IETF Logo Mail Archive

[DNSOP] Re: Comments from IETF Last Call about draft-ietf-dnsop-structured-dns-error

tirumal reddy <kondtir@gmail.com> Tue, 06 May 2025 10:57 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id DF505254DE22 for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 03:57:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kyVkIfeSkcSZ for <dnsop@mail2.ietf.org>; Tue, 6 May 2025 03:57:57 -0700 (PDT)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E2CF6254DB8E for <dnsop@ietf.org>; Tue, 6 May 2025 03:57:43 -0700 (PDT)
Received: by mail-ej1-x630.google.com with SMTP id a640c23a62f3a-acbb85ce788so28813466b.3 for <dnsop@ietf.org>; Tue, 06 May 2025 03:57:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1746529063; x=1747133863; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Rpz6FB0xNWQxCN5/34X00EyvYF8YqWmqSGUYQxBhdhE=; b=QbgbkX2XV5ph/t39BmxGKAO9sIxu0+utw60Z/M3zbFTTw178P1Sd9aggoIASq++HEg Bp0dTIPVmCt6D+FZ8eHczjvxrWjI0+xq04dni3HhIKQlUXendeVW7c9zu+5RhY5k5wnL 45td4rZSOizct1GAuC2Icw67OXZpP/onYLPPpPvYJgIjMg6l2JT+dDqQpDYsUBX9o5Vc 6BtA2r8yYXPK5hyPXcY6ivrxYA/Ve+1UKLhY1tsjqDvm8GTX7RcIVGYJIprcmeTM3fyi DBR130NDDTiHPOclbTo7qT1RwWWTPDu2qPtlVjCrBJwfnIJJSRzI/5kVK8zxnjQpyx/z bIIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1746529063; x=1747133863; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Rpz6FB0xNWQxCN5/34X00EyvYF8YqWmqSGUYQxBhdhE=; b=DNRGmzi0CQhh89w25W+y1E2JLACDjWMx55Lc/LmehuzSuyIJIfp2xzqZ95lOp2DDJz b6hn2FWEYGhHVwL6GZvZCdEV8tPSe6jjSFwqHm4Dh8/kOcJulYeI7DcK1jCCYIqKLZ2q /f/eO6Y/hwLy0L6GnJXUXGIfN/kmwpxEru1476B2PZGDlsetsQr4IBIOebnFsVa1a5jp mK5Nj/I8jrg6JRRGSGMclQ+oGGdh9jgOfkN9ySQwKWGBj95ZDF7xdQ18+f28yjHzqO+G G+eKBwO2Tzr4V4+tpvxrUvqZBWSQU21ausxNqAJ90KXpKdOODmDlmvDF3lzd5DGT1TKm CNew==
X-Forwarded-Encrypted: i=1; AJvYcCX/aFCXvXRTbjJAqXo49gkmhCk+fmoz86tJJ87s1OIXqNWJRBNQHbGsR3EKrKzWkLejjaDayg==@ietf.org
X-Gm-Message-State: AOJu0YxVcRus6og2Fs0QwTePt1zsDFwK974/O731N65+VYLaRtaT34wV yPXNWk81SnEcUnRE3F976mCFMI+Ztxtz8DjTC38mR2Tm+P5EhYsdjnnZyWSpPfL4r8NI7CMdKJ1 nOF1Nc9qil72Av3qLPBeju8KrFyj78mPfa7891A==
X-Gm-Gg: ASbGnctwIMIAQQOQnnhI0vUDWozp5M5aBPkhTnuX5lkhQGBtBo57aVM9tozhC99tkop uuYwJEv39yEFwGyCCyhHhNlygU6TJT22rzOHtCDxnyAFro5V/IyiBuhPF14YUmra1Ent8fL22rG HsegB74iuegf0ZvbUz4ODzSDgt
X-Google-Smtp-Source: AGHT+IGy7EHvZ696XXYetEebNvhpzs0wUJRgsN0JckzfgIgbIyv8dzNTVMaX0Pq5zbAgR1dqm0SxoPu2gYn0/feFaX0=
X-Received: by 2002:a17:907:8990:b0:ac8:179a:42f5 with SMTP id a640c23a62f3a-ad1d4532875mr211558566b.14.1746529062538; Tue, 06 May 2025 03:57:42 -0700 (PDT)
MIME-Version: 1.0
References: <PH0PR11MB49666C9FAA1DC4C04EB7AEDBA98E2@PH0PR11MB4966.namprd11.prod.outlook.com> <53398b3c-98a2-4282-92eb-b694761b8875@isc.org> <CAFpG3gchc9JGHbDnpit5ib+Vg8j737QLczfAB7UTmQYvpE+F3g@mail.gmail.com> <568c86cc-235b-4213-80ad-086449e4a984@isc.org> <CAFpG3gfxKVfuDoLJwMbiwcb+DUZ89doCQCGaXRgzakU7aQ=ziw@mail.gmail.com> <21500b57-43f0-4a37-a790-8f0f0db06731@isc.org>
In-Reply-To: <21500b57-43f0-4a37-a790-8f0f0db06731@isc.org>
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 06 May 2025 16:27:05 +0530
X-Gm-Features: ATxdqUE3d1SxS8LJANLFCCDh6y7hDbjIF_MHaHuiu9dtFbLN4FAeKWhSNEfmwYk
Message-ID: <CAFpG3gdU35S1MWTe_Hx=7bw9+bRHXNdFNLMoWDaB=fZJtiJwSw@mail.gmail.com>
To: Petr Špaček <pspacek@isc.org>
Content-Type: multipart/alternative; boundary="0000000000005cd5310634757cb8"
Message-ID-Hash: HEGEDBJ4JYGCPSU5XU7VRA3VH26GZIF3
X-Message-ID-Hash: HEGEDBJ4JYGCPSU5XU7VRA3VH26GZIF3
X-MailFrom: kondtir@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Eric Vyncke (evyncke)" <evyncke=40cisco.com@dmarc.ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Comments from IETF Last Call about draft-ietf-dnsop-structured-dns-error
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_6MdHrj9ns1Havr_VKaw5_w25fo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Tue, 6 May 2025 at 14:20, Petr Špaček <pspacek@isc.org> wrote:

