Re: [DNSOP] [Last-Call] Opsdir last call review of draft-ietf-dnsop-rfc7816bis-09

Viktor Dukhovni <ietf-dane@dukhovni.org> Sat, 29 May 2021 18:55 UTC

Date: Sat, 29 May 2021 14:55:32 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: last-call@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-rfc7816bis.all@ietf.org
Message-ID: <YLKOJIyWhZCOHdN9@straasha.imrryr.org>
Reply-To: last-call@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-rfc7816bis.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fRig0M4peY6F0l_b-R-nM3sZ_tY>

On Fri, May 28, 2021 at 08:55:16PM -0700, Qin Wu via Datatracker wrote:

> Reviewer: Qin Wu
> Review result: Ready
> 
> This draft defines a DNS Query Name Minimisation mechanism; it is motivated by
> QNAME minimisation implementation lessons and experience and is well documented. I
> believe it is ready for publication.

In a post to the dnsop list on 2020-10-28:

    https://mailarchive.ietf.org/arch/msg/dnsop/_H4aM5AquCSRlz0Pz3ncwl7Plpk/

I suggested that qname minimisation should not be applied to "special-use"
labels (those that start with "_").  I did not see any further
discussion of this point on the list, and the draft does not discuss
these.

Multiple consecutive special-use labels occur in e.g. SRV and TLSA queries:

    _ldap._tcp.ad.example.com. IN SRV ?
    _25._tcp.smtp.example.com. IN TLSA ?

The topmost special-use label (_tcp in the above examples) is often an
empty non-terminal (ENT), and it is sadly somewhat too common for some
name servers to mishandle (should be NODATA) the denial of existence of
ENTs.

Zone cuts at special-use labels are quite rare, and even when present
are unlikely to cross privacy-relevant administrative boundaries.

Because of the substantially increased risk of ENT lookup failure, and
lack of plausible privacy benefits in querying for "_tcp" prior to
querying for "_ldap._tcp", I'd like to see a recommendation in the draft
to avoid splitting the qname after the first special-use label.

-- 
    Viktor.
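As an added illustration (not part of the message above or of the draft), the following script enumerates the query names a QNAME-minimising resolver would send for the two SRV/TLSA names in the message, first splitting at every label and then with the proposed rule of not splitting past the topmost special-use label. Function names are my own, and zone-cut knowledge is deliberately ignored, so every label is treated as a possible cut (the worst case for query count).

```python
# Added example, not code from the message or the draft.  Enumerates the
# successive query names of QNAME minimisation for a given name.  Zone cuts
# are ignored: each label is treated as a possible cut, so the per-label
# sequence is the longest one a minimising resolver could emit.

def labels(qname: str) -> list[str]:
    """Split a (possibly fully-qualified) name into its labels, root omitted."""
    return [l for l in qname.rstrip(".").split(".") if l]

def minimised_names(qname: str, stop_at_special_use: bool = False) -> list[str]:
    """Return the successive query names, shortest first, ending with the full name.

    With stop_at_special_use=True, reaching the topmost label that starts
    with '_' (e.g. '_tcp') ends minimisation and the full qname is sent
    next, so no query for an underscore ENT like '_tcp.ad.example.com.' is
    ever issued.  This is the rule the message proposes, as I read it.
    """
    parts = labels(qname)
    full = ".".join(parts) + "."
    names: list[str] = []
    suffix: list[str] = []
    for label in reversed(parts):          # walk from the TLD towards the left
        if stop_at_special_use and label.startswith("_"):
            break                          # do not split inside the "_" run
        suffix.insert(0, label)
        names.append(".".join(suffix) + ".")
    if names[-1:] != [full]:
        names.append(full)                 # always finish with the real query
    return names

def underscore_ents_queried(qname: str, **kw) -> list[str]:
    """Intermediate names whose leftmost label is special-use: the ENT
    lookups (e.g. '_tcp.ad.example.com.') whose mishandling the message warns about."""
    seq = minimised_names(qname, **kw)
    return [n for n in seq[:-1] if n.split(".")[0].startswith("_")]

if __name__ == "__main__":
    for q in ("_ldap._tcp.ad.example.com.", "_25._tcp.smtp.example.com."):
        print(q)
        print("  per-label:", minimised_names(q))
        print("  proposed: ", minimised_names(q, stop_at_special_use=True))
        print("  ENT risk: ", underscore_ents_queried(q))
```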