Re: [DNSOP] Paul Wouters' Discuss on draft-ietf-dnsop-dns-catalog-zones-08: (with DISCUSS and COMMENT)
Willem Toorop <willem@nlnetlabs.nl> Mon, 06 February 2023 11:26 UTC
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8BA4C1524AE for <dnsop@ietfa.amsl.com>; Mon, 6 Feb 2023 03:26:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IkFQUhgLc6ay for <dnsop@ietfa.amsl.com>; Mon, 6 Feb 2023 03:25:57 -0800 (PST)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66976C1522D7 for <dnsop@ietf.org>; Mon, 6 Feb 2023 03:25:56 -0800 (PST)
Received: by mail-il1-x135.google.com with SMTP id v1so491699ilg.5 for <dnsop@ietf.org>; Mon, 06 Feb 2023 03:25:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=google; h=content-transfer-encoding:in-reply-to:subject:from:references:cc:to :content-language:user-agent:mime-version:date:message-id:from:to:cc :subject:date:message-id:reply-to; bh=Ql23VvJYy6o+FFMfJsjTvRSpSUWbHptYUrh0/FIA2sA=; b=XKfLUZ1QF/YkiwWYk0/taP1rGAKHIhvB4iA1ZjqJPJ4/tkEszsXMkqg9QvokHKEMBm COrJSY1tcPUWuhru/CWrq9UaMSwYUvfsnXRBDMmXYrN379rQxISjHV4NcdD6Ko8+eRv5 uGkxY6/A7DqWvtnqpg+lCe+9r1+Tk1G1qpndwBGwg9xx1kLTQ4NwPtR6u5qsHIxOSm1b /orh7dw0loyhqa8Fa9mb9KlHeOsNXfx4eNPPSrswxnPxMqO0PVJPMKxY9F2E8h7ESTfQ iKZcCznEzqJD5JngdI8pjFZSs6L9AujQvp5zECDrQFw/4A9jswgCI86DenazHuPoTWBa Bhbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:subject:from:references:cc:to :content-language:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Ql23VvJYy6o+FFMfJsjTvRSpSUWbHptYUrh0/FIA2sA=; b=tWJL7GOe1JoJ2eIZnUO1UGvDq78LGnzso+fOI/KJgZtOAbxiizOIm5XD6W7yfyPwiG 0zffSY3vmeUVvhHyJfZpa9t6kIxU46JdxENchgInsJmu6YayXXxEw5zm/EjSyvuHUZn7 FMq4sMdc14nr7NNnsv5JRA+IGlPrm1NV6EWSSx6jOy4cBjukI4HWckzmkljSESOu+ntI XgDBnn/JPM+e1fKnigD6sAyz7UZOrJxaKJQxsYHyHQiGDvwW5yUSz5SJ5ypg1TLSdxgP r5A8POHomOuofr35QOsnPyZ+ORz4n31Ssmyqeua+J/JWvQzuzpShJa6uJaryUYpRBGXr 8bcA==
X-Gm-Message-State: AO0yUKVk+W7kL4j0IuVc4KYu7oNaV3oswSLwBcd/rWWqOG835tlg+wLr 3GJBjnmOtkZAA8msBC95xL8qiA==
X-Google-Smtp-Source: AK7set/2EwOCKpZUhgIKFHPuCWM4MVae5QiB9g1YOpJK+hUnwoIcCr0c45F6pOF4LviAzojM6y9G4A==
X-Received: by 2002:a05:6e02:20e1:b0:310:a935:46ef with SMTP id q1-20020a056e0220e100b00310a93546efmr15757563ilv.3.1675682755854; Mon, 06 Feb 2023 03:25:55 -0800 (PST)
Received: from ?IPV6:2a04:b900::7d0? ([2a04:b900::7d0]) by smtp.gmail.com with ESMTPSA id h14-20020a02c4ce000000b003a96d8a5fa3sm3415875jaj.174.2023.02.06.03.25.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 06 Feb 2023 03:25:55 -0800 (PST)
Message-ID: <c27c4c94-abd6-4d6f-20eb-f03a51334ef8@nlnetlabs.nl>
Date: Mon, 06 Feb 2023 12:25:52 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1
Content-Language: en-US
To: Paul Wouters <paul.wouters@aiven.io>, The IESG <iesg@ietf.org>, Murray Kucherawy <superuser@gmail.com>
Cc: draft-ietf-dnsop-dns-catalog-zones@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com
References: <167280514240.63137.14589626604956505878@ietfa.amsl.com>
From: Willem Toorop <willem@nlnetlabs.nl>
In-Reply-To: <167280514240.63137.14589626604956505878@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_LfuYCgm1CyMywOAZCj5Fw6ZFaA>
Subject: Re: [DNSOP] Paul Wouters' Discuss on draft-ietf-dnsop-dns-catalog-zones-08: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2023 11:26:02 -0000
Hi Paul, Hi Murray, Hereby the responses to Paul's review. I've CC'ed you Murray, because you mentioned explicitly that you support Paul's DISCUSS positions. Op 04-01-2023 om 05:05 schreef Paul Wouters via Datatracker: > DISCUSS: > ---------------------------------------------------------------------- > ## DISCUSS > > ### Section 4.3.1 Versioning > > What should one do if the version supported is lower than the version of zone > received? Attempt to understand it? preventively fail? > > Are version 1 and 2 compatible? In what ways are they not? Should perhaps > version 1 catalog zones always be ignored ? Version 1 and 2 are not compatible. Version 1 was bind's original but not standardized idea/implementation. New implementations are better of