Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-7706bis

Tim Wicinski <tjw.ietf@gmail.com> Sat, 16 November 2019 01:59 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 151B212004C; Fri, 15 Nov 2019 17:59:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5vfc1lH1FB7X; Fri, 15 Nov 2019 17:59:38 -0800 (PST)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D56E2120044; Fri, 15 Nov 2019 17:59:37 -0800 (PST)
Received: by mail-oi1-x233.google.com with SMTP id s71so10323904oih.11; Fri, 15 Nov 2019 17:59:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=q2KavIuAV2Cdt4NwCMXuWlzcijwgcprrfeXNmJNi5I4=; b=VVpmJ31BkHUoRr9iB7ZrXT5G3CZ51qVXUcREUEHXJaDKZRVLAnstNTlAA8rZ9UdyiB /PumSrb0vImAC6TCMPFWOrru71UQ1NrDBe1yTK5FGY5Ttc9h97LtzVam5tTjeUIzDXe/ WSzRt8EAqDrPOdD15j5L30NT5nK7Wgaeg98UgUaxLEBiuAa3r5E7E+sTG3bj3l36t6on DevqmMLodAGifBHrStBc/0sqr1wDndRb4W5oFDn3i3nbY8e9IEv0O9ZGtBsQoyH/dldT UUPH5U5Kvlk7TiKG3C64BBeizdA78kKFhkpK4XuSa57uCZDKSfUXvt0r3nB/mtC/T3IO qLBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=q2KavIuAV2Cdt4NwCMXuWlzcijwgcprrfeXNmJNi5I4=; b=Q25z/A78grSu13xMW4y0PG/9PlvZR/AF5WDN01pAdEJyKEuMeX+rNP/ZT7Ikl0DZZ7 1Jnpvt0G1w2xj56Y9DNWH8BD/WB2o6NSYEu7TcyDCyK/I5Ez2J4YVWjHDBYrM9n16kEt 1/KUHThMvG2MDtehBC4dN+hdm5m3B1VeLrIRAl2jJLPI1NqNwSke9VY3CgMYfAaPi9RW uX2p0waX+0I9nZQMHwjt06vOUWu5jCHMh6YUSXak4qJLJCRWxt7qKGGMH7YljAqv8PWB IZ+Qi/MGSOyhQ33C3SYUtzMj2Xy5ol4jyCNfZKP2aG2pnvhN3kk2Wz/qnJkrbqHxytGB +J/w==
X-Gm-Message-State: APjAAAVUpnQbQXPF+rGzsVIIPVQk2L7KpMQIVw8e63m46wvsmZKCsFcS D+1GgO0SAUamHl9YhIaWok7RpoV1TM+eNYl8uyazam4tO1c=
X-Google-Smtp-Source: APXvYqyhGICXaRLPOOXKVrFxvPRCfWGw+JwE2H/6zJ83tPWGqnjlPu2aCR/O0chvP0Auq9uegEE6dFclaJxTgpC/OQY=
X-Received: by 2002:aca:484e:: with SMTP id v75mr10614683oia.6.1573869576977; Fri, 15 Nov 2019 17:59:36 -0800 (PST)
MIME-Version: 1.0
References: <CADyWQ+EOj_G=qYSn15QCvi21nCyf=62=sB+RrvzAJKq51Xqivg@mail.gmail.com> <yblr22bcp6m.fsf@w7.hardakers.net>
In-Reply-To: <yblr22bcp6m.fsf@w7.hardakers.net>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Sat, 16 Nov 2019 09:59:25 +0800
Message-ID: <CADyWQ+FNdg1m3WqRKAn-qbc-YzJhCj4gyWaBif_AP+4FzAN9NA@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Cc: dnsop-chairs <dnsop-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000f000b05976d117e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/hDUR3FYOHHoWdMD0cm15mkMN8Z0>
Subject: Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-7706bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Nov 2019 01:59:41 -0000

The WGLC  for draft-ietf-dnsop-7706bis has finished and their are editorial
comments that
the authors will address shortly. Otherwise the chairs feel the draft is
ready to move forward.

thanks for all reviews

Tim



On Thu, Nov 14, 2019 at 7:49 AM Wes Hardaker <wjhns1@hardakers.net> wrote:

