IETF Logo Mail Archive

Re: [DNSOP] HTTPS SVCB no service available signal.

Brian Dickson <brian.peter.dickson@gmail.com> Fri, 10 July 2020 16:41 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3231A3A0033 for <dnsop@ietfa.amsl.com>; Fri, 10 Jul 2020 09:41:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EPQZTh4Y9fhe for <dnsop@ietfa.amsl.com>; Fri, 10 Jul 2020 09:41:22 -0700 (PDT)
Received: from mail-vs1-xe31.google.com (mail-vs1-xe31.google.com [IPv6:2607:f8b0:4864:20::e31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D89C3A0029 for <DNSOP@ietf.org>; Fri, 10 Jul 2020 09:41:22 -0700 (PDT)
Received: by mail-vs1-xe31.google.com with SMTP id a17so3315047vsq.6 for <DNSOP@ietf.org>; Fri, 10 Jul 2020 09:41:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=H2MP4s1lUDC1My4gewKRcUF1K25z/2tw09VAn059Ez4=; b=OAqOvjHjEbmca2dazJdsmGLG6E/ryJyzoXtDr1dDnHsjj93DskNHOYi6Qy81WnKhLK 7fdov58WW7gYso41lZxLW1jlRJnXOh58GadxF1m3Krl5PbEMnBuf4kAfacvbrqhyBgpr dWTnDeVUEUNqZO3wJV9lsS7XWwKPQ1WgVYnZP/wOmFKsuhzL8kw6JrNxEHOGVYzauM0I Ist38MiAxzfe6bXB9G7CHCJPQ6oFAgQQt6qwGchlUH3O6BYSxGeDn+ztYNxmQ3DSWbjP i+v2DVyMMm4SISp9iRwY41M5d3I7ayAPH4pksT4p/a7+nzbWkZ8iiQ8eg1pDIdxFp5FQ rygg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=H2MP4s1lUDC1My4gewKRcUF1K25z/2tw09VAn059Ez4=; b=K1fI7GmqQdgwJF6yjm26DgHHWF5ANVwRvcTBqwTULuRSlosBvwp055h6zvNddYYUpx l9XhDCzYL6PrklSYuu0zojbrycS2OcRSyaDHxZOAd17rmSI/5v/OdE2iq5cJ5xGsPQ3A NKEpiev636MiMCxDOut8fRrXQAoLbS5nxmypSeO6Ys6eSDW/rdpBNJNEZ2kXryaUqdaV ZqSgdArKJ0GZh6EFTZp8BEP+jmAI/VmZ4NTG/hKt2TMLviN8ViWY3IvA1ETYhEWm8S7K GvKy0upzSNut40s4Uv11UFqZbqrLnpYje4Up3tlKmJ1P0NviO6BOZSivd2+z2FwZENEL 321g==
X-Gm-Message-State: AOAM530oGidSp4G+otHwQ5PZo9tO/tS44LromTUO2N/NUJZlhK/7lPQr 61CMoJWbE6ZQ+dgfQYC7JPOkm9XCBTa3LP+Lplc=
X-Google-Smtp-Source: ABdhPJwtvvf3TIASLW9aHv4EQpmY3HEGeJTwn4CVDETOXP/2VWy11MZ14QYdPOrvQP/N/yx8pOXesXk71NR7jMe24KQ=
X-Received: by 2002:a67:2007:: with SMTP id g7mr52112250vsg.219.1594399281293; Fri, 10 Jul 2020 09:41:21 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbrMsByWLUGwe9+1QC5VjVXDsEUmC27uLmNiZjV9tjm8=fTMA@mail.gmail.com> <CAJhMdTMiQzJv299d=p13UdBzGp1QMdmg0+jBn22q-feaPfsVkw@mail.gmail.com> <AFC8B7F0-134B-43C7-A0E5-E18725C50F3E@isc.org> <C4CA557F-7095-4BC4-AF5D-E66A2328F14C@hopcount.ca> <2133DA0C-4640-4489-9C6A-485A57BCBF70@isc.org>
In-Reply-To: <2133DA0C-4640-4489-9C6A-485A57BCBF70@isc.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Fri, 10 Jul 2020 09:41:10 -0700
Message-ID: <CAH1iCip7pzjuwizVnF0E7p_j=yf9O6Sp9BdFJf8M_4ragxgBwA@mail.gmail.com>
To: Mark Andrews <marka@isc.org>
Cc: Joe Abley <jabley@hopcount.ca>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, dnsop WG <DNSOP@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000caad0b05aa190242"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/jRoPXgx45b5mYWFuRXbyaJnCwew>
Subject: Re: [DNSOP] HTTPS SVCB no service available signal.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 16:41:25 -0000

(Apologies for any weird quoting-style/depth issues, mail user agents
aren't terribly consistent.)

