Re: [DNSOP] Murray Kucherawy's Discuss on draft-ietf-dnsop-dns-catalog-zones-08: (with DISCUSS and COMMENT)
Willem Toorop <willem@nlnetlabs.nl> Tue, 07 February 2023 10:03 UTC
Return-Path: <willem@nlnetlabs.nl>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D08F4C1516E0 for <dnsop@ietfa.amsl.com>; Tue, 7 Feb 2023 02:03:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nlnetlabs.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gM91mFidMa-e for <dnsop@ietfa.amsl.com>; Tue, 7 Feb 2023 02:02:59 -0800 (PST)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB396C1516F3 for <dnsop@ietf.org>; Tue, 7 Feb 2023 02:02:58 -0800 (PST)
Received: by mail-ej1-x62b.google.com with SMTP id hr39so12180067ejc.7 for <dnsop@ietf.org>; Tue, 07 Feb 2023 02:02:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nlnetlabs.nl; s=google; h=content-transfer-encoding:in-reply-to:subject:content-language :references:cc:to:from:user-agent:mime-version:date:message-id:from :to:cc:subject:date:message-id:reply-to; bh=u7w1sYKoaJE+0bvqejFeeeJwmh6IzFSA/a4VmeCPuBc=; b=TM+8P67DRs4vdKZJJVq1vG+iJ1FooiIEFbFR8IyEJ7xMHAJW2emTeYkqhCjqJGEIox 3B/HqKR9QUYZhi6Y8d1zlJI7oGcfc5SIuVDD6/vtOOuPBOlNPKrvjvUDXFKCNEld8wmW 6Pe9jnWVvLyCSucqheSy0ZxWlORwy/55p/zUH6CVwa5/NPv6/tHpTOxRVLs8E0Na7En/ UHt7BnbY2LfclaLJ8THDEfRx9PuXf69Z2cKEmtCJDQdv1OfYtf7/0JRpcUa3pIcgdepX BE95lPDAKjYljLRzZbiYHRP7rU722jcDD0kFaccHWnD2E8LuFd0Ex45jIQah1dc+2MOQ u8kA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=content-transfer-encoding:in-reply-to:subject:content-language :references:cc:to:from:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=u7w1sYKoaJE+0bvqejFeeeJwmh6IzFSA/a4VmeCPuBc=; b=bsDoAdm8f/eJ1BwSUAy9vtD+hOXXOmIIahtL7cfBTK/1rup9fLxYZ6+oyEcPJAWk++ Hj9Z+FfQEpFbAlBkn+hZQGR/r8okm7bDOEQGv9mlTWzMic3PVIZaQOLfbZ1QZB9o0tnC p4+H3WQLab8MCL2WsDshrfCZxocL+/bEkZxemg2W0bOYLY5Qt7pvXPH1KkAPAjVcwA8p aPRbylPlib8P+HkxNF060oZf4ShNOwyiXlxpNB9/WqUEqdWubqJneb0IHEMbZ8JB7FyZ eZkehsr0/gxfABmK7g5nc0E9KFXsP78ZH0y+418MB2nn3GwXoaWZ85k//9ut5kQhtW3Z 88WQ==
X-Gm-Message-State: AO0yUKXLBzXwThs9T7DtT1oCg5vxqWiOh+sEj47aBNFr+rIPgLnkWIt2 qapSD5BgWqwXl94dbCJNIl/FPQ==
X-Google-Smtp-Source: AK7set+sz8S86nDJ5wb+zVRJCX4FY7O38fatJbgYB+jn+57Lk3UYRKmWw4lyCIsLphrLt2HGDZN63g==
X-Received: by 2002:a17:906:69c8:b0:87b:f7dd:792f with SMTP id g8-20020a17090669c800b0087bf7dd792fmr2740364ejs.8.1675764176805; Tue, 07 Feb 2023 02:02:56 -0800 (PST)
Received: from ?IPV6:2a10:3781:2851:0:7c9b:23a5:63ef:7817? ([2a10:3781:2851:0:7c9b:23a5:63ef:7817]) by smtp.gmail.com with ESMTPSA id b10-20020a1709062b4a00b008a94f69a1e7sm784993ejg.163.2023.02.07.02.02.55 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 07 Feb 2023 02:02:56 -0800 (PST)
Message-ID: <7e2da94f-e5ed-ec19-df23-ad4a9943668c@nlnetlabs.nl>
Date: Tue, 07 Feb 2023 11:02:53 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1
From: Willem Toorop <willem@nlnetlabs.nl>
To: Murray Kucherawy <superuser@gmail.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-dns-catalog-zones@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, tjw.ietf@gmail.com
References: <167226657909.17946.15087865938792018398@ietfa.amsl.com>
Content-Language: en-US
In-Reply-To: <167226657909.17946.15087865938792018398@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/dg2E0Afsql1pxcvMcIn4m-cMsFA>
Subject: Re: [DNSOP] Murray Kucherawy's Discuss on draft-ietf-dnsop-dns-catalog-zones-08: (with DISCUSS and COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Feb 2023 10:03:03 -0000
Hi Murray, Hi Éric, I have added Éric on CC because he also asked for a IANA registry for catalog zones properties (which we have added). Op 28-12-2022 om 23:29 schreef Murray Kucherawy via Datatracker: > (1) It's expected (required?), with no actions for IANA, to expressly include a > section that says so. It's conspicuously missing here. We've added the section. > (2) Why is there no registry for custom properties? I can see that Section 4.5 > takes a run at dealing with the collision risk by SHOULDing a particular way of > naming custom properties, but it feels to me like a registry is the right way > to deal with this. As a consumer of this work, I might not want to reveal (via > names) which DNS implementation I'm using, for example. We (the co-authors) discussed this and do recognize that a registry for *properties* is a good idea and have added that to the draft (with PR https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/pull/67 ) > (3) I have a similar question about groups in Section 4.4.2; "nodnssec" is an > example of something that we might want to register with global semantics, or > more generally, that some values might be common in implementations and > therefore worth documenting. Those group values are not for implementations, but for operators to choose. We have done several modifications to clarify that: - The group values now have non-descriptive names as to not suggest that they have meanings in implementations (it's the operator that determines the "meaning" and not the implementation) - We have extended the lines about catalog producers publishing at two consumer operators and how mapping of group values is a matter of those producer/consumer relationships, so it now reads: "Implementations MAY facilitate mapping of a specific group value to specific configuration configurable on a per catalog zone basis to allow for