Re: [DNSOP] New Version Notification for draft-bellis-dnsop-xpf-00.txt

"Peter van Dijk" <peter.van.dijk@powerdns.com> Fri, 10 February 2017 12:52 UTC

From: "Peter van Dijk" <peter.van.dijk@powerdns.com>
To: dnsop@ietf.org
Date: Fri, 10 Feb 2017 13:52:16 +0100
Message-ID: <A719BB79-A018-4C15-B9DD-F0E032D11123@powerdns.com>
In-Reply-To: <af8e10d1-1b39-dd86-a131-198bfde80076@bellis.me.uk>
References: <148371232017.17418.17291340320637379369.idtracker@ietfa.amsl.com> <dab36e0b-81a5-e9cc-0a07-416061ce9b74@isc.org> <54C32FCA-8248-441A-9D44-9EEFEB1F00E5@verisign.com> <af8e10d1-1b39-dd86-a131-198bfde80076@bellis.me.uk>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kelWqVHFPqIoqDkTqAvCjWLbUrI>
Subject: Re: [DNSOP] New Version Notification for draft-bellis-dnsop-xpf-00.txt

Hello Ray,

On 6 Jan 2017, at 23:02, Ray Bellis wrote:

> On 06/01/2017 18:43, Wessels, Duane wrote:
>
>> The idea of "X-Forwarded-For" for DNS makes me nervous, but it is
>> probably inevitable.
>>
>> It is of course quite similar to EDNS client subnet, except that
>> there is no masking and the client cannot opt-out.  Might be worth
>> saying in your document why EDNS client subnet wouldn't work for this
>> purpose.
>
> I believe that dnsdist / PowerDNS is already (ab)using the ECS option
> for this purpose.
>
> The intent in part is to provide a separate option so that "real" ECS
> can pass unhindered.  [ not that I think ECS is a good idea, but some
> folks want it, c'est la vie ]

Indeed, dnsdist uses ECS to pass the actual client IP to the real 
backend DNS server. And indeed, this gets confusing when there is also 
‘real’ ECS. So thank you for writing this draft, it will be very 
useful!

However, both in ECS, and now in XPF, we do not get the client’s port 
number. With increasing CGNAT deployment, this makes it impossible to 
distinguish clients once a request has passed through a proxy, like 
dnsdist or a TLS frontend.

Can you please consider adding a port number field?

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
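The CGNAT problem raised above, as an added example that is not part of the thread or of any PowerDNS code: it encodes the real RFC 7871 ECS option for two clients that share one translated IPv4 address and shows that the options are byte-identical, whereas a proxy option that also carries the source port (the layout and option code below are assumptions, not the draft's format) keeps them apart.

```python
# Added example, not from the thread or from PowerDNS/dnsdist.
import ipaddress
import struct

ECS_OPTION_CODE = 8  # EDNS Client Subnet, RFC 7871

def encode_ecs(client_ip: str, prefix_len: int) -> bytes:
    """Build the ECS option for one client address, as a proxy would.
    Query form: SCOPE PREFIX-LENGTH is 0 and ADDRESS is truncated to
    the bytes covered by SOURCE PREFIX-LENGTH (unused bits zeroed)."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    nbytes = (prefix_len + 7) // 8
    truncated = bytearray(addr.packed[:nbytes])
    extra_bits = nbytes * 8 - prefix_len
    if extra_bits and nbytes:
        truncated[-1] &= (0xFF << extra_bits) & 0xFF
    body = struct.pack("!HBB", family, prefix_len, 0) + bytes(truncated)
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body

# Assumption: a local-use code from the RFC 6891 experimental range,
# not the code assigned to XPF.
PROXY_OPTION_CODE = 65280

def encode_proxy_option_with_port(client_ip: str, client_port: int) -> bytes:
    """Hypothetical proxy option (layout assumed here, not the draft's):
    FAMILY (2 bytes), full ADDRESS, SOURCE PORT (2 bytes)."""
    addr = ipaddress.ip_address(client_ip)
    family = 1 if addr.version == 4 else 2
    body = struct.pack("!H", family) + addr.packed + struct.pack("!H", client_port)
    return struct.pack("!HH", PROXY_OPTION_CODE, len(body)) + body

def distinguishable(encoder, a, b) -> bool:
    """True if the backend sees different option bytes for clients a and b."""
    return encoder(*a) != encoder(*b)

# Constructed sample: two hosts behind one CGNAT, differing only in port.
CLIENT_A = ("100.64.0.1", 40001)
CLIENT_B = ("100.64.0.1", 40002)

def ecs_can_distinguish() -> bool:
    # Even an unmasked /32 ECS carries no port, so both look the same.
    return distinguishable(lambda ip, port: encode_ecs(ip, 32), CLIENT_A, CLIENT_B)

def port_option_can_distinguish() -> bool:
    return distinguishable(encode_proxy_option_with_port, CLIENT_A, CLIENT_B)
```

A backend doing per-client rate limiting or logging behind dnsdist gets one indistinguishable blob for every host behind that NAT unless the port travels with the address.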