Re: [DNSOP] comments on draft-jabley-dnsop-refuse-any-01
神明達哉 <jinmei@wide.ad.jp> Tue, 17 November 2015 21:44 UTC
Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F262A1B3126 for <dnsop@ietfa.amsl.com>; Tue, 17 Nov 2015 13:44:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.722
X-Spam-Level: *
X-Spam-Status: No, score=1.722 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KvxaS0ug7OQW for <dnsop@ietfa.amsl.com>; Tue, 17 Nov 2015 13:44:53 -0800 (PST)
Received: from mail-ig0-x22c.google.com (mail-ig0-x22c.google.com [IPv6:2607:f8b0:4001:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DA751B3123 for <dnsop@ietf.org>; Tue, 17 Nov 2015 13:44:53 -0800 (PST)
Received: by igvg19 with SMTP id g19so105245896igv.1 for <dnsop@ietf.org>; Tue, 17 Nov 2015 13:44:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=Qg7NMH3ZServPbB+hmKgO+hdK2bypPkLsa0Xy+CcV2c=; b=o0cPTJPi+pgr7gfMQBjraZb0Aw4gXtSrxgtQAGv/eAKvLAM+IClPMVYwiK008QALmw KtzqRXAFexxi8TpVSP6/oo93hFWko0dfOTJgF/SnmBf7ct4raIsq+OtvZfX3Dkswam7q LpNg9Zvw15V6MIEjmqXyQPP1AqidKu8jMChqKzoj7k8hsOhJa8oRfcVQQzrmLIMn+pdE 5ecuaGf/UN9C+vqs1UY49vEePlHxPi6ozGtU6WWmLrqyG+TjT9KSWudzzvI35+flLbaY wpJYzg3Gd2Bul1vqhL1eGTIFPdFS01lcNlD9bwwmxxohW/ejhjDk48MDCb1SqGvwHgM7 ZoWQ==
MIME-Version: 1.0
X-Received: by 10.50.160.38 with SMTP id xh6mr3963918igb.41.1447796692598; Tue, 17 Nov 2015 13:44:52 -0800 (PST)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.47.217 with HTTP; Tue, 17 Nov 2015 13:44:52 -0800 (PST)
In-Reply-To: <E9331C17-2B75-4AED-A0F0-1DE51C83DCEB@hopcount.ca>
References: <CAJE_bqdcmL7zF+iW2c=y4hgzXgzAHoYFNAuTtYQYSqJmavYMkg@mail.gmail.com> <E9331C17-2B75-4AED-A0F0-1DE51C83DCEB@hopcount.ca>
Date: Tue, 17 Nov 2015 13:44:52 -0800
X-Google-Sender-Auth: MDIhehX5eCATgcrgk8Q8fd5yHIg
Message-ID: <CAJE_bqccsOSUQh6CwBAZU5Z7E6chefviZeana8GefRbDC5vaow@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Joe Abley <jabley@hopcount.ca>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/eMcNtRONWkjp_xLhcPa_tNbGe8Q>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] comments on draft-jabley-dnsop-refuse-any-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2015 21:44:55 -0000
At Mon, 02 Nov 2015 11:47:26 -0500, "Joe Abley" <jabley@hopcount.ca> wrote: > > - Section 3 > > > > ANY queries are sometimes used to help mine authoritative-only DNS > > servers for zone data, since they return all RRSets for a particular > > owner name. A DNS zone maintainer might prefer not to send full ANY > > responses to reduce the potential for such information leaks. > > > > I'm not opposed to the idea of reducing ANY responses per se, but > > this rationale doesn't sound very strong to me. > > I agree. I think that none of the motivations listed for suppressing ANY > responses are, individually, globally convincing; some will resonate > strongly with some operators with their own particular set of concerns, > and others will better resonate elsewhere. The goal was to provide some > illustrations, not to describe a smoking gun. > > Do you think more text is needed to make this clear? I don't have a particular opinion on the "more text" itself (I'd leave it to you). As for this particular "motivation", however, how to deal with it would affect my other point (allowing ANY query for debugging purposes), so we'll need to handle these points at the same time, in a consistent manner. See below. > > - Section 4 > > > > 1. A DNS responder may choose to search for an owner name that > > matches the QNAME and, if that name owns multiple RRs, return > > just one of them. > > > > If the choice of the "one" is not deterministic and especially if a > > zone uses different authoritative server implementations, then it's > > more likely that they return "inconsistent" responses. This may not > > be a problem, but we may want to encourage consistent behavior, > > e.g., by suggesting the choice of smallest (not just 'a small') one > > in Section 5. > > My inclination was to leave this decision up to the implementation, or > the operator; it wasn't obvious to me that prescribing a single approach > was likely to result in the best approach in different situations. > > We could certainly add some text with the observation that you made, as > guidance to both implementations and operators -- i.e. advice that a > particular server or set of servers acting together as a cluster SHOULD > make a predictable choice in this case, on the basis that predictability > has operational value. I'm fine with that. > > - In terms of using ANY query for debugging purposes, and if our main > > goal is to prevent abuses like amplification attacks rather than > > mining, I wonder whether we want to allow the original behavior > > under some conditions, e.g., queries authorized by TSIG or sent over > > TCP. > > I think we described the whole mechanism as a big giant MAY, and the > inference we intended was that you don't have to do this at all if you > don't want to. Choosing not to do it for particular clients or in > response to particular transport protocols, the presence or absence of > TSIG or SIG(0) is consistent with the advice in the text, I think -- but > if you think this needs to be called out explicitly, I am not opposed. Hmm, maybe I have to re-read the whole text again, but my impression at the time of writing the comment was that many future implementations will support the mechanism, perhaps with a binary enable/disable configuration switch whose default is "enable". If that's the case, it's quite unlikely that we keep the debugging capability with ANY since very few users will be willing to disable the whole feature unconditionally. So I think it helps if we mention it explicitly. And, there's a relationship between this point and about "mining" motivation (see above): allowing the original ANY behavior for queries over TCP makes sense if the concern is to be abused for amplification DoS, but not if it's about "mining". But "allow it over TCP" will be more convenient than requiring a stronger authentication like TSIG since it doesn't require a setup at the client side. So, if we generally agree that the motivation about "mining" is weak, it's more consistent if we just don't include it in the motivation while we mention the possibility of allowing ANY over TCP for debugging purposes. Another option is to still mention "mining" in motivation but we note "ANY over TCP for debugging" will undermine it. > > - I wonder whether we want to use a new type of RR rather than HINFO > > for synthesized responses. (I've not closely followed discussions on > > this draft, so perhaps it was already considered and rejected?). > > This suggestion was raised (well, there was angry shouting about how > wrong HINFO was) by Ed Lewis, and I talked to him briefly about it in > person in Dublin. Paraphrasing, Ed's strong opinion is that we are > sending a new kind of information using an RRType that was not defined > for this purpose, and that doing so is lazy and inconsistent with the > advice that we gave (e.g.) around SPF vs. TXT. I, for one, totally agree with this paraphrased argument. The logic of the counter-argument in the next paragraph looks to me like a variant of the typical excuse used by many TXT "abusers". Allowing such an argument for ourselves while acting as the RR-type police for others (dnsop people are the usual suspects as the police in my understanding) seems to be hypocrisy to me. Also, the argument that this is an intended use of HINFO (the last paragraph) sounds arbitrary and is not very convincing, at least to me. On the understanding of how HINFO is chosen, I'd now more positively suggest using a new RR type. > A counter-argument to that is that this is new behaviour, and that there > is operational value in being able to send a test query with QTYPE=ANY > and get a response that is human-readable using existing tools. We > observe that many systems, even those with bleeding edge versions of > BIND9/knot/NSD/whatever, often have fairly ancient versions of dig > installed, and an operator at the command line is best served with a > response she can read. > > I know I have already received multiple questions from people > troubleshooting ANY queries against cloudflare servers based on the fact > that the HINFO RDATA contains the token "jabley". Which I am grateful > for, because I don't get nearly enough e-mail. :-) > > HINFO was intended to convey information about a host, and our use of > HINFO is conveying that kind of information, loosely speaking. Given the > specific desire to use an RRType that is already understood by deployed > troubleshooting tools, and mindful of the fact that HINFO is rarely used > otherwise (I believe there is no example of it being used in the > portfolio of domains that Cloudflare hosts, and I believe that's also > true for Dyn), it seemed like a reasonable choice. -- JINMEI, Tatuya