Re: [DNSOP] AD Review of: draft-ietf-dnsop-dnssec-bootstrapping
Peter Thomassen <peter@desec.io> Thu, 11 April 2024 13:01 UTC
Return-Path: <peter@desec.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 996F9C14F68F; Thu, 11 Apr 2024 06:01:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=a4a.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CPrBeT6NY4Ti; Thu, 11 Apr 2024 06:01:21 -0700 (PDT)
Received: from mail.a4a.de (mail.a4a.de [IPv6:2a01:4f8:10a:1d5c:8000::8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 520BEC14F610; Thu, 11 Apr 2024 06:01:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=a4a.de; s=20170825; h=Content-Transfer-Encoding:Content-Type:In-Reply-To:From: References:To:Subject:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=wT7J5v5CWhJpAxhm94b0cv9tS9pnnuLZdBmkLer8dMA=; b=PSbMJfrbdaKFf3FZrSIZxXFHez GGb8fGunWaDOXGoY9BqanmA0Ig/Vv8bQ40Osfzo5lpjgggdEY93+t983aEfTs9GuWvDEvib2LyRUX JkJ7aIi5LXm4oiNdcLlgvUOhWS2DV1BXHdNcpxsggkDTuNPwWHUbFGtJLmdRXFlaTrEQtNrSSeM/g GiT+VkKfII4t01kmAH36+m7zxcEfSnq3tgfvc+Od1FSYDQceMfcLzDfHJ2GvdAWWh16ejmLl7j5V5 D8FzcS771gNXUX7G5qGnOeh7XZKCTszsslYaNXUKdGwkYw07mNmIuqF32v+XaB2RhRx0TCcwEbaJK 64BxY5rw==;
Received: from [90.187.67.221] (helo=[192.168.55.171]) by mail.a4a.de with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from <peter@desec.io>) id 1ruu3J-00GhHz-Ad; Thu, 11 Apr 2024 15:01:17 +0200
Message-ID: <d899e306-db73-4b78-89f0-64c88fa71349@desec.io>
Date: Thu, 11 Apr 2024 15:01:16 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Warren Kumari <warren@kumari.net>, draft-ietf-dnsop-dnssec-bootstrapping@ietf.org, dnsop <dnsop@ietf.org>
References: <CAHw9_iJ2f_++4v+tjrFfxJv==a0FFJA=soTiPG5_V8PDuC4GaQ@mail.gmail.com>
Content-Language: en-US
From: Peter Thomassen <peter@desec.io>
In-Reply-To: <CAHw9_iJ2f_++4v+tjrFfxJv==a0FFJA=soTiPG5_V8PDuC4GaQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aZRlfNDDJ14wjeR8WUr_77Pc6RU>
Subject: Re: [DNSOP] AD Review of: draft-ietf-dnsop-dnssec-bootstrapping
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2024 13:01:25 -0000
Hi Warren, Thank you for your helpful feedback, pls see below. On 4/5/24 22:42, Warren Kumari wrote: > Please SHOUT loudly once you've had a chance to address these, and I'll start IETF LC. SHOUTING! We've included your feedback in the -08 revision that I just submitted. The below essentially is a commented diff. > Comments / questions: > > 1: Please be consistent in capitalization of Parent, Child, Registry, Registrar. Yup, Paul Hoffman also mentioned this, and we changed all to lowercase upon his suggestion. It's now included in the new revision. > 2: "Signaling Domains SHOULD be delegated as zones of their own, so that the Signaling Zone's apex coincides with the Signaling Domain (such as _signal.ns1.example.net <http://_signal.ns1.example.net/>). While it is permissible for the Signaling Domain to be contained in a Signaling Zone of fewer labels (such as example.net <http://example.net/>), a zone cut ensures that bootstrapping activities do not require modifications of the zone containing the nameserver hostname." > Can you please try and reword this? I'm not entirely sure what "Signaling Domains SHOULD be delegated as zones of their own," actually *means*. I think I sort of do, but I don't think I could fully articulate it — perhaps "standalone zones"? Done > 3: "To keep the size of the Signaling Zones minimal and bulk processing efficient (such as via zone transfers), Child DNS Operators SHOULD remove Signaling Records which are found to have been acted upon." > This feels fairly hand-wavey (especially because it has a "SHOULD") — how would that child operators know that the signing records have been processed/consumed? (yes, I know, but it seems like some text it needed). Perhaps just rewording the sentence would help - something like: "Once a Child DNS Operator determines that specific Signaling Records have been processed (e.g by seeing the result in the Parent), they are advised to remove the Signaling Record. This will help keep the Signaling Zone smaller, and bulk processing (such as via zone transfers) more efficient."? Something like that… Done, in the following way: NEW Once a Child DNS Operator determines that specific Signaling Records have been processed (e.g., by seeing the result in the parent zone), they are advised to remove them. This will reduce the size of the Signaling Zone, and facilitate more efficient bulk processing (such as via zone transfers). > 4: "It is RECOMMENDED to perform queries within Signaling Domains (Section 4.2) with an (initially) cold resolver cache or to limit the TTL of cached records to the interval between scans, as to retrieve the most current information regardless of TTL." > This sentence doesn't really work - it says to "limit the TTL of cached records" so you have the most current information regardless of the TTL. Perhaps just adding "regardless of the original TTL" (or "actual TTL" or something...) Done NEW In order to ensure timely DNSSEC bootstrapping of insecure domains, stalemate situations due to mismatch of cached records (Step 4 of Section 4.2) need to be avoided. It is thus RECOMMENDED to perform queries into signaling domains with an (initially) cold resolver cache, or to disable caching for them (e.g., by limiting response TTLs to the interval between scans). > 5: "(When a batch job is used to attempt bootstrapping for a large number of delegations, the cache