IETF Logo Mail Archive

Re: [DNSOP] DNSOPWorking Group Last call for draft-ietf-dnsop-dns-error-reporting

Wes Hardaker <wjhns1@hardakers.net> Fri, 09 June 2023 15:38 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A601C14CE30; Fri, 9 Jun 2023 08:38:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lg6YjT2FUR8z; Fri, 9 Jun 2023 08:38:03 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [107.220.113.177]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED7CC14CF1F; Fri, 9 Jun 2023 08:38:02 -0700 (PDT)
Received: from localhost (178-196.icannmeeting.org [199.91.196.178]) by mail.hardakers.net (Postfix) with ESMTPA id 8F7782060D; Fri, 9 Jun 2023 08:38:02 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Benno Overeinder <benno@NLnetLabs.nl>
Cc: DNSOP Working Group <dnsop@ietf.org>, DNSOP Chairs <dnsop-chairs@ietf.org>
References: <fa6ec641-0eab-dec6-2267-3ca818402812@NLnetLabs.nl>
Date: Fri, 09 Jun 2023 08:38:01 -0700
In-Reply-To: <fa6ec641-0eab-dec6-2267-3ca818402812@NLnetLabs.nl> (Benno Overeinder's message of "Thu, 8 Jun 2023 11:59:59 +0200")
Message-ID: <ybly1kswsrq.fsf@wx.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dCq4dbJwpqu45yclohqYSRj3MG8>
Subject: Re: [DNSOP] DNSOPWorking Group Last call for draft-ietf-dnsop-dns-error-reporting
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2023 15:38:03 -0000

Benno Overeinder <benno@NLnetLabs.nl> writes:

> This starts a Working Group Last Call for:
> draft-ietf-dnsop-dns-error-reporting.

Overall: I support the publication of this document and believe it is a
good addition to the DNS specifications.

Some suggestions:

- section 1: "reported via social media" -> "report via E-Mail or social
  media" -- anyone subscribed to dns-operations and various *og lists
  will know that a lot of errors are reported to operational communities
  over email.

- Terminology: Why is a reporting resolver listed as validating here?
  From what I can tell from the rest of the document, this should be a
  more generic reporting mechanism even if the examples are DNSSEC
  related.  The EDE document has many errors that have nothing to do
  with DNSSEC (filtering being one example).

- Terminology: Report Query's last sentence is hard to read.  Maybe "The
  content of the error report is encoded in the QNAME of a DNS request
  to the reporting agent."

- TBD: Terminology: Monitoring agent: I'm not sure that the monitoring agent
  has to respond or not?

- Terminology: Agent Domain isn't really describing what the agent
  domain actually is used for, but rather just where it's encoded.  How
  about "A domain name which is returned in the DNS Error Reporting
  EDNS0 option that indicates where DNS resolvers can send error reports."

- section 5: option-code "indicates error reporting support is TBD".  I
  suggest it would more clearly understood if it included a reference to
  the fact it's an EDNS0 code: "an EDNS0 code that is used in an EDNS0
  option to indicate support for error reporting.  The name for this
  EDNS0 option code is Report-Channel"

- 6.1 reporting resolver specification: "The EDNS0 report channel option
  MUST NOT be included in queries" -- above you label it as
  "Report-Channel" and I suggest you be consistent with the usage
  everywhere (I didn't check if "report channel" in lower case with a
  space exists elsewhere too)

- 6.2: I'm not sure the reason behind this requirement.  Why would it
  matter if more than one agent supported *receiving* reports?  I think
  the real requirement should be that authoritative servers SHOULD only
  send a single reporting agent to a client and thus only a single
  Reporting Channel EDNS0 option.  (I could even argue this should be a
  MUST.)  But on the server side (either the authoritative server or the
  report-receiving authoritative server) I don't see the point in
  putting this restriction on them.

- security considerations: In the last paragraph I'd mention that there
  is a concern that large measurement query networks (RIPE atlas) or
  bot-networks could misuse this and likely achieve an amplification
  attack against a name put in the reporting option.  I actually wonder
  if it would be good to put in a time-bound rate limit to the number of
  error reports that should be sent anywhere as I have concerns that
  this could be too easily misused and caching may not be a completely
  sufficient mitigation.


-- 
Wes Hardaker
USC/ISI

v2.23.0 | Report a Bug | By Email