> Tim Wicinski <tjw.ietf@gmail.com> writes:
>
> > This starts a Working Group Last Call for draft-ietf-dnsop-7706bis
>
> Up front: as you know, I support this document fully being the driver
> behind localroot.isi.edu that's mentioned in the document.  That being
> said, I do want to raise a few points/suggestions:
>
> 1. "... because negative answers are sometimes cached for a much shorter
>    period of time."
>
>    I'd like to suggest amending that with "time and because many queries
>    received at the roots are for leaked or garbage strings as well as
>    some many that are generated algorithmic by applications attempting
>    to detect NXDOMAIN rewriting".  In particular, the vast vast majority
>    of the junk is not from low negative caching, but from the fact that
>    each queries are frequently different random garbage strings and the
>    vast majority of those are generated by Chromium based products (and
>    probably others at this point too).
>
> 2. The next paragraph talks about the benefits being weak for true
>    responses, due to caching, but as the root becomes more and more flat
>    as new gTLDs are added (with another round likely "soon"), this
>    statement will become more and more false.
>
> 3. Though the document has "relaxed" the specification to not require a
>    loopback address/interface, this is still functionally a no-op since
>    it still requires only serving data from the localhost.  That's not
>    really relaxing it much; it just means functionally the same thing
>    with a slightly wider view of how to implement it.
>
> 4. In the second to last paragraph in the introduction, it might be
>    worth adding 'Some resolver software supports being both an
>    authoritative server and a resolver but separated by logical "views",
>    allowing a local root to be implemented within a single process'.
>    And you could even list the appendixes, where most of the example
>    configuration actually makes use of this notion.
>
> 5. In section 3, there are broken sentences:
>
>    "In a system that is using a local authoritative server for the root
>    zone.  if the contents of the root zone cannot be refreshed before
>    the expire time in the SOA, the local root server MUST return a
>    SERVFAIL error response for all queries sent to it until the zone can
>    be successfully be set up again."
>
>    I think this is meant to be
>
>    "In a system that is using a local authoritative server for the root
>    zone, if the contents of the root zone cannot be refreshed before
>    the expire time in the SOA, the local root server MUST return a
>    SERVFAIL error response for all queries sent to it until the zone can
>    be successfully be set up again."
>
> 6. regarding the next paragraph: "In a resolver that is using an
>    internal service for the root zone.  if the contents of the root zone
>    cannot be refreshed before the expire time in the SOA, the resolver
>    MUST immediatly switch to using non-local root servers."
>
>    You're prescribing implementation choices here, not the goal: the
>    goal is to prevent resolvers from returning stale data (though....
>    with serve-stale in effect too.......).  There are two immediately
>    obvious choices for how to do this: 1) switch to non-local root
>    service, as you state.  or 2) return SERVFAIL from the resolver.
>    E.G., I'm not sure existing implementations, including the config in
>    the appendix, follow this MUST.  To aggrevate this issue further: I'm
>    not sure how a resolver would *know* that the data is stale from the
>    local root it is querying (there are hints of this later, but I have
>    issues with that too; see below).  Functionally, this text is
>    mandating an architecture that is not likely implemented today and is
>    not likely to be implemented in the future (I'm guessing, but happy
>    to be proven wrong).
>
>    Wouldn't it be better to state simply "Resolvers MUST NOT return
>    stale data."  But again, I'm not sure how to implement that without
>    requiring a very specific binding between the resolver and the local
>    root server, which is rather special-case.  You have already
>    prescribed that the local root server itself should return SERVFAIL
>    and I think that's really all you need to, or can, prescribe.
>
> 7. In the last paragraph in 3, it requires the administrator to check
>    whether or not the SOA is fresh and shows a potential mechanism for
>    doing that. But, even that is subject to fail unfortunately.  Again,
>    you're trying to get the resolver to be intelligent with data that it
>    doesn't have access to.  That requirement should be put into the
>    local root server instead, and again is covered by having it return
>    SERVFAIL on out-of-compliance data.  The resolver half of the
>    deployment can not test this easily, but the (potentially
>    pseudo-)authoritative server can.  That's what the requirement should
>    be aimed at.
>
> 8. The security considerations talk about limiting damage from broken
>    deployments to "any other system that might try to rely on an altered
>    copy of the root.".  I think, however, that the damage may be seen by
>    any client that depends on the resolver making use of a local root
>    server when the local root server becomes problematic.  IE, if the
>    resolver is serving an enterprise and its localhost accessible local
>    root has a problem, the entire enterprise will have a problem.
>
> 9. In appendix A, can you please add "localroot.isi.edu" as a domain
>    from which you can AXFR the zone too?  It's mentioned in the next
>    section.
>
> 10. For A.1, second paragraph about LocalRoot, can you replace with the
>     following text (assuming you agree with it):
>
>     The LocalRoot project (<https://localroot.isi.edu/>) is a service
>     that embodies many of the ideas in this document and is operated in
>     cooperation with USC/ISI's root server.  It distributes the root
>     zone by AXFR, but also offers DNS NOTIFY messages when the LocalRoot
>     system sees that the root zone has changed, providing potentially
>     faster updates to local root implementations.  It additionally
>     provides secured AXFR transfers, which helps defeat issues with
>     unsigned glue records being potentially modified in transit (see
>     Section 2).
>
> 11. For B.1, example config for Bind 9.12 - why is this not bind 9.11
> (too)?
>     It's still a viable platform and is supported till 2021 Q4.
>
>     (also, it would be worth adding localroot.isi.edu to that and other
>     similar configs as well)
>
> 12. For B.3 (bind 9.14 with mirror): it's worth adding a note that by
>     using the mirror implementation you're actually using less upstreams
>     because it won't include the ICANN xfr (or localroot) sources.
>
> 13. B.3 says "when it is released" referencing 9.14.  It was released
>     early this year I believe.
>
> Phew.  Sorry!  But I do hope these are helpful, and again: I certainly
> support this document going forward.
>
> --
> Wes Hardaker
> USC/ISI
>