IETF Logo Mail Archive

Re: [DNSOP] draft-schanzen-gns and namespace mechanisms

"Schanzenbach, Martin" <mschanzenbach@posteo.de> Fri, 19 August 2022 15:10 UTC

Return-Path: <mschanzenbach@posteo.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99C35C1526E7 for <dnsop@ietfa.amsl.com>; Fri, 19 Aug 2022 08:10:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=posteo.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xjOMxmj8-7JL for <dnsop@ietfa.amsl.com>; Fri, 19 Aug 2022 08:10:38 -0700 (PDT)
Received: from mout02.posteo.de (mout02.posteo.de [185.67.36.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C7B3C1526F3 for <dnsop@ietf.org>; Fri, 19 Aug 2022 08:10:37 -0700 (PDT)
Received: from submission (posteo.de [185.67.36.169]) by mout02.posteo.de (Postfix) with ESMTPS id 25E10240106 for <dnsop@ietf.org>; Fri, 19 Aug 2022 17:10:34 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.de; s=2017; t=1660921835; bh=IXNCh9YcE7FsKaZ0iDDjK8FMUJhiGQYC/ybYH8tij5w=; h=Subject:From:Date:Cc:To:From; b=aO012DLv6GbziWjz/4NH7skrgJ1Ij3LuZJhazbTpXCZ69iCJ6RBKFSUto5326SmN0 QETIEanDPzTvf/dzsdTH0G4fFA5T/OXhAcvIVm+oFvoHoOb/pbCupJYKNcqR/dvggc yob496xjGxIPwL4Zj1Zp6uu2UNNhkn9J2z0ckert1mSqLMr7Tf0OCMgPH1ZPwhl1Ru WqS8rnz64OH8alVnzme1Kfm+5QZs4xMLlIeRkP0gGr6Pb9ZOz4RQGRsTtj/ZX3XQqG cZeFLOFScvhg9AJxhvMw2q6FqFe1iRZBMk4LZ9DD56LQRq6xY2wbTuykMC8bC8n3fV gxhdh7qG0CWmg==
Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4M8QDT4L4wz9rxh; Fri, 19 Aug 2022 17:10:33 +0200 (CEST)
Content-Type: multipart/signed; boundary="Apple-Mail=_F3117492-7208-49CE-B8CF-416943D7B865"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: "Schanzenbach, Martin" <mschanzenbach@posteo.de>
In-Reply-To: <E4F195F3-EA81-4734-AB11-25B03DA61E97@posteo.de>
Date: Fri, 19 Aug 2022 15:10:32 +0000
Cc: "Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Message-Id: <08472CE8-AB4B-49FD-A5A3-6F07754CAE24@posteo.de>
References: <91abb9ac-9d3b-87bf-5639-174581d625fd@rfc-editor.org> <CAH1iCioYdJf_d7M4bFOnkiURY2ppupnaksvkioPOMt_igcgCwA@mail.gmail.com> <E4F195F3-EA81-4734-AB11-25B03DA61E97@posteo.de>
To: Brian Dickson <brian.peter.dickson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/junfsKeDNQTbHvrhD81zB5kowiE>
Subject: Re: [DNSOP] draft-schanzen-gns and namespace mechanisms
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Aug 2022 15:10:42 -0000


> On 19. Aug 2022, at 17:06, Schanzenbach, Martin <mschanzenbach@posteo.de> wrote:
> 
> Signed PGP part
> Hi Brian,
> 
> thank you for the feedback.
> 
>> On 19. Aug 2022, at 16:46, Brian Dickson <brian.peter.dickson@gmail.com> wrote:
>> 
>> One tidbit that might have been overlooked, is that draft-schanzen-gns (and the various documents it references, including stuff in github) has a technical problem.
>> 
>> The TL;DR: is that nsswitch (and similar systems) depend on individual resolution mechanisms (whatever those may be) returning NXDOMAIN (or the equivalent) in order to fall through to the next mechanism.
>> GNS as currently specified will NEVER return NXDOMAIN. The draft says so (about never returning NXDOMAIN) and explains why. The why doesn't matter, the what matters.
>> 
>> What this means is, if nsswitch.conf has a line that looks like:
>> hosts: gns dns files
>> then the lookups will NEVER fall through to DNS or /etc/hosts. Changing the order around to put "gns" at the end of the list will work, but would result in DNS queries for GNS names always being done. This appears to not do what the draft says it wants to do (i.e. allowing users to have both GNS and DNS names in use, including allowing GNS to be preferred if a name collision occurs.)
>> 
>> Here's the longer version:
>> If GNS never returns NXDOMAIN, then the only way GNS can interoperate with the name resolution selectors such as nsswitch.conf is to use a namespace identifier of some kind, and return NXDOMAIN for any names that are not actual GNS names. (The identifier could be anything -- a suffix, a prefix, a single character, etc.) This would allow GNS to be a first-class member of the available resolution mechanisms, rather than being forced to always be the last mechanism in a list.
> 
> 
> A GNS implementation ships with a default configuration: The "Start Zone" (https://www.ietf.org/archive/id/draft-schanzen-gns-21.html#name-start-zones).
> IF the user configured a suffix in the start zone that also exists in DNS, then that is the users problem (see also, /etc/hosts).
> So, the GNS nsswitch plugins functions similarly to the "files" plugin. It also times out, at which point it returns notfound, however.
> See also https://docs.gnunet.org/installing.html#nss-plugin-optional

