Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-nsec-ttl
Michael StJohns <msj@nthpermutation.com> Wed, 03 February 2021 23:24 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 487923A0ADE for <dnsop@ietfa.amsl.com>; Wed, 3 Feb 2021 15:24:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fAy5zsAYwBzI for <dnsop@ietfa.amsl.com>; Wed, 3 Feb 2021 15:24:13 -0800 (PST)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B81C3A0AD5 for <dnsop@ietf.org>; Wed, 3 Feb 2021 15:24:13 -0800 (PST)
Received: by mail-qt1-x830.google.com with SMTP id d15so1073969qtw.12 for <dnsop@ietf.org>; Wed, 03 Feb 2021 15:24:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=i2XcVKyP03+jg1WYY30sXZDdqpxECCuQUlTbD4ycpws=; b=c/HD87r8Sus4b9mam24XqydGNS5QhirA7ynO0LPDnFURkWmSZNoNa1d9UGZi+pSqUq Xp4F64YvkwagWYXLFf4oMyc4wP8Nqqsum4X8MSpKvRpXze35PNU0yrQvYZ5GqRx/5bqC 8IsHd2wHUAarfPGroGqAqAwBswZhbSe7+uejeQ2eDI2Uox+gHAi/M5394Tt9W1kgOEmm 1c5WGWlnogsGY+gDilN8STn1AuQFjxdy2rStilUJEcB5BA7Uf/tf7hNwJ1FnLAzIuy9i 4vRXTUqpaDpjAP72dkQPeLVVjTavH6BVcsmp05NX/aM2qBpd25lvsJxR9l3C/EGYfPI7 t+yg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=i2XcVKyP03+jg1WYY30sXZDdqpxECCuQUlTbD4ycpws=; b=jXLbQUWFGem+0m2spPot0dHqANPOR7Iujo07XynovOMcX78nE5RNKwen+eyEs67H4f 5EF925MDQRmJ1ehW6UO5KEWuCCKvMlgLmKJtdXNiGv2RW29GO3bDxLzw0nX3NrAoCc19 nM0uAjz6g3iskpNdwmdKLXrMEma5YrQtimVeR6zY9lThSkWSzyxvpwAdfBY4J5sNTBBJ gGI2Z0tvYhRWATdLuSuQtT7K2c802VVmBBOZo+ekZz8NYpgqmQd8Dxz6OmOraDXmika6 xGydiI5jtuBcUuq5N8pR68nb6/jU1ADxgpbcK2VV/M2P2hBt8oE2BIdci1eacMjvIjwJ KNKQ==
X-Gm-Message-State: AOAM532RUuuPM1csIQEIW4Vewihmjvw/0qg53OIA+ms2MYvcf2qlctv9 IXrwulu7tjUdBpOZl4OQF9HoKolmqACxDdn4
X-Google-Smtp-Source: ABdhPJw60jIxJP2QLBpWVIrWipZLEldC1A29WvSdmIORldjFsIorYnEApeV0YRFCNl1F8JVjzCDzhw==
X-Received: by 2002:a05:622a:193:: with SMTP id s19mr4768538qtw.366.1612394651752; Wed, 03 Feb 2021 15:24:11 -0800 (PST)
Received: from [192.168.1.23] ([138.88.204.18]) by smtp.gmail.com with ESMTPSA id t62sm2773131qtd.11.2021.02.03.15.24.10 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Feb 2021 15:24:10 -0800 (PST)
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
References: <CADyWQ+En0_=LzynpgodOyPan0WD5HdtdqVdU6zw39-g_SCNL6A@mail.gmail.com> <edf948c2-f093-9850-805a-5ac05b27a2bd@nthpermutation.com> <7A8AD079-63AE-4AEA-830D-5971A7441AA7@icann.org>
From: Michael StJohns <msj@nthpermutation.com>
Message-ID: <1fda54f4-7e90-e92a-7da7-e9e10a0b4e1b@nthpermutation.com>
Date: Wed, 03 Feb 2021 18:24:09 -0500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.7.0
MIME-Version: 1.0
In-Reply-To: <7A8AD079-63AE-4AEA-830D-5971A7441AA7@icann.org>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bGJmfwLZQPBH7K72lQ8mOf3-s7k>
Subject: Re: [DNSOP] [Ext] Working Group Last Call for draft-ietf-dnsop-nsec-ttl
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2021 23:24:15 -0000
On 2/3/2021 2:31 PM, Paul Hoffman wrote: > On Jan 29, 2021, at 9:31 AM, Michael StJohns <msj@nthpermutation.com> wrote: >> I can't support this as Standards track even though it purports to update standards as it doesn't actually specify an implementable protocol. Basically, this is dependent upon humans doing the right thing, rather than specifying behavior of the protocol. > I don't understand the context of this. The draft specifies that the protocol is changing, and now authoritative servers change the way they act from $x to $y. Where is the "humans" part? You're not specifying a change in how the Auth servers work AFAICT, you're specifying a change in the data parameters for a few records which get set by humans (and maybe enforced by tools, not necessarily by the server). This is operational guidance rather than implementation guidance - the servers continue to serve the data they are provided regardless of whether its "right" with respect to this guidance. For example, one of the texts you reference (RFC4034 Section 4) is all about crafting the contents of the data protocol, rather than what the server should do to enforce things. It probably should have said instead - "The authoritative server SHOULD treat (and send) the TTL of the NSEC RR as having the same value as the SOA minimum TTL field" But then that gets into signing issues for the NSEC record and its verification and you'd need to make sure that the signing part of this is back filled to make sure that what's signed agrees with what the server is actually sending. 