producers that publish their catalog zone at multiple consumer operators. Consumer operators SHOULD namespace their group values to reduce the risk of having to resolve clashes." > (4) Do we need a registry of names that are special in the context of catalog > zones, e.g., "zones", "ext", "group", "version", "coo", "invalid"? We have added a registry for catalog zones properties, already provisioned with "zones", "ext", "group", "version" and "coo". The latest version of the IANA registry (including "zones") can be seen here: https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/blob/master/draft-ietf-dnsop-dns-catalog-zones.md#iana-considerations-iana "invalid" is already part of the "Special use domain names" registry: https://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml > Separately: What action should be taken if a nameserver is already > authoritative for a zone (say, is a primary), yet it receives a catalog update > that now contains that same zone? This seems like a possible attack that > should be discussed. I guess the second-last paragraph of Section 7 covers > this, though indirectly. There is text for this in section 5.2: "If there is a clash between an existing zone's name (either from an existing member zone or otherwise configured zone) and an incoming member zone's name (via transfer or update), the new instance of the zone MUST be ignored and an error SHOULD be logged." > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > General: > > Could I trouble you for an example of a complete sample catalog zone, perhaps > in BIND format, in an appendix? I can see each individual concept illustrated, > but it would be helpful to see them assembled someplace. Ack. We've added a sample zone: https://github.com/NLnetLabs/draft-toorop-dnsop-dns-catalog-zones/blob/master/draft-ietf-dnsop-dns-catalog-zones.md#catalog-zone-example > Section 3: > > "Catalog consumers MUST ignore any RR in the catalog zone which is meaningless > to or otherwise not supported by the implementation" seems peculiar. Wouldn't > you do that anyway? We thought it couldn't harm to repeat this for clarity. Some reviewers "stumbled" over the word "meaningless" so we rephrased this to: "Catalog consumers MUST ignore any RRs in the catalog zone for which no processing is specified or which are otherwise not supported by the implementation." > Section 4.1: > > Given the text in Section 3 (specifically that a catalog zone follows the same > rules as any other zone), is this section needed? The third paragraph could be > its own differently-named section, but the rest seems redundant. This has moved up and rephrased into one sentence: "A catalog zone MUST follow the usual rules for DNS zones. In particular, SOA and NS record sets MUST be present and adhere to standard requirements (such as [RFC1982])" Is that better? > Section 4.2: > > The SHOULD at the end leaves implementers with a choice. Why might an > implementer choose to do something other than what it says? Or should this > really be a MUST? As it is most likely that catalog producers and consumers hold the zone authoritatively, TTLs shouldn't play a role as the records are not cached anyway. However, we could imagine a catalog consumer processing the catalog (or part of it) by performing queries. Such a consumer may not have the choice to ignore TTLs when it is querying indirectly via a resolver. SHOULD leaves the door open for other "kinds" of implementations than we have now. > Section 4.3: > > It doesn't say anywhere (unless I missed it) that the RRTYPEs of properties are > unspecified, and depend on the property. It might be good to make that > explicit, because I kept searching for it. We said in the second half of the second sentence of the section: "with type(s) as appropriate for the respective property." We've changed "with type(s)" into "with RR types(s)" to make it clearer. > Section 4.4.1: > > Regarding the last paragraph, is there any advice to pass on to operators about > how exactly one can tell when the COO is complete? Not really without querying all the secondaries, but at least secondaries will pick it up if they either lost the notify or were down. I suppose monitoring the network status of the secondary provider and making sure the whole network has been up for at least the refresh time of the catalog zone ... and then a bit more, would be a safe bet, but it's very much dependent on the specific operational reality. > Section 7: > > Why are the protections of zone transfers and updates only SHOULDs? It depends on the operational reality. Zone transfers may be using a completely separate distribution network which is shielded from external DNS access (with VPNs or UPDATES from an internal network or local machine even). It is also not a MUST with zone transfers in general which may also contain privacy sensitive or operational critical information. I plan to record all the changes that have been done in the Change History appendix and then upload version -09 for rereview. Best regards, Willem Toorop on behalf of the draft-ietf-dnsop-dns-catalog-zones co-authors
- [DNSOP] Murray Kucherawy's Discuss on draft-ietf-… Murray Kucherawy via Datatracker
- Re: [DNSOP] Murray Kucherawy's Discuss on draft-i… Willem Toorop
- Re: [DNSOP] Murray Kucherawy's Discuss on draft-i… Murray S. Kucherawy