Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-xpf-00.txt
Ray Bellis <ray@bellis.me.uk> Fri, 06 January 2017 22:01 UTC
Return-Path: <ray@bellis.me.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A036129458 for <dnsop@ietfa.amsl.com>; Fri, 6 Jan 2017 14:01:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGTPhg_INsSS for <dnsop@ietfa.amsl.com>; Fri, 6 Jan 2017 14:01:41 -0800 (PST)
Received: from hydrogen.portfast.net (hydrogen.portfast.net [188.246.200.2]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FF4512944B for <dnsop@ietf.org>; Fri, 6 Jan 2017 14:01:41 -0800 (PST)
Received: from [46.227.151.81] (port=53130 helo=rays-mbp.local) by hydrogen.portfast.net ([188.246.200.2]:465) with esmtpsa (fixed_plain:ray@bellis.me.uk) (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) id 1cPcZs-0007Wn-2G (Exim 4.72) for dnsop@ietf.org (return-path <ray@bellis.me.uk>); Fri, 06 Jan 2017 22:01:36 +0000
To: dnsop@ietf.org
References: <148371232017.17418.17291340320637379369.idtracker@ietfa.amsl.com> <dab36e0b-81a5-e9cc-0a07-416061ce9b74@isc.org> <54C32FCA-8248-441A-9D44-9EEFEB1F00E5@verisign.com>
From: Ray Bellis <ray@bellis.me.uk>
Message-ID: <af8e10d1-1b39-dd86-a131-198bfde80076@bellis.me.uk>
Date: Fri, 06 Jan 2017 22:02:16 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <54C32FCA-8248-441A-9D44-9EEFEB1F00E5@verisign.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/khxioC1mfMK9PGfPiTx4GbEy0mI>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-xpf-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 22:01:43 -0000
On 06/01/2017 18:43, Wessels, Duane wrote: > Hi Ray, > > The idea of "X-Forwarded-For" for DNS makes me nervous, but it is > probably inevitable. > > It is of course quite similar to EDNS client subnet, except that > there is no masking and the client cannot opt-out. Might be worth > saying in your document why EDNS client subnet wouldn't work for this > purpose. I believe that dnsdist / PowerDNS is already (ab)using the ECS option for this purpose. The intent in part is to provide a separate option so that "real" ECS can pass unhindered. [ not that I think ECS is a good idea, but some folks want it, c'est la vie ] > Since you use the term proxy throughout I wondered if proxy was > defined in our terminology document. Looks like it is not. > terminology-bis-03 says: > > [RFC5625] does not give a specific definition for forwarding, but > describes in detail what features a system that forwards need to > support. Systems that forward are sometimes called "DNS proxies", > but that term has not yet been defined (even in [RFC5625]). > > I think we should define proxy in the terminology doc, or use some > other well-defined terms in your XPF doc. I should probably define "proxy". I specifically avoided the term "forwarding" (c.f. X-Forwarded-For in HTTP) because in our terminology a forwarder is usually something on the "outbound" side of a resolver, whereas this is on the "inbound" side. > Despite when you say "it is not intended for use on proxy / forwarder > devices that sit on the client-side of a DNS request" and "only > intended for use on server-side proxy devices that are under the same > administrative control" I fully expect XPF will be implemented and > used in all sorts of places. For example, some clients will include > the option in queries to authoritative servers, which will go > unnoticed for a while. Then it will be noticed by servers and > they'll take advantage of it somehow (logging, treating it like ECS, > etc). To hopefully prevent that I might propose something like: > > When a server receives the option from a non-whitelisted client, it > MUST return a FORMERR response. That's a very good idea. I should probably also include even more explicit text explaining that this is for "internal use" only, and MUST NOT be sent from a stub to a resolver, nor from an recursor to an authority server. It's only intended to be injected by server-side DNS equipment that's a front-end onto local DNS servers that would already know the client source IP if the proxy wasn't there. thanks! Ray
- [DNSOP] Fwd: New Version Notification for draft-b… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Robert Edmonds
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Robert Edmonds
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] Fwd: New Version Notification for dra… Wessels, Duane
- Re: [DNSOP] Fwd: New Version Notification for dra… Evan Hunt
- Re: [DNSOP] Fwd: New Version Notification for dra… Warren Kumari
- Re: [DNSOP] Fwd: New Version Notification for dra… Ray Bellis
- Re: [DNSOP] New Version Notification for draft-be… Peter van Dijk
- Re: [DNSOP] New Version Notification for draft-be… Ray Bellis
- Re: [DNSOP] New Version Notification for draft-be… Peter van Dijk