Oh and I need to add here: The nsswitch plugin is a "GNS-aware" application. Which is why if there is NO "start zone" configuration that matches the suffix of the name, it DOES return "NXDOMAIN".

> 
> IF the implementation ships a default configuration that has mappings that also exist in DNS/others , then this may be a problem.
> I would request a suggestion on different wording then (however, I think with .alt this would be fixed anyway).
> 
>> 
>> Using some (any) mechanism that allows GNS names to be identifiable in such a way as to either allow GNS to internally distinguish GNS from DNS (and return NXDOMAIN for DNS names if the query sent to GNS is a DNS name), or for GNS to handle both GNS and DNS names on a similar basis (do a GNS resolve on GNS names, or do a DNS resolve on DNS names and return the result from the DNS call).
>> Having DNS vs GNS ordering handled by the os-specific mechanism (such as nsswitch.conf) might be better for linux/unix systems (and servers and desktops generally), while mobile OS set-ups might use their own mechanisms.
> 
> We want the DNS vs GNS vs Other handling to be done by the application (the OS resolver is an application from the perspective of the GNS implementation). This IMO should not be part of our spec beyond some non-normative guidance.
> For example, we specifically consider nsswitch to be a crutch for applications that cannot (yet) distinguish between name systems as part of *possible* migration paths: https://www.ietf.org/archive/id/draft-schanzen-gns-21.html#appendix-A.4
> 
>> 
>> The GNS specification might also want to change its design so that applications make those decisions on resolution directly, and call whichever mechanism is appropriate, ie. call either GNS or DNS for resolution on the basis of the presence/absence of the GNS identifier. Additionally, the applications (e.g. web browsers) might handle the input/UI parts to default to either DNS or GNS, and "hide" the GNS identifier (similar to how the "www" prefix and "https:" service identifier are "hidden", but available for modification by users in the browser bar), allowing advanced users to do "the other thing", as appropriate, or whatever the GNS folks thing makes sense.
>> 
>> E.g. in the browser UI for the URI, what might appear to the user as "foo.bar" might in fact be "https://www.foo.bar" (current DNS-as-default browser), or could alternatively be "https://www.foo.bar.gns.alt" (modified GNS-as-default browser). A user entering "foo.bar" would have that transformation applied by default, but also be editable if the user desires.
> 
> Yes, but we have to distinguish between "GNS-aware" and "GNS-unaware" applications. For example, applications such as browsers are not really "nsswitch files plugin"-aware.
> The browser will try the IP and TLS probably will not work if the server IPs in DNS and hosts do not match.
> 
> So, in order to applications to proactively handle GNS names, they need to "know" what it is. But if they to, they can easily figure out the "start zone" configuration of the user and compare it against the given name according to https://www.ietf.org/archive/id/draft-schanzen-gns-21.html#name-start-zones
> 
> However, I think you found a blind spot and I need to recheck the draft. I remember that we intentionally left handling of the name by applications out of the draft.
> The primary reason for this initially was internationalisation and UTF-8, as far as I remember.
> Anyway, I think we may address this issue anyway should we incorporate references to a possible .alt draft in the next revisions or so.
> 
> BR
> Martin
> 
>> 
>> Brian
>> P.S. To be clear, this is an observation on a deficiency, and suggested possible fix, but it is not specifically advocating for the correction to be done.
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
> 
> 
>

v2.23.0 | Report a Bug | By Email