Re: [DNSOP] Again about refuse ANY and HINFO
Ted Lemon <mellon@fugue.com> Thu, 07 April 2016 13:55 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0DAC812D1ED for <dnsop@ietfa.amsl.com>; Thu, 7 Apr 2016 06:55:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WgOGEjQgylAJ for <dnsop@ietfa.amsl.com>; Thu, 7 Apr 2016 06:55:46 -0700 (PDT)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C19CA12D1B8 for <dnsop@ietf.org>; Thu, 7 Apr 2016 06:55:45 -0700 (PDT)
Received: by mail-lf0-x231.google.com with SMTP id e190so55804213lfe.0 for <dnsop@ietf.org>; Thu, 07 Apr 2016 06:55:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=y/fpl7JtlhKQ87KuAe3icXuw1L7rzG2V98PXG5jxizU=; b=ruchyZXEDZVTAWRsBXCabeS5VqAm1UqfMPmYaC81pZjUVhtEQZbvD2cKfrUnQW6CYQ CQ3d7vR3AvkHaWBq0LDgcRMJq0ZZWwT61tbfmW6tSA8pBYKiTwjK1ojjCuWLDPRKWQpJ U3SG7Ng/on4s2RGJdEvrWn3bfqZnFawpXlB8OX3OwlZrxiyWgaWdudbguun2Qk4DZyWw Ghvuc6pg7YzLMxtNnyQNU4S6SoRCABdbUGe67W5isq35a6k7Lct5RxySHOYQv6yy2ed7 XWyGGzsAg9/Thkearchb2kmKrvm2Q1UX63s3ZK1953hftOYGQTU8jAx8rK270fd8L+Ro 8XfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=y/fpl7JtlhKQ87KuAe3icXuw1L7rzG2V98PXG5jxizU=; b=H646oG4+5ZDkbEU21/N1Eyt4XidtkjLDdiCxaxB9CKUys4CgEJMND6TbvP8GIfk1ff tMzNjFyTVJSZX+JWPD5wMfLmXZJILX3IePXvnuG7dg0KA3WLwhhn72Dur8UnZPsaW1C7 OzwFT6wWCQu8nyVRnfL6fwIzEWswqIKj8TrDrN8hLycLrLoRJJ6Ee7eGmGOeOuYbBnKb +ei9GJBbIyXgqhsFUas7dMw8qOFoWUnhLrOdCdLrJSGrwzNTqINAbmWcRNCysOagHoP/ Mp1KHhnJb9RAAa3upc182lVljZ4UnBAZ0uCWyonkN34DuYZorUknrm9P0hZi508uytyC NOpw==
X-Gm-Message-State: AD7BkJIcjs41fPk0vmq3R4U9AGgN8nm2SCCXLgR/j7UsrcifcOzbIp/hLurPeIN8ncKmUZRYGKHK7MVAnH8Wbg==
X-Received: by 10.25.205.146 with SMTP id d140mr1401175lfg.109.1460037343786; Thu, 07 Apr 2016 06:55:43 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.40.136 with HTTP; Thu, 7 Apr 2016 06:55:04 -0700 (PDT)
X-Originating-IP: [2001:67c:370:136:ec62:80b3:91d7:df8a]
In-Reply-To: <D32BE7C1.153EC%edward.lewis@icann.org>
References: <D32BE7C1.153EC%edward.lewis@icann.org>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 07 Apr 2016 10:55:04 -0300
Message-ID: <CAPt1N1nRnoktCjJhSaKzGsrLR6SLE3LAQhn7i=60E-hSS=SxnQ@mail.gmail.com>
To: Edward Lewis <edward.lewis@icann.org>
Content-Type: multipart/alternative; boundary="001a114128ca3c4e2b052fe56fab"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/kSUoVMhoXSCDppier1enoKH9v24>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Again about refuse ANY and HINFO
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 13:55:54 -0000
One point about repeated queries is that on the list of problems we have in the DNS, this probably isn't high. What would the packet rate be for such queries as opposed to the other problem queries we see? (I tend to agree with your take on this generally, Ed.) On Thu, Apr 7, 2016 at 10:32 AM, Edward Lewis <edward.lewis@icann.org> wrote: > I've shuffled my feet before (the "Again" in the subject) to express my > dislike of the HINFO technique. This time I dove a little deeper into why > I dislike the approach, motivated by something quickly said in the DNSOP > meeting yesterday. > > If nothing else, I suggest that this not be standards track due to > interoperability concerns with private key sharing. > > (The draft :- > https://www.ietf.org/archive/id/draft-dnsop-refuse-any-00.txt) > > The draft says "the operator of an authoritative DNS server might choose" > and proceeds to propose solutions that involve what belongs to the zone > administrator. Architecturally, this bugs me. > > The draft proposes that a server (and I'll hand wave over details that are > in the draft for the sake of brevity in email) respond with "some other > record" at the QNAME or, if it chooses, a synthesized HINFO record. With > DNSSEC, one would need to sign the synthesized record. > > Notably missing is - what