On Thu, Jul 9, 2020 at 8:03 PM Mark Andrews <marka@isc.org> wrote:

>
>
> > On 10 Jul 2020, at 11:53, Joe Abley <jabley@hopcount.ca> wrote:
> >
> > On 9 Jul 2020, at 18:48, Mark Andrews <marka@isc.org> wrote:
> >
>
> > By that logic, DNS UPDATE changed the original purpose of MNAME to be
> the target for a DNS UPDATE.
>
> No. DNS UPDATE says any listed nameserver is a target for DNS UPDATE.  If
> the SOA MNAME matches a NS name then you try that nameserver FIRST.
>

That's an IF conditional which is only applicable if the IF condition is
matched. It says nothing about what to do if the SOA MNAME doesn't match an
NS name.

I'm also confused about the objection. Are you saying you want to allow
UPDATEs, or that you want a mechanism that programmatically blocks UPDATEs
without changing your use of MNAME?
See below (next block of text from me) if it is the latter case.


>
> >> When you change the purpose of a field you have to consider the
> existing users of that field.
> >
> > The only purpose of MNAME today that I am aware of is to identify the
> target for a DNS UPDATE. If you know of another way that the field is
> interpreted I'd be interested to hear it. Even without DNS UPDATE being a
> primary concern, there are many zones whose provisioning means that
> "primary master" has no real meaning; there's no reachable server that is
> more master or more primary than any other; the concept of a single,
> primary master server or service is a legacy that no longer applies to many
> high-use zones.
>
> So you discard everyone that has to diagnose DNS issues.  You discard
> anyones self configuring provisioning system.  The field is in use for
> purposes other than DNS UPDATE.
>
>
This illustrates the importance and value in documenting dependencies/uses
in RFCs, even if they are Informational or even ISE.
The uses you are referring to aren't in any RFCs, are they?
I could overload the TTL field of a DNS record to be a DSCP thing, but if I
didn't tell anyone about it, I shouldn't be surprised if future changes to
standards broke it.

However, this doesn't mean this use case isn't valid.
The fundamental question is whether there are ways to support that use (XFR
topology discovery) while also supporting Joe's concept(s) for making
useless UPDATE things stop.
 (And more generally have ways to signal anything that might be a host name
from being used for something when that something isn't supported by
policy.)

Rather than the NAME of the thing (FQDN, e.g. MNAME field or MX target),
what about using the VALUE or STATUS (e.g. presence/absence of A/AAAA
RRSETs, or NXDOMAIN results)?

The corner case for XFR topology could be accomplished with DNS "views" for
the FQDN in the MNAME field (only permitted XFR clients would get the
"real" value).

The logic path for clients would be relatively simple:

   - Check if the name resolves and has A/AAAA records
   - Use it for the field's purpose only if BOTH things are satisfied.

That seems like a simple and pragmatic compromise.
I think it would be easy to implement, and would be mostly an optimization
(to not send UPDATEs that will be ignored).
Interoperability would be dead easy to confirm.


> > I still think it'd be a service at this point to codify the use of an
> empty string in a field that is intended for use as a hostname to indicate
> that no host is available to do whatever the client was hoping to do. The
> only identified harm from such a definition, even after the fact, is the
> potential for a few client libraries that are unfamiliar with the concept
> of a hostname sending a few queries that will quickly be cached at multiple
> levels.
> >
> > Making this assertion for all RDATA fields that might contain hostnames
> seems more beneficial than poking about in particular RRSet definitions,
> since it opens the door for efficient suppression of traffic in client
> libraries.
> >
> > Having clients inadvertently send DNS UPDATEs to servers that are not
> prepared to accept the is at least an inefficiency; at worst it's a
> systematic leak of local topology information.
>

I agree with this concept.
See above for an idea on how to implement this that doesn't rely on the
FQDN being the empty string per se, but which would be satisfied IF the
FQDN were the empty string (or something under empty.as112.arpa, for
example.)

Brian

v2.23.0 | Report a Bug | By Email