinder <benno@NLnetLabs.nl>
Sent: Thursday, June 8, 2023 5:59 AM
To: DNSOP Working Group <dnsop@ietf.org>
Cc: DNSOP Chairs <dnsop-chairs@ietf.org>
Subject: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting

Dear DNSOP WG,

The authors and the chairs feel this document has reached the stage where it's ready for Working Group Last Call.

This starts a Working Group Last Call for: draft-ietf-dnsop-dns-error-reporting.

The current version of the draft is available here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/

The current intended status of this document is: Standards Track.

Please review the draft and offer relevant comments. If this does not seem appropriate please speak out. If someone feels the document is *not* ready for publication, please speak out with your reasons. Supporting statements that the document is ready are also welcome.

This starts a two week Working Group Last Call process, and ends on: June 22nd, 2023.

Thanks,

-- Benno
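The mitigation proposed in the message above rests on one property: a DNS Cookie (like a TCP handshake) can only be completed by a host that actually receives packets at the claimed source address. The model below is an added illustration for this thread, not code from the draft, from the message author, or from any DNS implementation. It runs an honest resolver and a spoofing attacker against a toy reporting agent that counts an error report only when the query carried a valid server cookie. The server-cookie construction (HMAC-SHA256 over the client cookie and the source IP, truncated to 16 bytes), the addresses, and the report name are assumptions chosen for the example; RFC 7873 leaves the construction to the server, and real servers follow RFC 9018's SipHash-2-4 construction with a timestamp and rotating secrets, which the toy omits.

```python
"""Toy model of how DNS Cookies (RFC 7873) keep spoofed-source queries from
being counted as error reports.  Added illustration for the thread, not code
from the draft or from any DNS implementation.

Assumption: server cookie = HMAC-SHA256(server_secret, client_cookie ||
client_ip) truncated to 16 bytes.  RFC 9018 standardises a SipHash-2-4
construction with a timestamp, which this toy deliberately omits.
The IPs and the report QNAME below are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

CLIENT_COOKIE_LEN = 8     # fixed by RFC 7873
SERVER_COOKIE_LEN = 16    # RFC 7873 allows 8..32 bytes


def make_client_cookie() -> bytes:
    """Client cookie: 8 unpredictable bytes chosen by the resolver."""
    return secrets.token_bytes(CLIENT_COOKIE_LEN)


def make_server_cookie(server_secret: bytes, client_cookie: bytes, client_ip: str) -> bytes:
    """Server cookie bound to both the client cookie and the query's source IP."""
    msg = client_cookie + ipaddress.ip_address(client_ip).packed
    return hmac.new(server_secret, msg, hashlib.sha256).digest()[:SERVER_COOKIE_LEN]


@dataclass
class ReportingAgent:
    """Authoritative server for the agent domain; it only counts reports
    whose query carried a valid server cookie."""
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    accepted: list = field(default_factory=list)

    def handle(self, src_ip, client_cookie, server_cookie, report_qname):
        """Return (RCODE, server cookie to send back to src_ip)."""
        if len(client_cookie) != CLIENT_COOKIE_LEN:
            return "FORMERR", None
        expected = make_server_cookie(self.secret, client_cookie, src_ip)
        if server_cookie is None or not hmac.compare_digest(server_cookie, expected):
            # Missing or wrong server cookie: reply BADCOOKIE with a fresh one
            # (RFC 7873).  The reply is addressed to src_ip, so only a host that
            # really receives packets for src_ip ever learns the cookie.
            return "BADCOOKIE", expected
        self.accepted.append((src_ip, report_qname))
        return "NOERROR", expected


def send(agent, real_sender_ip, src_ip, client_cookie, server_cookie, qname):
    """Model the network: the query claims src_ip; the reply goes to src_ip and
    is visible to the real sender only if it actually owns that address."""
    rcode, cookie = agent.handle(src_ip, client_cookie, server_cookie, qname)
    return rcode, (cookie if real_sender_ip == src_ip else None)


def run_scenario():
    agent = ReportingAgent()
    resolver_ip, attacker_ip = "192.0.2.10", "203.0.113.5"   # constructed
    qname = "_er.1.www.example.7._er.agent.example."         # constructed report name
    out = {}

    # Honest resolver: first query carries no server cookie, gets BADCOOKIE plus
    # a cookie, and the retry is counted.
    cc = make_client_cookie()
    out["honest_first"], sc = send(agent, resolver_ip, resolver_ip, cc, None, qname)
    out["honest_retry"], _ = send(agent, resolver_ip, resolver_ip, cc, sc, qname)

    # Blind spoofer impersonating the resolver never sees the BADCOOKIE reply,
    # so it never obtains a cookie and its report is never counted.
    cc_a = make_client_cookie()
    out["spoof_blind"], out["spoof_leaked"] = send(agent, attacker_ip, resolver_ip, cc_a, None, qname)

    # Attacker gets a valid cookie for its own IP, then replays it with the
    # resolver's IP: the cookie is bound to 203.0.113.5, so it is rejected.
    out["own_ip_first"], sc_a = send(agent, attacker_ip, attacker_ip, cc_a, None, qname)
    out["replay_spoofed"], _ = send(agent, attacker_ip, resolver_ip, cc_a, sc_a, qname)

    # From its own, non-spoofed address the cookie works: cookies prove return
    # reachability, not identity, so the report is counted but attributed to
    # the attacker's real address rather than to the reputable resolver.
    out["own_ip_retry"], _ = send(agent, attacker_ip, attacker_ip, cc_a, sc_a, qname)

    out["accepted_sources"] = [ip for ip, _ in agent.accepted]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it prints the RCODE each query received. The last scenario is the point to notice: the attacker's cookie is accepted from its own address, because cookies prove return reachability rather than identity. That is what makes every counted report attributable to its real source, which is the property an authoritative operator needs before weighting reports by the reputation of the resolver they appear to come from.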