if the QNAME does not exist ("Role of Wildcards > in the DNS" section 2.2)? > (An open question...) > > If the server chooses to answer with "just some record" (the first > option), how would a querier know that this means ANY is not honored? > Personally, I don't think that a protocol should have a state in which the > situation is ambiguous. (There are many examples of protocols that do and > many examples of ambiguity, but that doesn't make it a good thing.) I > can't quantify why this approach seems to lacking something > (architecturally). Perhaps, if you mean "no" say "no." Or maybe passive > aggressive is not a good personality trait for a protocol. I don't know. > > If the server chooses to answer with a synthesized HINFO and has to sign > it for DNSSEC, there's a line being crossed. The server answering has to > have the zone's key to make the signature. DNSSEC was not designed for > that although it is easily demonstrated that on-line signing can be done. > The reason I raise this is, what about interoperability? ("What about the > children?" as per https://en.wikipedia.org/wiki/Think_of_the_children) > > The draft doesn't address how one operator can opt out of ANY answers if > the zone administrator does not share the keys with the operator. In > examples existing today, so far as I know and I could be wrong, the live > implementation is an "owner/operator", that is an organization that plays > the role of zone administrator (on behalf of others) and the exclusive DNS > operator for those zones. > > There is nothing wrong with that set up, I'm just being specific about > "why it works" in the field yet I see an architectural challenge. > > I am not criticizing the desire to opt out of ANY queries. I have been in > position where I wanted to do the same thing. My discomfort lies in using > the "data plane" to signal though. > > I agree this is an server operator thing, not a zone admin thing. The > data in the DNS is managed by a zone admin, not the server operator. (See > how the root zone responsibilities are divided for an example.) > > If nothing else, this perhaps should not be standards track. Experimental > or informational perhaps. This approach is implementable, it is what an > operator does today. It addresses a need. > > But I see interoperability holes in the approach. > > I do know of another operator that has turned off ANY queries. They did > it by sending nothing back. The name exists, the authoritative server > sends back RCODE=refused. As far as I know, that operator has not made > public statements about this, I discovered it in some code I run. Because > of the way it answered, it was obvious that I needed to stop sending ANY > queries to get the data I sought. Hard fail can be good. > > The draft does address this: > > "Alternative proposals for dealing with ANY queries have been discussed. > One approach proposed using a new RCODE ... resolvers receiving an unknown > RCODE caused them to re-send the same query to all available authoritative > servers, rather than suppress future such ANY queries > for the same QNAME." > > > I see this as a tradeoff. Extra queries versus having to reply on > distributing a DNSSEC private key to Internet-exposed servers. To me, in > my opinion, for the sake of interoperability the option costing extra > queries seems more desirable than having to figure out how to allow server > operators share a zone admin's private key. > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > >
- Re: [DNSOP] Again about refuse ANY and HINFO Tony Finch
- [DNSOP] Again about refuse ANY and HINFO Edward Lewis
- Re: [DNSOP] Again about refuse ANY and HINFO Ted Lemon
- Re: [DNSOP] Again about refuse ANY and HINFO Tony Finch
- Re: [DNSOP] Again about refuse ANY and HINFO Ted Lemon