8198 section 5.4 actually specifies an implementable behavior in that it tells the client how to treat received and cached data. > >> For each of these, I'd recommend specifying what a client does in each of the cases, rather than weasel wording the SHOULD with respect to the zone contents to turn this into an implementable protocol. > Here, I agree that the draft is unclear. It should say explicitly "resolvers keep doing $z, there is no change here". Also, for the text about authoritative servers, I agree that changing the SHOULDs from the current standards to MUSTs. > > I note that you didn't appear to accuse the authors of 4034, 4035, and 5155 of "weasle wording" when those documents were standardized. Doing so now seems out of line. As a whole those documents were less specific that I would have liked. Basically, everywhere there is a SHOULD is a possibility where some resolvers accept the data and others reject it. In any case where see a should, you need companion text to describe what to do (either on the sender, or the receiver, or both) if you don't follow that guidance. WRT to the parent documents - as a whole they mix implementable and human in the loop functions and there's enough of the former to place them as Standards. But when you extract guidance paragraphs, update them, but then don't update the client guidance on how to handle the received data, you're not really updating the standard and hence informational vs standard. >> E.g. for each of these clauses add something similar to "The client SHOULD/MUST reduce the effective TTL for the received NSEC RR to the lesser of the TTL of the current SOA record, the TTL of the SOA, and the TTL of the NSEC RR record and MUST discard the NSEC RR when that effective TTL expires." > Again, this is not about the clients, as the document says (but not clearly enough). And that's really the problem. The client should be able to look at the incoming data, do a sanity check on it and then do the appropriate things it needs for self protection. If it can't - if you don't specify it should - then eventually something will break that's rather unexpected and perhaps with a very large impact. If this is important enough to make a change at the server, its certainly important enough to require the corresponding validation change at the client. > >> So - not ready for last call. > Sure it is. These are normal last call comments. Given that there was little or not actual discussion on the document, I was quite surprised to see it go for last call. But fair - "not ready to pass last call". > > In a similar vein, I think that the section on "No updates to RFC8198" should indeed update RFC 8198. The resolver might have the SOA in its cache, and thus could do the right thing even if the authoritative server has not been updated. > > --Paul Hoffman Longer Discourse - As I model the DNS, I tend think of it as having three main parts: the data source (what used to be called the zone master file), the authoritative servers, and the clients. This is simplistic, but bear with me. In early days, the authoritative servers generally served what the data provider gave them, regardless of mistakes (and somewhere around here I have a number of very broken master files). The AS' were pass through entities to the point that there's very little text that says something like "The AS MUST verify.... and MUST NOT serve data that fails that verification step". Most of the documents talk about setting this bit or clearing that bit in the data source, but then don't take the step of indicating that the AS must do a sanity check and refuse to serve bogus data. E.g. if a human screws up in the provision of the data the AS screws up. Separate from the protocol model, most providers of modern DNS AS implementations tend to treat the data origin tools as part and parcel of the AS, and does some verification during the record creation process. But that's an implementation choice, rather than a requirement of the specification. Mostly that's not a problem, be cause we mostly do specify the behavior of the client upon receipt of the possibly bogus data and all of that takes place without a human in the loop. So I'm fine with the changes to the TTL setting, but you need to impose the requirement on the client to do the right thing even if the data creator screws up and does the wrong thing. Later, Mike ps - Peter -sorry I missed your immediate response. I think the above covers your comments as well, but feel free to bring up anything I missed.
- [DNSOP] Working Group Last Call for draft-ietf-dn… Tim Wicinski
- Re: [DNSOP] Working Group Last Call for draft-iet… Michael StJohns
- Re: [DNSOP] Working Group Last Call for draft-iet… Peter van Dijk
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Michael StJohns
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Paul Hoffman
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Wessels, Duane
- Re: [DNSOP] [Ext] Working Group Last Call for dra… Matthijs Mekking
- Re: [DNSOP] Working Group Last Call for draft-iet… Tim Wicinski