Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-requirements
Joe Abley <jabley@hopcount.ca> Mon, 19 April 2021 11:31 UTC
Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D41203A2DE1 for <dnsop@ietfa.amsl.com>; Mon, 19 Apr 2021 04:31:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9OZtWRJAM3T for <dnsop@ietfa.amsl.com>; Mon, 19 Apr 2021 04:31:53 -0700 (PDT)
Received: from mail-qt1-x831.google.com (mail-qt1-x831.google.com [IPv6:2607:f8b0:4864:20::831]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E8EB3A2DDF for <dnsop@ietf.org>; Mon, 19 Apr 2021 04:31:52 -0700 (PDT)
Received: by mail-qt1-x831.google.com with SMTP id c6so25754101qtc.1 for <dnsop@ietf.org>; Mon, 19 Apr 2021 04:31:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Y1ZWDq/T0+Qla6O4fU1Yoh7WfmWDKN6+0qeIjAs9RZw=; b=mLXwkjuvzjx91zS7txDsYUpuMSQf3c0I3BX9Ek66r9hM0+3pNDyqDK4FW+FSH46Ezu uf0iBjP0XaBAoqIYWYKyLzQ66N59MKtWR7XjtzmlNYE3sWcZC9Z/seKoXgL84nfQWHk3 nYErSmvugBdOF3Pn4lnSXklc0UCoNZoOuslvE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Y1ZWDq/T0+Qla6O4fU1Yoh7WfmWDKN6+0qeIjAs9RZw=; b=hbpxHboEvH9z8jGNaUP6Drgy+YU/SFIc7gNnbx+Iejy1lKdd3CeNDs7+pcW/IKPZNu vBcAj7nlqzRg08JbIb6Mt9O/hhQdNCpxkagkJW9B3EzMAxImYqkm/W2HKNNlFZUSKVcp BIev8wUw0GWGeXRQKVo/BJ4oH1NYk+UvygAYoDcHQb3xFmGvjDMx6Lf8t+bWeXP1WLr+ QWdhjXy7an+Y/OM/jzV8nGsgYSou2LGXIcyjaNl0KY0QymKNLq+sF2EXU1yrCFSWRwe4 wibgPA+tpdiRJZxFQIe1R7YHEJlC/XbdXKBx6AILNNqLAOhDZGaShS5aCAoC3pSZdOkS wrXA==
X-Gm-Message-State: AOAM531nM/cWFiAnichofx0ye6tm4wHbzi9PedNdrFp8dXuC94Dv9iIX JSvbghISoDOA3Rkp8aKr9drMHemJ1B1RNR1j
X-Google-Smtp-Source: ABdhPJzLeACrD2W/Bj2BT6051T8pUTH5vN2IUuz/HZfQlqngPr55xBpER5ou9Fvwp7YloZsp3jEzSQ==
X-Received: by 2002:ac8:4883:: with SMTP id i3mr11217626qtq.232.1618831911140; Mon, 19 Apr 2021 04:31:51 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:e784:c7:a9e3:9dcf:2c3e:cd4c? ([2607:f2c0:e784:c7:a9e3:9dcf:2c3e:cd4c]) by smtp.gmail.com with ESMTPSA id x7sm3281744qkp.40.2021.04.19.04.31.49 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 Apr 2021 04:31:50 -0700 (PDT)
From: Joe Abley <jabley@hopcount.ca>
Message-Id: <9FDEDB22-997A-479A-9EC8-818988BC1A79@hopcount.ca>
Content-Type: multipart/alternative; boundary="Apple-Mail=_6B64B5A9-DC69-4EB8-A694-8CF1DD04849D"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Mon, 19 Apr 2021 07:31:49 -0400
In-Reply-To: <93D82731-7B33-4E39-8DEF-FF6C14803191@gmail.com>
Cc: dnsop@ietf.org
To: Suzanne Woolf <suzworldwide@gmail.com>
References: <93D82731-7B33-4E39-8DEF-FF6C14803191@gmail.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hDHKHBA6V2vlNznWVS1Arrg_WfY>
Subject: Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 11:31:58 -0000
Hi Suz, On 18 Apr 2021, at 19:17, Suzanne Woolf <suzworldwide@gmail.com> wrote: > This message starts the Working Group Last Call for draft-ietf-dnsop-tcp-requirements (https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-tcp-requirements/ <https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-tcp-requirements/>) I have read draft-ietf-dnsop-dns-tcp-requirements-07 and have the following comments, in flagrant defiance of George's advice to ship the document based mainly on considerations of age. :-) I think these are all fairly minor. Abstract, Section 4.4 "DNS-over-TLS" The abstract includes the sentence "This includes both DNS over unencrpted TCP, as well as over an encrypted TLS session." The later section 4.4 says "this document applies equally well to DNS-over-TLS'. The inclusion of DoT looks like an afterthought that has not been entirely afterthought-through. The procedural updates to 1034 in section 3 clearly don't apply to RFC 7858; the justifiable confusion about transports in the DNS (the main topic of this document) also doesn't apply to 7858 which only specifies use of TLS, not DTLS. I suggest that this document is really only concerned with strengthening the requirements around the use of TCP transport as described in 1034 and 1035 and that mentioning any other transport is unhelpful and arguably introduces more confusion. I think that sentence should be changed in the abstract to reflect that and section 4.4 should be removed. I would not be surprised to hear that this DoT text was added precisely to address some other earlier reviewer's opinion to the contrary, but this is what I think. While we're at it, I think this document *requires* the practice of permitting TCP transport; it doesn't simply encourage it. So how about: OLD: This document encourages the practice of permitting DNS messages to be carried over TCP on the Internet. This includes both DNS over unencrypted TCP, as well as over an encrypted TLS session. The document also considers the consequences with this form of DNS communication and the potential operational issues that can arise when this best current practice is not upheld. NEW: The specification of the DNS allows both UDP and TCP to be used as transport protocols for exchanging unencrypted DNS messages. However, for various reasons, the availability of TCP transport has sometimes been interpreted as being optional. This