Re: [DNSOP] DNSOPWorking Group Last call for draft-ietf-dnsop-dns-error-reporting
Wes Hardaker <wjhns1@hardakers.net> Fri, 09 June 2023 15:38 UTC
Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A601C14CE30; Fri, 9 Jun 2023 08:38:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lg6YjT2FUR8z; Fri, 9 Jun 2023 08:38:03 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [107.220.113.177]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EED7CC14CF1F; Fri, 9 Jun 2023 08:38:02 -0700 (PDT)
Received: from localhost (178-196.icannmeeting.org [199.91.196.178]) by mail.hardakers.net (Postfix) with ESMTPA id 8F7782060D; Fri, 9 Jun 2023 08:38:02 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Benno Overeinder <benno@NLnetLabs.nl>
Cc: DNSOP Working Group <dnsop@ietf.org>, DNSOP Chairs <dnsop-chairs@ietf.org>
References: <fa6ec641-0eab-dec6-2267-3ca818402812@NLnetLabs.nl>
Date: Fri, 09 Jun 2023 08:38:01 -0700
In-Reply-To: <fa6ec641-0eab-dec6-2267-3ca818402812@NLnetLabs.nl> (Benno Overeinder's message of "Thu, 8 Jun 2023 11:59:59 +0200")
Message-ID: <ybly1kswsrq.fsf@wx.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dCq4dbJwpqu45yclohqYSRj3MG8>
Subject: Re: [DNSOP] DNSOPWorking Group Last call for draft-ietf-dnsop-dns-error-reporting
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2023 15:38:03 -0000
Benno Overeinder <benno@NLnetLabs.nl> writes: > This starts a Working Group Last Call for: > draft-ietf-dnsop-dns-error-reporting. Overall: I support the publication of this document and believe it is a good addition to the DNS specifications. Some suggestions: - section 1: "reported via social media" -> "report via E-Mail or social media" -- anyone subscribed to dns-operations and various *og lists will know that a lot of errors are reported to operational communities over email. - Terminology: Why is a reporting resolver listed as validating here? From what I can tell from the rest of the document, this should be a more generic reporting mechanism even if the examples are DNSSEC related. The EDE document has many errors that have nothing to do with DNSSEC (filtering being one example). - Terminology: Report Query's last sentence is hard to read. Maybe "The content of the error report is encoded in the QNAME of a DNS request to the reporting agent." - TBD: Terminology: Monitoring agent: I'm not sure that the monitoring agent has to respond or not? - Terminology: Agent Domain isn't really describing what the agent domain actually is used for, but rather just where it's encoded. How about "A domain name which is returned in the DNS Error Reporting EDNS0 option that indicates where DNS resolvers can send error reports." - section 5: option-code "indicates error reporting support is TBD". I suggest it would more clearly understood if it included a reference to the fact it's an EDNS0 code: "an EDNS0 code that is used in an EDNS0 option to indicate support for error reporting. The name for this EDNS0 option code is Report-Channel" - 6.1 reporting resolver specification: "The EDNS0 report channel option MUST NOT be included in queries" -- above you label it as "Report-Channel" and I suggest you be consistent with the usage everywhere (I didn't check if "report channel" in lower case with a space exists elsewhere too) - 6.2: I'm not sure the reason behind this requirement. Why would it matter if more than one agent supported *receiving* reports? I think the real requirement should be that authoritative servers SHOULD only send a single reporting agent to a client and thus only a single Reporting Channel EDNS0 option. (I could even argue this should be a MUST.) But on the server side (either the authoritative server or the report-receiving authoritative server) I don't see the point in putting this restriction on them. - security considerations: In the last paragraph I'd mention that there is a concern that large measurement query networks (RIPE atlas) or bot-networks could misuse this and likely achieve an amplification attack against a name put in the reporting option. I actually wonder if it would be good to put in a time-bound rate limit to the number of error reports that should be sent anywhere as I have concerns that this could be too easily misused and caching may not be a completely sufficient mitigation. -- Wes Hardaker USC/ISI
- [DNSOP] Working Group Last call for draft-ietf-dn… Benno Overeinder
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Wes Hardaker
- Re: [DNSOP] Working Group Last call for draft-iet… Benno Overeinder
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Willem Toorop
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Paul Wouters
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Wes Hardaker
- Re: [DNSOP] Working Group Last call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Benno Overeinder
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends