IETF Logo Mail Archive

[DNSOP] Re: Deployment tests for "probe.resolver.arpa"

Paul Wouters <paul@nohats.ca> Fri, 23 May 2025 18:58 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 044102C5FDEC for <dnsop@mail2.ietf.org>; Fri, 23 May 2025 11:58:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.4
X-Spam-Level:
X-Spam-Status: No, score=-4.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FV_6ElVwhrhh for <dnsop@mail2.ietf.org>; Fri, 23 May 2025 11:58:53 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::85]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id A3DBE2C5FDDC for <dnsop@ietf.org>; Fri, 23 May 2025 11:58:53 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4b3vZg6trfzFK8; Fri, 23 May 2025 20:58:51 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1748026731; bh=prrBuy0/GeU4PcTgpVnknkbWGM/HYs1R7pN7BNyDHwA=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=ZcHqhNeXFE41Hmq+NPmPV4cQkNcmVrdsczk9eJUMSEEonwfnxN3KnvOm6oeFzx/JE N62cBJqC1oCkvMmYJf7ZGMFlgsN2eVzUSbyBmlV41va7DWmIct+/GlGKE0PAl2l5Mq mZMs01cdRzLEWoX77gwtFuXrk9/94c3+IX1AJxTQ=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id eqWNQlcNcNx5; Fri, 23 May 2025 20:58:51 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Fri, 23 May 2025 20:58:50 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 072B115186A8; Fri, 23 May 2025 14:58:50 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 026D515186A7; Fri, 23 May 2025 14:58:49 -0400 (EDT)
Date: Fri, 23 May 2025 14:58:49 -0400
From: Paul Wouters <paul@nohats.ca>
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
In-Reply-To: <SA1PR15MB43703D41CFC32A24930D7FBDB39EA@SA1PR15MB4370.namprd15.prod.outlook.com>
Message-ID: <296bc609-01cd-ad89-90c2-332dc6d6ca69@nohats.ca>
References: <SA1PR15MB4370984AE1604666FFA470E2B39CA@SA1PR15MB4370.namprd15.prod.outlook.com> <1975082.FsBFY9rHsf@workstation.vm.ideapad.lan> <SA1PR15MB43703D41CFC32A24930D7FBDB39EA@SA1PR15MB4370.namprd15.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: ROLRVDULOW6CSYCIB6EAC5NKQHSAKUSF
X-Message-ID-Hash: ROLRVDULOW6CSYCIB6EAC5NKQHSAKUSF
X-MailFrom: paul@nohats.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Michael De Roover <ietf@nixmagic.com>, "dnsop@ietf.org" <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: Deployment tests for "probe.resolver.arpa"
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/l0mm-IMYgJkojb8h015tgXLpvms>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Wed, 21 May 2025, Ben Schwartz wrote:

[ speaking only as individual DNS enthousiast ]

> > From what I understand about the draft so far, it seems that this would be a
> > vendor-neutral convergence point to do these connectivity checks against.
> 
> No, that is not the idea.  The idea is that when performing connectivity checks against any recursive resolver, you should use this arbitrary
> QNAME, not some other arbitrary QNAME.

So this is when the application "knows" it is online, but does not know
if its system-overriding nameserver is reachable or not?

i.e. you connect to startbucks, it gives you DNS 1.2.3.4, but your
application wants to use 8.8.8.8 and so it has to probe for something
and you propose this something to be some hardcoded vendor neutral name
that hopefully doesn't cause queries beyond the actual resolver
targetted, due to the zone being locall served by that remote DNS
resolver?

I see the advantage of this. Response time should be fairly quick
because no further resolving is required on the remote resolver part.

But I am bit puzzled by why a DNS probe is even needed when doing
DoH or DoT. Since you already build a TLS connection, isn't that in
itself already a proof of reachability - without sending a DNS query?

Doing this for port 53 seems odd. If unencrypted, you might as well use
the local network's DNS server since you are giving them all the data
anyway and all the opportunities to falsify the responses.

Paul

v2.35.0 | Report a Bug | By Email | System Status