Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-xpf-00.txt

"Wessels, Duane" <dwessels@verisign.com> Fri, 06 January 2017 18:43 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Ray Bellis <ray@isc.org>
Date: Fri, 06 Jan 2017 18:43:30 +0000
Message-ID: <54C32FCA-8248-441A-9D44-9EEFEB1F00E5@verisign.com>
References: <148371232017.17418.17291340320637379369.idtracker@ietfa.amsl.com> <dab36e0b-81a5-e9cc-0a07-416061ce9b74@isc.org>
In-Reply-To: <dab36e0b-81a5-e9cc-0a07-416061ce9b74@isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ie3DhrIUCEEZwGaWtJ4pLjs96dw>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-xpf-00.txt

> On Jan 6, 2017, at 6:49 AM, Ray Bellis <ray@isc.org> wrote:
> 
> Spurred on by Warren's announcement of a Docker image that uses NGINX to
> proxy TLS connections into DNS servers that don't natively support TLS,
> I've just written up this short draft describing an EDNS0 option that
> allows smart proxies to tell the backend server what the original client
> IP address was.
> 
> The master doc is at https://github.com/raybellis/draft-bellis-dnsop-xpf

Hi Ray,

The idea of "X-Forwarded-For" for DNS makes me nervous, but it is probably inevitable. 

It is of course quite similar to EDNS client subnet, except that there is no masking and the client cannot opt out.  Might be worth saying in your document why EDNS client subnet wouldn't work for this purpose.

Since you use the term proxy throughout I wondered if proxy was defined in our terminology document.  Looks like it is not. terminology-bis-03 says:

      [RFC5625] does not give a specific definition for forwarding, but
      describes in detail what features a system that forwards need to
      support.  Systems that forward are sometimes called "DNS proxies",
      but that term has not yet been defined (even in [RFC5625]).

I think we should define proxy in the terminology doc, or use some other well-defined terms in your XPF doc.

Even though you say "it is not intended for use on proxy / forwarder devices that sit on the client-side of a DNS request" and "only intended for use on server-side proxy devices that are under the same administrative control", I fully expect XPF will be implemented and used in all sorts of places.  For example, some clients will include the option in queries to authoritative servers, which will go unnoticed for a while.  Then it will be noticed by servers and they'll take advantage of it somehow (logging, treating it like ECS, etc).  To hopefully prevent that I might propose something like:

  When a server receives the option from a non-whitelisted client, it MUST return a FORMERR response.

DW
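The whitelist-or-FORMERR rule proposed above, worked through as an added example (this is not code from the draft, from ISC, or from the author of the reply). It builds a query carrying a forwarded-client-address EDNS0 option, parses the OPT RR at the backend, and only honours the asserted address when the query's source IP is one of the configured proxies; any other source that sends the option gets a FORMERR. The option code (65280, from the RFC 6891 local/experimental range) and the option's payload layout (one family byte followed by the raw address) are placeholders of my own, since draft -00 is not reproduced here; the proxy addresses and query are constructed sample data.

```python
"""Backend-side screening of a forwarded-client-address EDNS0 option.

Added example, not the draft's or ISC's code.  The option code and its
payload layout below are placeholders, not values from the draft.
"""
import ipaddress
import struct
from typing import List, Optional, Set, Tuple

XPF_OPTION_CODE = 65280   # placeholder: RFC 6891 local/experimental range
OPT_TYPE = 41             # EDNS0 OPT pseudo-RR type
RCODE_FORMERR = 1


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format owner name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, txid: int = 0x1234,
                forwarded_ip: Optional[str] = None) -> bytes:
    """Constructed A query with an OPT RR, optionally asserting a client address."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)    # QTYPE A, QCLASS IN
    options = b""
    if forwarded_ip is not None:
        addr = ipaddress.ip_address(forwarded_ip)
        # Placeholder payload: family byte (1 = IPv4, 2 = IPv6) then the raw address.
        data = struct.pack("B", 1 if addr.version == 4 else 2) + addr.packed
        options = struct.pack("!HH", XPF_OPTION_CODE, len(data)) + data
    # OPT RR: root owner name, TYPE 41, UDP payload size in CLASS, ext-RCODE/version/flags in TTL
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(options)) + options
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name (handles a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def edns_options(msg: bytes) -> List[Tuple[int, bytes]]:
    """Return (code, data) pairs from the OPT RR in the additional section, or []."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns):
        off = skip_name(msg, off)
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]
    for _ in range(ar):
        off = skip_name(msg, off)
        rtype = struct.unpack("!H", msg[off:off + 2])[0]
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        opts, p = [], 0
        while p + 4 <= len(rdata):
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            opts.append((code, rdata[p + 4:p + 4 + olen]))
            p += 4 + olen
        return opts
    return []


def decode_forwarded(data: bytes) -> str:
    """Decode the placeholder payload; reject anything that is not exactly one address."""
    size = 4 if data[:1] == b"\x01" else 16
    if len(data) != 1 + size:
        raise ValueError("malformed forwarded-address option")
    return str(ipaddress.ip_address(data[1:1 + size]))


def screen_query(msg: bytes, src_ip: str, trusted_proxies: Set[str]) -> Tuple[str, str]:
    """Return (verdict, effective client IP): "OK", or "FORMERR" per the proposed rule.

    The asserted address is only trusted when the packet itself came from a
    whitelisted proxy; otherwise the option is treated as a malformed query so
    it cannot be silently logged or used like ECS by servers it was not meant for.
    """
    asserted = [d for c, d in edns_options(msg) if c == XPF_OPTION_CODE]
    if not asserted:
        return "OK", src_ip
    if src_ip not in trusted_proxies:
        return "FORMERR", src_ip
    try:
        return "OK", decode_forwarded(asserted[0])
    except ValueError:
        return "FORMERR", src_ip


def formerr_response(query: bytes) -> bytes:
    """Minimal FORMERR: echo the transaction ID, set QR and RCODE=1, empty sections."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8000 | RCODE_FORMERR, 0, 0, 0, 0)
```

The whitelist is keyed on the transport-layer source address of the query because that is the only thing the backend can check; the option payload itself is attacker-controlled and is never consulted before the source check passes. Over UDP this still relies on the proxies' addresses not being spoofable towards the backend, which is why the draft restricts the option to a single administrative domain.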