document clarifies the need to provide TCP transport for both clients and servers and strengthens the requirement of DNS implementations to support both. 2.3 EDNS0 RFC 6891 uses the notation EDNS(0), not EDNS0. Since 6891 obsoletes 2671 it seems reasonable to adopt its notation. I suggest going all search and replace on that. 2.4 Fragmentation and Truncation The second paragraph does not mention another fundamental problem with stateless protocols over IPv6 when datagrams require truncation, which is that the requirement in v6 to fragment and resent from the source is not possible when the source has not retained any state regarding to the response that was just sent. While I had my hands in the patient I also added a small reference to tunnel encaps in IPv4. OLD: For IPv4-connected hosts, the de-facto MTU is often the Ethernet payload size of 1500 bytes. This means that the largest unfragmented UDP DNS message that can be sent over IPv4 is likely 1472 bytes. For IPv6, the situation is a little more complicated. First, IPv6 headers are 40 bytes (versus 20 without options in IPv4). Second, it seems as though some people have mis-interpreted IPv6's required minimum MTU of 1280 as a required maximum. Third, fragmentation in IPv6 can only be done by the host originating the datagram. The need to fragment is conveyed in an ICMPv6 "packet too big" message. The originating host indicates a fragmented datagram with IPv6 extension headers. Unfortunately, it is quite common for both ICMPv6 and IPv6 extension headers to be blocked by middleboxes. According to [HUSTON] some 35% of IPv6-capable recursive resolvers were unable to receive a fragmented IPv6 packet. NEW: For IPv4-connected hosts, the MTU is often the Ethernet payload size of 1500 bytes. This means that the largest unfragmented UDP DNS message that can be sent over IPv4 is likely 1472 bytes, although tunnel encapsulation may reduce that maximum message size in some cases. For IPv6, the situation is a little more complicated. First, IPv6 headers are 40 bytes (versus 20 without options in IPv4). Second, it seems as though some people have mis-interpreted IPv6's required minimum MTU of 1280 as a required maximum. Third, fragmentation in IPv6 can only be done by the host originating the datagram. The need to fragment is conveyed in an ICMPv6 "packet too big" message. The originating host indicates a fragmented datagram with IPv6 extension headers. Unfortunately, it is quite common for both ICMPv6 and IPv6 extension headers to be blocked by middleboxes. According to [HUSTON] some 37% of IPv6-capable recursive resolvers were unable to receive a fragmented IPv6 packet. Even if the originating host does receive a signal that fragmentation is required, the stateless nature of the DNS protocol is such that the host does not generally retain a copy of the message concerned and hence is unable to fragment and re-send anyway. The third paragraph refers to "BIND" without a reference. While it seems ridiculous to imagine that anybody my age would not know what BIND was (ignoring the distinction that has been made between BIND and BIND9) there are other popular products today and terrible young people who are wandering all over my lawn. I think a reference would be useful. The fifth paragraph refers to "growing sentiment in the DNSSEC community" which would benefit from being anchored in time, ideally with a citation. 2.5 "Only Zone Transfers Use TCP" Second paragraph: replace "historic" ("having importance in or influence on history") with "historical" ("based on past events or set in the past"). 4.1 "Connection Establishment and Admission" Third paragraph might benefit from a reference to RFC 5358/BCP 140. Joe
- [DNSOP] WGLC for draft-ietf-dnsop-tcp-requirements Suzanne Woolf
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… George Michaelson
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… John Kristoff
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Peter van Dijk
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Peter van Dijk
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Brian Dickson
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Tim Wicinski
- Re: [DNSOP] [Ext] WGLC for draft-ietf-dnsop-tcp-r… Paul Hoffman
- Re: [DNSOP] [Ext] WGLC for draft-ietf-dnsop-tcp-r… Joe Abley
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Wessels, Duane
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Wessels, Duane
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Wessels, Duane
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Peter van Dijk
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Wessels, Duane
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Donald Eastlake
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Wessels, Duane
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Donald Eastlake
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… John Kristoff
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Tony Finch
- Re: [DNSOP] WGLC for draft-ietf-dnsop-tcp-require… Suzanne Woolf