Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility
Mark Andrews <marka@isc.org> Thu, 21 June 2018 14:36 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1041B130E96 for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 07:36:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FDJmI0Q1cSvf for <dnsop@ietfa.amsl.com>; Thu, 21 Jun 2018 07:36:36 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F307130E77 for <dnsop@ietf.org>; Thu, 21 Jun 2018 07:36:36 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 326E93AB004; Thu, 21 Jun 2018 14:36:35 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 1E37C16006A; Thu, 21 Jun 2018 14:36:35 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 03A63160068; Thu, 21 Jun 2018 14:36:35 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id rMoWqnsgczQy; Thu, 21 Jun 2018 14:36:34 +0000 (UTC)
Received: from [172.30.42.90] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id CCA1F16003D; Thu, 21 Jun 2018 14:36:33 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <107c3532-a07d-9821-70ab-94c00a9dd2f0@nic.cz>
Date: Fri, 22 Jun 2018 00:36:30 +1000
Cc: Paul Wouters <paul@nohats.ca>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Daniel Salzman <daniel.salzman@nic.cz>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F6CB5212-461C-4E91-8E56-43B9E6377A7C@isc.org>
References: <c70f058c-8e82-f905-e352-f3e2fd0d4cfc@nic.cz> <alpine.LRH.2.21.1806201006530.6077@bofh.nohats.ca> <107c3532-a07d-9821-70ab-94c00a9dd2f0@nic.cz>
To: Petr Špaček <petr.spacek@nic.cz>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iWUJoGUU3KYE79K3fW-7s2ORCvM>
Subject: Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 14:36:39 -0000
> On 21 Jun 2018, at 12:25 am, Petr Špaček <petr.spacek@nic.cz> wrote: > > On 20.6.2018 16:10, Paul Wouters wrote: >> On Wed, 20 Jun 2018, Petr Špaček wrote: >> >>> it seems that current specification of DNS cookies in RFC 7873 is not >>> detailed enough to allow deployment of DNS cookies in multi-vendor >>> anycast setup, i.e. a setup where one IP address is backed by multiple >>> DNS servers. >>> >>> The problem is lack of standardized algorithm to generate server >>> cookie from a shared secret. In practice, even if users manually >>> configure the same shared secret, Knot DNS and BIND will use diffrent >>> algorithm to generate server cookie and as consequence these two >>> cannot reliably back the same IP address and have DNS cookies enabled. >>> >>> One of root server operators told me that they are not going to enable >>> DNS cookies until it can work with multi-vendor anycast, and I think >>> this is very reasonable position. >>> >>> So, vendors, would you be willing to standardize on small number of >>> server cookie algorithms to enable multi-vendor deployments? >> >> I think this is a good idea but there are already two examples in RFC >> 7873 for cookie generation. Is there a problem with those examples, or >> is there only a lack of options in the implementation to configure >> these? If the latter, than no new IETF work would be needed. > > These are mere examples and not specifications with all the details > necessary for reliable interoperability. > E.g. when a cookie is "old" according to B.2.? I really depends on the algorithm being used. > E.g. are there privacy considerations with plain HMAC vs. encryption? Not the way AES is being used. > Besides this, BIND defaults to AES-based algorithm which is not > specified in the RFC and Knot DNS has its own because developers > considered the BIND's approch overkill. What does it matter what the default algorithm is. Unless you are running a anycast cluster IT DOES NOT MATTER. If you are running a anycast cluster you just needs to make sure all the server are set up the same way. > If we decide to standardize we need to find a reasonable algorihm and > standardize all its variables to make it work without run-time > synchronization (posssibly except key rotation but it can be done > avoided as well). BIND implemented 3 algorithms. All three were similar. The only difference was how the hash is generated. The hmac-sha1 and hmac-sha256-8 take identical inputs. AES is slightly different because it is AES. > This message is for other DNS vendors to see if there is an interest in > standardizing something we can all share and operators use in practice. > > -- > Petr Špaček @ CZ.NIC > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Daniel Salzman
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Daniel Salzman
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mukund Sivaraman
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Warren Kumari
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Petr Špaček
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Donald Eastlake
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Ondřej Surý
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Petr Špaček
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mark Andrews
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Petr Špaček
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Paul Wouters
- [DNSOP] DNS cookies and multi-vendor anycast inco… Petr Špaček
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Mukund Sivaraman
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Warren Kumari
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Evan Hunt
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Evan Hunt
- Re: [DNSOP] DNS cookies and multi-vendor anycast … Petr Špaček