IETF Logo Mail Archive

Re: [DNSOP] Benoit Claise's No Objection on draft-ietf-dnsop-dnssec-roadblock-avoidance-04: (with COMMENT)

Wes Hardaker <wjhns1@hardakers.net> Fri, 08 July 2016 22:21 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FE1712D8AB; Fri, 8 Jul 2016 15:21:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.327
X-Spam-Level:
X-Spam-Status: No, score=-3.327 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EG8SYkf6cITu; Fri, 8 Jul 2016 15:21:32 -0700 (PDT)
Received: from mail.hardakers.net (dawn.hardakers.net [IPv6:2001:470:1f00:187::1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7734712D196; Fri, 8 Jul 2016 15:21:32 -0700 (PDT)
Received: from localhost (50-1-20-198.dsl.static.fusionbroadband.com [50.1.20.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.hardakers.net (Postfix) with ESMTPSA id 9C4AC2AF93; Fri, 8 Jul 2016 15:21:31 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Benoit Claise <bclaise@cisco.com>
References: <20160707093130.23717.33167.idtracker@ietfa.amsl.com>
Date: Fri, 08 Jul 2016 15:21:30 -0700
In-Reply-To: <20160707093130.23717.33167.idtracker@ietfa.amsl.com> (Benoit Claise's message of "Thu, 07 Jul 2016 02:31:30 -0700")
Message-ID: <0l1t33ydn9.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.130014 (Ma Gnus v0.14) Emacs/24.5 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gLo3F9GarivI_kD4dsMVALk6bu0>
Cc: tjw.ietf@gmail.com, dnsop-chairs@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-dnssec-roadblock-avoidance@ietf.org, The IESG <iesg@ietf.org>, evyncke@cisco.com
Subject: Re: [DNSOP] Benoit Claise's No Objection on draft-ietf-dnsop-dnssec-roadblock-avoidance-04: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 22:21:34 -0000

"Benoit Claise" <bclaise@cisco.com> writes:

> Here is Eric Vyncke's (pretty knowledgeable security expert) OPS DIR
> review (you'll see that it's in line with Terry's DISCUSS point):
> Based on my operational experience, I have seen multiple DNSSEC packets
> dropped by firewalls because they try to use EDNS0 rather than
> fragmenting. Does your I-D also address this issue?

Section 3.1.3 defines a test to determine if EDNS0 is an issue and
whether a resolver can make of it within the network its deployed in.
So, yes, the draft talks about it.  I don't believe from the above
comment we're missing anything unless you think I've missed your point. 

> I am a little puzzled by the hand waving "we also assume that the path is
> clear of "DNS interfering" crap-ware/middle-boxes, like stupid firewalls,
> proxies, forwarders." (I would avoid the use of "stupid") This
> restriction does not appear as realistic to me in the current
> deployment.

I think this new paragraph should fix these problems (along with the
usage of the words that shouldn't belong in an IETF document).

      NOTE: when performing these tests we also assume that the
      path is clear of "DNS interfering" middle-boxes, like firewalls,
      proxies, forwarders. Presence of such infrastructure can easily
      make a recursive resolver appear to be improperly performing. It
      is beyond the scope of the document as how to work around such
      interference, although the tests defined in this document may
      indicate which such misbehaving middle-ware is causing interference.

> In the wave of IPv6 deployment and IPv4 sunset, I would suggest that
> examples (such as in 3.1.1) uses AAAA RR and not A.

I see your point, but at the same time we're not trying to test for
compliance of IPv6, and thus we are using A to avoid any other test
failure that may have been as a result of an IPv6 record being fetched.
Though, I admit, that if I resolver can't handle AAAA records there is
pretty much zero chance it can handle DNSSEC.  However, I'd rather tests
be super-narrow in what may break when they issue queries.

> It is a little unclear to me WHEN the host should run those test? At boot
> time? At every network attach? When it resumes operation after a sleep
> period? Or a periodic test (such as hourly) ? This could cause a
> scalability problem in vast WiFi deployment.

How does this paragraph sound to address this:

      These tests should be performed when a resolver determines its
      network infrastructure has changed.  Certainly a resolver should
      perform these tests when first starting, but MAY also perform
      these tests when they've detected network changes (e.g. address
      changes, or network reattachment, etc).

> I am also a little puzzled by another hand waving "The goal of this
> document is to tie the above tests and aggregations to avoidance
> practices; however the document does not specify exactly how to do that."
> and later "Else return an useful error code" which will make
> interoperation (API portability) complex.

I need to speak to the author of that sentence to determine his
attention and will get back to it.

> I hope the above will help to improve a very useful document

Thanks so much for your comments!
-- 
Wes Hardaker
Parsons

v2.23.0 | Report a Bug | By Email