IETF Logo Mail Archive

Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-xpf-00.txt

Ray Bellis <ray@bellis.me.uk> Fri, 06 January 2017 22:01 UTC

Return-Path: <ray@bellis.me.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A036129458 for <dnsop@ietfa.amsl.com>; Fri, 6 Jan 2017 14:01:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gGTPhg_INsSS for <dnsop@ietfa.amsl.com>; Fri, 6 Jan 2017 14:01:41 -0800 (PST)
Received: from hydrogen.portfast.net (hydrogen.portfast.net [188.246.200.2]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FF4512944B for <dnsop@ietf.org>; Fri, 6 Jan 2017 14:01:41 -0800 (PST)
Received: from [46.227.151.81] (port=53130 helo=rays-mbp.local) by hydrogen.portfast.net ([188.246.200.2]:465) with esmtpsa (fixed_plain:ray@bellis.me.uk) (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) id 1cPcZs-0007Wn-2G (Exim 4.72) for dnsop@ietf.org (return-path <ray@bellis.me.uk>); Fri, 06 Jan 2017 22:01:36 +0000
To: dnsop@ietf.org
References: <148371232017.17418.17291340320637379369.idtracker@ietfa.amsl.com> <dab36e0b-81a5-e9cc-0a07-416061ce9b74@isc.org> <54C32FCA-8248-441A-9D44-9EEFEB1F00E5@verisign.com>
From: Ray Bellis <ray@bellis.me.uk>
Message-ID: <af8e10d1-1b39-dd86-a131-198bfde80076@bellis.me.uk>
Date: Fri, 06 Jan 2017 22:02:16 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <54C32FCA-8248-441A-9D44-9EEFEB1F00E5@verisign.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/khxioC1mfMK9PGfPiTx4GbEy0mI>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-bellis-dnsop-xpf-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 22:01:43 -0000

On 06/01/2017 18:43, Wessels, Duane wrote:

> Hi Ray,
> 
> The idea of "X-Forwarded-For" for DNS makes me nervous, but it is
> probably inevitable.
> 
> It is of course quite similar to EDNS client subnet, except that
> there is no masking and the client cannot opt-out.  Might be worth
> saying in your document why EDNS client subnet wouldn't work for this
> purpose.

I believe that dnsdist / PowerDNS is already (ab)using the ECS option
for this purpose.

The intent in part is to provide a separate option so that "real" ECS
can pass unhindered.  [ not that I think ECS is a good idea, but some
folks want it, c'est la vie ]

> Since you use the term proxy throughout I wondered if proxy was
> defined in our terminology document.  Looks like it is not.
> terminology-bis-03 says:
> 
> [RFC5625] does not give a specific definition for forwarding, but 
> describes in detail what features a system that forwards need to 
> support.  Systems that forward are sometimes called "DNS proxies", 
> but that term has not yet been defined (even in [RFC5625]).
> 
> I think we should define proxy in the terminology doc, or use some
> other well-defined terms in your XPF doc.

I should probably define "proxy".  I specifically avoided the term
"forwarding" (c.f. X-Forwarded-For in HTTP) because in our terminology a
forwarder is usually something on the "outbound" side of a resolver,
whereas this is on the "inbound" side.

> Despite when you say "it is not intended for use on proxy / forwarder
> devices that sit on the client-side of a DNS request" and "only
> intended for use on server-side proxy devices that are under the same
> administrative control" I fully expect XPF will be implemented and
> used in all sorts of places.  For example, some clients will include
> the option in queries to authoritative servers, which will go
> unnoticed for a while.   Then it will be noticed by servers and
> they'll take advantage of it somehow (logging, treating it like ECS,
> etc).  To hopefully prevent that I might propose something like:
> 
> When a server receives the option from a non-whitelisted client, it
> MUST return a FORMERR response.

That's a very good idea.

I should probably also include even more explicit text explaining that
this is for "internal use" only, and MUST NOT be sent from a stub to a
resolver, nor from an recursor to an authority server.  It's only
intended to be injected by server-side DNS equipment that's a front-end
onto local DNS servers that would already know the client source IP if
the proxy wasn't there.

thanks!

Ray

v2.23.0 | Report a Bug | By Email