IETF Logo Mail Archive

Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information

Brian Dickson <brian.peter.dickson@gmail.com> Mon, 05 August 2019 17:43 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BE311202A5 for <dnsop@ietfa.amsl.com>; Mon, 5 Aug 2019 10:43:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BxoA7J3uVxSg for <dnsop@ietfa.amsl.com>; Mon, 5 Aug 2019 10:43:13 -0700 (PDT)
Received: from mail-vk1-xa29.google.com (mail-vk1-xa29.google.com [IPv6:2607:f8b0:4864:20::a29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE1341202E5 for <dnsop@ietf.org>; Mon, 5 Aug 2019 10:43:12 -0700 (PDT)
Received: by mail-vk1-xa29.google.com with SMTP id v68so13097930vkd.1 for <dnsop@ietf.org>; Mon, 05 Aug 2019 10:43:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=I8gm+NYUU0/jXXR3qcbPY8g+O+kUN3vHLTdVYE56NPI=; b=HOIYCweFzZ+Im/aWiaI/0AS+7LOEgyHremDU9tJNF68VjuJpXN0MGlDo3H+m1ke5Zx H9Mx/iaxqTs/1emT5jVyD/K8Omgk1YyFDruwkHjYx3xetoM9WP49qStvrB1iqtUTudNC vkQbZYV8grLU7UGKKKH1cvzDhGoL7gldFaU25xmPfSyEiVZkSxUa3V+ZiThOAvsAXsV0 UbGPs++S8XpSw3O6TDgEfOHqDFmyvTntvAUlwrrxBvRBz39ZBQkyGy94OjlJ33OYyp40 u9phQI9Pa5QzfHWmdmtFXSukx4F9gb7KW7PU3Uj1hzDQTCFDf1VzN7L+qXAo8VolVXls DYyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=I8gm+NYUU0/jXXR3qcbPY8g+O+kUN3vHLTdVYE56NPI=; b=a6ZGPlz/0beqiac7NgM9xI3lZJnlcw+h7CacDO08KViuQPEFCBDJvTh9kIFp4+/8L/ fTLk1nykvAuskgSz0rUf8BHtdoddlqOXv7rX4P0/jq1i/w+3QoqVrU1kxcoJM0d3+Nhk DWkslxt8R5XkNbNz2X/wRP1evXkCzjgf1lYnw0E1hC0PIDo3X2RX/irATIr6/pLFST/z 8rewn79jj8I6Eaf9k6V0tn9sNvQmlZFhDqA7JCVZfSzLZ2jBetWGwJ2g3/+lFYqcAucp fg/ACY7AjQ7oYeV4e3136DoKQK/7AeC3kuRj9vUKUpYRAPpUIBkawstDK6hY9dNhivZt vQeQ==
X-Gm-Message-State: APjAAAX1U8yS9H9qcbyH+Kjr+f7QOnnq3nIRtMWRZS2Cf7LF9TtC5ij8 WgSDJxolsiie91o2Bf5sYmsHcCrOoPGfINXUbrQ=
X-Google-Smtp-Source: APXvYqyldCo/VC7zXbBAvPCViqqbipUQEUofo0noG8mXK/sM7LL4S5yC0yDWiD7WCawDf3oj2rw0cMGdcVSazP/+Tag=
X-Received: by 2002:a1f:5945:: with SMTP id n66mr58291762vkb.58.1565026991841; Mon, 05 Aug 2019 10:43:11 -0700 (PDT)
MIME-Version: 1.0
References: <CADyWQ+EUk_Qmnk=x3-om1OMjSMFrhd9qFUKTEBk6qWjh6fgRXQ@mail.gmail.com> <93191ae0-39e9-4a0f-9750-b553292266bd@www.fastmail.com> <CDF505A0-09FE-41C6-A197-46C407BE1AFF@icann.org> <e783894a-90de-4dcf-94c9-dee90982a650@www.fastmail.com> <A2FB32FA-E67D-4418-9592-C282EF11676E@hopcount.ca>
In-Reply-To: <A2FB32FA-E67D-4418-9592-C282EF11676E@hopcount.ca>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Mon, 05 Aug 2019 10:43:00 -0700
Message-ID: <CAH1iCiq-879VtmKdw7bX8VPAKw4ShziiBE40R_Fh0KKtjX-j9g@mail.gmail.com>
To: Joe Abley <jabley@hopcount.ca>
Cc: Martin Thomson <mt@lowentropy.net>, Paul Hoffman <paul.hoffman@icann.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e9a503058f623da5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/b2RlvK0n3qH3mW0LiS2VVTF9V-o>
Subject: Re: [DNSOP] [Ext] Call for Adoption: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Aug 2019 17:43:22 -0000

+1 to everything Joe wrote below. (There should be an automatic +1 to
things Joe writes.)