> On 5/6/25 10:28, tirumal reddy wrote:
> > On Mon, 5 May 2025 at 21:23, Petr Špaček <pspacek@isc.org
> > <mailto:pspacek@isc.org>> wrote:
> >
> >     On 5/5/25 17:27, tirumal reddy wrote:
> >      > On Mon, 5 May 2025 at 20:32, Petr Špaček <pspacek@isc.org
> >     <mailto:pspacek@isc.org>
> >      > <mailto:pspacek@isc.org <mailto:pspacek@isc.org>>> wrote:
> >      >
> >      >     On 5/5/25 14:49, Eric Vyncke (evyncke) wrote:
> >      >      > Dear authors and WG,
> >      >      >
> >      >      > There have been substantive IETF Last Call comments once
> >      >     extending the
> >      >      > review outside of DNSOP. On my own read of the comments,
> there
> >      >     are two
> >      >      > critical ones:
> >      >      >
> >      >      >   * Are full-text explanations better or worse from UX or
> >      >     security point
> >      >      >     of view ?
> >      >      >   * Should the draft merge/include/... with draft-
> >     nottingham-public-
> >      >      >     resolver-errors ?
> >      >
> >      >     Shameless plug: There is also a technical objection in
> >      > https://mailarchive.ietf.org/arch/msg/last-call/ <https://
> >     mailarchive.ietf.org/arch/msg/last-call/>
> >      >     dsouS0lgD8UK36rWgqBkq8LKSWo/ <https://mailarchive.ietf.org/
> >     arch/msg/ <https://mailarchive.ietf.org/arch/msg/>
> >      >     last-call/dsouS0lgD8UK36rWgqBkq8LKSWo/>
> >      >
> >      >     under "Issue #1".
> >      >
> >      >     The current text breaks assumptions about EDE Option usage
> >     defined in
> >      >     RFC 8914 and does not state a good reason for it.
> >      >
> >      >
> >      > This topic was discussed within the WG, and there was consensus
> >     to reuse
> >      > the EDE Option in the request as a signal of client interest in
> >      > structured data, please see slide 4 in https://
> >     datatracker.ietf.org/ <https://datatracker.ietf.org/>
> >      >
> meeting/115/materials/slides-115-dnsop-structured-data-for-filtered-
> >      > dns-01
> >
> >     Could you please point me to the the decision, please?
> >
> >     I did not find this being discussed on the mailing list. IETF 115
> dnsop
> >     minutes for this draft say only this:
> >     -----
> >     https://datatracker.ietf.org/doc/minutes-115-dnsop/ <https://
> >     datatracker.ietf.org/doc/minutes-115-dnsop/>
> >
> >     Structured Data for Filtered DNS
> >           draft-wing-dnsop-structured-dns-error-page, Tirumal Reddy
> >           Lots of industry interest
> >           **Chairs Action: CfA**
> >     -----
> >
> >     To refresh my mind I went to IETF 115 dnsop recording here
> >     https://meetecho-player.ietf.org/playout/?session=IETF115-
> >     DNSOP-20221108-0930 <https://meetecho-player.ietf.org/playout/?
> >     session=IETF115-DNSOP-20221108-0930>
> >     and listened to block starting at 1:52:00. What I hear is call for
> >     adoption a minute or two before the session ended and everyone went
> >     home, not a technical discussion.
> >
> >     Did I miss some other place where it was discussed? It's been a long
> >     time so I might have missed something, obviously.
> >
> >
> > It has been a long time, and I recall discussing this with resolver