implementing version 2 because the exact details of version 1 are not standardized (and thus kind of unknown). Commit https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/commit/8eed29f adds the explicit mention that version 1 catalog zones should also be considered broken by catalog consumers that only have version 2 implemented to the enumeration of section 4.3.1. Schema Version (version property). > ### Group Properties > > It seems like Section 4.4.2 defines "group properties" that are standardized, > while Section 4.5 specifies Private Use group properties. There are no "group properties", only "group property *values*". The values listen in 4.4.2 are only examples and not standardized. Section 4.5 is about private use properties and is not involved in group values. > But there is actually > no registry created for Group Properties, and no definitions other than > "examples" are given. This makes the status of, for example "nodnssec", > unclear. Is this a custom (eg bind implementation only) property or is this > really a custom private use entry, in which case the example is bad as it > belongs under .bind.ext. > > Since "nodnssec" seems a real use case, why does this document not create an > IANA registry for Catalog Zone Group Properties and places "nodnssec" in it? We have done several modifications to the draft to clarify this better. - We refer to the values of group properties now as "group property values" or even simply as "group values". - The group values now have non-descriptive names as to not suggest that they have meanings in implementations (it's the operator that determines the "meaning" and not the implementation) - We have extended the lines about catalog producers publishing at two consumer operators and how mapping of group values is a matter of those producer/consumer relationships, so it now reads: "Implementations MAY facilitate mapping of a specific group value to specific configuration configurable on a per catalog zone basis to allow for producers that publish their catalog zone at multiple consumer operators. Consumer operators SHOULD namespace their group values to reduce the risk of having to resolve clashes." The co-authors do recognize that a registry for *properties* is a good idea and have added that to the draft (with PR https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/pull/67 ) > ### 5.3 "MUST be removed"? > ``` > Only when the zone was configured from a specific catalog zone, > and the zone is removed as a member from that specific catalog > zone, the zone and associated state (such as zone data and DNSSEC > keys) MUST be removed. > ``` > > What is "removed" here? I think perhaps it should be limited to "MUST no longer > be served". For example, it would be bad if the operator made an error, and > ended up briefly removing the zone and "removing" (aka destroying) some private > DNSSEC keys, complicating the zone restoration. Also, perhaps the > implementation wants to simply keep the state on disk but move it to a > /var/lib/xxx/zones/archived/ directory. The use of "remove" sounds like that > might not be allowed. We have added a line explicitly stating this operational consideration to Section 5.3. Member zone removal: "Consumer operators may consider to temporarily archive associated state to facilitate mistake recovery." > ### Operational Considerations > > What are the risks and benefits of Extension group properties? > > Should one try to standardize these instead? Why is this document not doing > that based on its operational experience with eg bind and knot and powerdns ? This document will standardize three properties: "version", "coo" and "group". Implementations can create their own custom properties below the "ext" label. Bind9 has several custom properties ("primaries", "allow-query" and "allow-transfer"), but the other implementations don't have them yet. When the other implementations will create similar custom properties (from operator feedback) they can be