does not need to get cleared in between queries pertaining to different Children.)" > Is this always true? I'm not sure, but it feels like there could be cases where there are delegations to domain early on in a run, which you later discover later in a run is also being bootstrapped. E.g you start with example.com <http://example.com/> and it uses ns1.example.net <http://ns1.example.net/>. Later on you discover than example.net <http://example.net/> is also bootstrapping, but it is already in the cache…. This might be a really uncommon corner case (and I might be completely wrong about this causing an issue!), but it seems like unless we are 100% sure we should just drop this sentence (and implementers can figure out if the optimization is worth potentially stepping on a rake :-P). > I'll happily note that I cannot figure out if my concern is valid, but it *feels* like there is something scary here… Good point! Sometimes, less is more. (Done.) > Nits: > 1: s/involes/involves/ Done > 2: s/For lack of a comprehensive DNS-innate/Due to the lack of a comprehensive DNS-innate/ Done > 3: "The Parent can then use this signal to cryptographically validate the CDS/CDNSKEY records found at an insecure Child zone's apex, and upon success secure the delegation." > Suggest: "The Parent can then use this signal to cryptographically validate the CDS/CDNSKEY records found at an insecure Child zone's apex and, upon success, secure the delegation." (I generally avoid noting comma-related nits, but this one triggered my OCD, so…) Done > 4: > O: "Other applications might arise in the future, such as publication of API endpoints for third-party interaction with the DNS Operator or of other operational metadata which the DNS Operator likes to publish." > P: "Other applications might arise in the future, such as publishing API endpoints for third-party interaction with the DNS Operator or other operational metadata that the DNS Operator likes to publish." > C: Flow / readability. I gave it another shot: NEW Other applications might arise in the future, such as publishing operational metadata or auxiliary information which the DNS operator likes to make known (e.g., API endpoints for third-party interaction). > 5: "To publish a piece of information about the Child zone" > s/a piece of// (I think that this works better, without changing the meaning / intent). Done > 6: "If, however, an error condition occurs, in particular: [many many things] the Parental Agent MUST abort the procedure." > This seems somewhat tricky to read / parse — by the time you get down to the "the Parental Agent MUST abort the procedure" bit you've forgotten where the sentence starts. I recommend: > "If an error occurs in any of the following steps, the Parental Agent MUST the procedure: > Step 1:... " (just a suggestion) Done NEW However, the parental agent MUST abort the procedure if an error condition occurs, in particular: > 7: This seems a little clumsy: > "The Parental Agent does not use in-bailiwick Signaling Names during validation because they cannot have a pre-established chain of trust at bootstrapping time, so are not useful for bootstrapping." > Perhaps: "In-bailiwick Signaling Names do not have a pre-established chain of trust at bootstrapping time, and so the Parental Agent cannot use them during validation." ? Done NEW As in-bailiwick signaling names do not have a chain of trust at bootstrapping time, the parental agent does not consider them during validation. > 8: I had to read this multiple times to figure out what it meant: "For example, when discovering Signaling Names by performing an NSEC walk or zone transfer of a Signaling Zone, the Parental Agent MUST NOT assume that the nameserver(s) under whose Signaling Domain(s) a Signaling Name appears is in fact authoritative for the corresponding Child." > Perhaps s/appears is in fact authoritative/appears is, in fact, authoritative/ or, perhaps better yet "appears is actually authoritative…" ? Done > 9: "In this case (and in other cases alike where some list of "bootstrappable domains" is retrieved from elsewhere), the Parental Agent MUST" > Perhaps: "In this, and other cases where a list of "bootstrappable domains" is retrieved from elsewhere, the Parental Agent MUST…"? Done NEW Instead, whenever a list of "bootstrappable domains" is obtained other than directly from the parent, the parental agent MUST > 10: "The protocol is further restricted by the fact that the fully qualified Signaling Names fit within the general limits that apply to DNS names (such as their length and label count)." > I found this somewhat confusing — it is "In addition, fully qualified Signaling Names must by valid DNS names (e.g length, label count, etc.)" ? Done NEW Fully qualified signaling names must by valid DNS names. Label count and length requirements for DNS names imply that the protocol does not work for unusually long child domain names or NS hostnames. > Thank you again; I know that making edits to address nits can be annoying, but we are expecting many people to read and review the document, and so having it polished is important and polite (also, once people start commenting on nits, they seem to continue :-) ) No worries, actually I like polishing a near final product -- so thanks a bunch! Best, Peter and Nils
- [DNSOP] AD Review of: draft-ietf-dnsop-dnssec-boo… Warren Kumari
- Re: [DNSOP] AD Review of: draft-ietf-dnsop-dnssec… Peter Thomassen