> > providers who did not see any issues with implementing it. For instance,
> > it is already implemented byAdGuard’s DNS SDE extension <https://
> > github.com/AdguardTeam/dns-sde-extension> and by Akamai (see DNS Errors
> > <https://datatracker.ietf.org/meeting/116/materials/slides-116-dnsop-
> > dns-errors-implementation-proposal-slides-116-dnsop-update-on-dns-
> > errors-implementation-00>).
>
> Apparently we don't understand each other. I will try to explain
> differently.
>
> Use of JSON in EDE EXTRA-TEXT in DNS _responses_ is okay as EXTRA-TEXT
> did not have defined content before.
>
> What I consider to be a problem is sending empty EDE option in _DNS
> requests_ because the option is defined for use in _responses_.
>
> I checked the AdGuard extension briefly and it does not seem to talk DNS
> at all. It uses HTTP API call to get the data - see here:
>
> https://github.com/AdguardTeam/dns-sde-extension/blob/5d95e1b327675826703c8b0ae709bc5651849e77/src/index.js#L53C13-L53C66
> so by definition it cannot send empty EDE option in DNS request, because
> there is no DNS request in the first place.
>
>
> Second example in the slides (slide 9) show this command:
> dig malw.scalone.eu +https @cns01-euce-4haj15.002.dev.4haj15.spscld.net
>
> This 'dig' invocation does not send empty EDE option in request either.
>
> In other words, there is prior art of sending JSON in EXTRA-TEXT answers
> - and that's perfectly okay!
>
> I could not find prior art of even a technical discussion of sending
> empty EDE in _DNS requests_, which is what I'm objecting to.
>
> Petr Špaček
> Internet Systems Consortium
>
> >
> >      > The same EDNS(0) option is
> >      > permitted in both requests and responses, for example, RFC7828
> >     (edns-
> >      > tcp-keepalive) specifies the use of the option in both request/
> >     response.
> >      >
> >      > It also maintains symmetry between signaling support for this
> >     feature
> >      > and delivering structured error information using the same option.
> >     Just to be clear: I'm fine with using an option in both directions.
> >     What
> >     I object to is overloading meaning of an existing EDE option for
> >     different purpose. Specifically EDE spec in RFC 8914 section 2 says:
> >
> >       > The Extended DNS Error (EDE) option can be included in any
> response
> >     (SERVFAIL, NXDOMAIN, REFUSED, even NOERROR, etc.) to a query that
> >     includes an OPT pseudo-RR [RFC6891].
> >
> >     It does not say anything about use in queries. I can't see a
> technical
> >     reason for this overloading, and as resolver implementer I don't
> >     want to
> >     deal with complicated spec and resulting code if it can be made
> simpler.
> >
> >     Hopefully I explained myself clearly now.
>

Yes, thank you for the clarification. Is your concern that this usage
would break
existing resolver implementations that support RFC8914 but do not
implement this
draft ?

My understanding is that a resolver implementing only RFC8914 would ignore the
EDE option if it appears in a query, as RFC 8914 does not define EDE for use
in requests. It should not introduce any backward compatibility issues.
-Tiru

v2.31.3 | Report a Bug | By Email | System Status