considered to be standardized as regular (and not custom) properties and don't need to be below the "ext" label. > if one is experimenting with further properties in the extension part, will these ever move to the standard part? or will non-standard extensions become a defacto standard? But I guess these could end up in a separate followup document. Custom properties will remain in the specific implementation that made them I suppose (for backwards compatibility). Our document says that custom properties should be namespaced, quoting: "Implementations SHOULD namespace their custom properties to limit risk of clashes with other implementations of catalog zones. This can be achieved by using two labels as the <property-prefix>, so that the name of the implementation is included in the prefix: <some-setting>.<implementation-name>.ext.$CATZ." If more than one implementation define a similar custom property, they can be standardized via RFC or via a lower barrier procedure. In the new version of our document, there will be a IANA registry request for properties, with assignment policy "Expert review" ( https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/pull/67 ) > ### Security Considerations > > Dealing with high value domains eg gmail.com is missing. If a large DNS hoster > would enable catalog zones for its customers, how can it prevent rogue > takeovers? If fully automated, it can never be safely deployed. If each zone > needs a manual check, well than we don't really have "catalog zones" > auto-populating name servers. > > Is there an expectation that nameservers can do some authorization call before > adding a new domain that is already delegated elsewhere? Eg if GoDaddy uses > catalog zones, and I am their tiny customer with "nohats.ca" and then add a new > zone "gmail.com", that could cause a significant disruption. Especially if the > malicious person would create another domain that depends on "gmail.com" in > such a way that GoDaddy's servers will start sending "gmail.com" data in their > additional data reply for other domains. The section only has a "consumer(s) > MAY <do custom smart things>", which in my opinion, is far too weak as a > security control. As the above example shows, it is just too easy to start > poisoning nameservers via implementations that skip this one MAY clause in the > Security Considerations. We have made the "MAY clause" stronger with a SHOULD: "To prevent unintended provisioning of zones, consumer(s) SHOULD scope the set of admissible member zones by any means deemed suitable (such as statically, via regular expressions, or dynamically, by verifying against another database before accepting a member zone)." > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > ## Comments > > ### Appendix A > > The appendix implementation status only mentions version 2 for bind. > Presumably, the other implementations never supported version 1, but this could > be made more clear (although granted, it is a little weird so late in the > process to do this as it will get cut out before publication anyway, but if a > new draft is done based on IESG review comments, please also clarify this. We've extended the Appendix with this commit: https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/commit/527e7ee > ### NITS > > ``` > such properties MUST be represented below the label ext. > ``` > I would use quotes, eg "ext." to make it clear this is literal string. > > ``` > Implementation and operational Notes > ``` > > Weird capitalization ? Thanks, the NITS are addressed in this commit: https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/commit/2a0f8a4 We're once more reviewing all the changes we've made and will probably (if all is well) upload a version -09 with them tomorrow. Regards, Willem on behalf of the draft-ietf-dnsop-dns-catalog-zones co-authors
- [DNSOP] Paul Wouters' Discuss on draft-ietf-dnsop… Paul Wouters via Datatracker
- Re: [DNSOP] Paul Wouters' Discuss on draft-ietf-d… Willem Toorop