I'd like to suggest an approach to the issues of DNS forwarders + NATs of
varying depth/scope, but I think there may be some extra protocol work in
order to address these problems.

Also, I think there would be additional value in that extra work, in the
form of a "DNS traceroute" that would be possible.

Here are two conundrums:

   - Forwarding:
      - The server side of a DNS resolver (or forwarder) cannot determine
      if the client is a vanilla host (or stub or whatever), or a forwarder.
      - The client side of a DNS resolver (or forwarder) cannot determine
      if the server it is talking to is a full resolver or merely a forwarder.
      - Corollary: a forwarder cannot determine whether it is the only
      forwarder in a resolution path
   - EDNS:
      - EDNS is hop-by-hop
      - Thus, EDNS does not facilitate new EDNS records that might allow a
      client to pass stuff to the eventual resolver, or vice versa

There are two things, which combined, would get around this issue:

   - A way to pass an EDNS type to discover the identifier of every server
   (including forwarders) in a resolution chain
      - E.g. a transitive EDNS Type, that would have no entries on the
      query, but would include an ordered list of identities in the response
   - A way to target a DNS query at a specific identified forwarder/resolver
      - E.g. a transitive EDNS Type, indicating that only the
      forwarder/resolver with the specified ID should answer, and otherwise the
      query should be passed "upwards"

Use of these two hypothetical mechanisms would facilitate this RESINFO
draft (and do so within DNS itself).

It's too bad that the original spec for EDNS didn't include a bit in the
Type field for "transitive", the way that BGP attributes did. (Doing that
allows "unknown" types to be passed or dropped based solely on that bit.)

I realize that "transitive" only has any meaning in the forwarder context,
since recursive-authoritative is technically unrelated to
client-(forwarder*)-recursive.

I'm not sure it would be feasible at this point to propose fixing the
exclusively hop-by-hop nature of EDNS. However, I think there will always
be value and need for this, so perhaps doing it sooner would be less
painful.

Thoughts?

Brian

On Mon, Aug 5, 2019 at 5:53 AM Joe Abley <jabley@hopcount.ca> wrote:

> On 4 Aug 2019, at 21:00, Martin Thomson <mt@lowentropy.net> wrote:
>
> > On Sun, Aug 4, 2019, at 00:37, Paul Hoffman wrote:
> >>> I think that I might have said this before, but I don't think that
> asking an HTTP server about a DNS server is the right solution.
> >>
> >> It is not "the" right solution, but it is one of them. That's why there
> >> is also a DNS-based solution in the same document.
> >
> > Let me be slightly more pointed then.  I think that documenting a
> solution that has one protocol speak for another would be a bad idea.  Even
> if there is a better way to do the same thing in a "better" way.
>
> and
>
> >>> The RESINFO RRtype seems OK, but I have less confidence in my ability
> to assess that aspect of this.  The only thing that bothers me is the
> potential for 1.0.0.10.in-addr.arpa and friends to leak and ruin the
> protocol for everyone.
> >>
> >> Please say more here. Who do you think would be publishing at 10.0.0.1?
> >
> > A good proportion of the resolvers I talk to operate from 1918 space,
> how else would they advertise this information?  I don't care if they are
> merely proxies, and nor should it matter if they are.
> >
> > The fact that they are proxies means that my ISP is likely going to be
> the one fielding RESINFO queries for 10.0.0.1 and friends.
>
> together also trigger discomfort for me. DNS and HTTP requests might
> generally follow the same gradient as far as network address translation
> goes (escaping to ever-shallower NAT domains) but it's worth remembering
> that the gateways between the layers are not always just gateways at the IP
> layer; some are ALGs. The addresses that services are reachable at can can
> change between layers, as (in general) do the addresses used for proxy
> requests in the case of ALGs.
>
> I'm concerned about the cases where:
>
> (a) the data enclosed within a RESINFO response includes embedded IP
> addresses that may not match the addresses that correspond to the resolver
> service as viewed from another addressing domain, and
>
> (b) the potential for HTTPS and DNS ALGs to further confuse matters as the
> system generating the RESINFO response for one retrieval protocol might not
> be the same as for the other.
>
> I realise it's tempting to imagine that HTTPS is not subject to explicit
> or implicit handling by ALGs; however, anecdotally at least, SSL-stripping
> (e.g. with jurisdiction-specific trust anchors installed on clients) is on
> the rise and not just in enterprise networks. I've also seen networks where
> traffic is routed by policy in different directions according to
> transport-layer addresses, e.g. for reasons of available capacity or
> latency.
>
> So I echo the concern about having one protocol speaking for another. I
> haven't quite got my head around what I think about RESINFO in general but
> this particular aspect seems like a more general weakness that is worth
> highlighting.
>
>
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>

v2.23.0 | Report a Bug | By Email