IETF Logo Mail Archive

Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information

Brian Dickson <brian.peter.dickson@gmail.com> Tue, 30 April 2019 23:44 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ACD312041E for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2019 16:44:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qOj0xoZ5NkD9 for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2019 16:44:12 -0700 (PDT)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CD6912041D for <dnsop@ietf.org>; Tue, 30 Apr 2019 16:44:12 -0700 (PDT)
Received: by mail-qt1-x835.google.com with SMTP id j6so18508406qtq.1 for <dnsop@ietf.org>; Tue, 30 Apr 2019 16:44:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iP8r0crQZgYlf2S/DDN6ZvW6nzGZBjiLpvY8IQ9G4B4=; b=Nu20saaSWgOpketX3NtmUGE5PIE81UMwAyvK4dBz5IgNaVup+xzLyCQy/ADOLffLfF Kbv5+uPiDB22PpOxSAQewrs8Qzw6rO73zDgeB5ppO8k/SQqR6NZ2CIqy2/Uln5fE9nLg T9iqP8TzKDZ6UIJ8D2r5DDEaYSRqpgaFQXqIOizFPoN6zJs0euJV+KbiEmld5OPVstjC KGDskJPEE2r7+aPOWCMw7r4wbBqFh26YTw864WiTSLlJhTpGhjiaJppOTuj8GQ6yRk+k ybrUsepkUmotYA38+eb+iW+r4lve9oIolr6IT66NH1HkB2DlTSFPtdaR40LoimZmwa0S +mBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iP8r0crQZgYlf2S/DDN6ZvW6nzGZBjiLpvY8IQ9G4B4=; b=pDJ1ZlQjLQNrMoe1CqDDAvomonJRBTf77LXr2PuGAXoIgbMLvIs3dgkW3P1GanFvUQ 44GwN4TeOt6z8whBNm2LWqUaDi9gwwhT8dT2U1e21TBxomWYFVTyBLsjK/Ki1g9ZbBeZ g6QiTUj5OX1vRv3E4Y+fGn83Kt73+xiL8icKC8oTEZH3KPTgwPnhelb+5CBdfkwZ3pd5 n76wfM/7Ce/9MFtRNCZIUBKflvwWb8SHJRm4RFqJ4VRDmkV2j1O+1LLcoondK6PAIThc om1FsQmeKDxl5F3BEkug91duO+oYd9v5L/eupXtjjWQFCtqejDL5PF0/sZ9NCHbIWTyO n7mA==
X-Gm-Message-State: APjAAAUKsRI6Den1ZsJFq5AEB6LkO6eys4UXrfWNJQiPVyNopEYViCJf 8ufWf3Zwg5JFkznhs+SW1GQYTqbKqnnCSoG/fGM=
X-Google-Smtp-Source: APXvYqyBZeZM2uJemmC8VG9iuOwR9yHHnAAZvqDhEhBEDSy5uoimAd9LTnbShY6SV5bKheeBDb5fczwArMlScoBwFNg=
X-Received: by 2002:aed:2537:: with SMTP id v52mr27208606qtc.351.1556667851581; Tue, 30 Apr 2019 16:44:11 -0700 (PDT)
MIME-Version: 1.0
References: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org>
In-Reply-To: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 30 Apr 2019 16:44:00 -0700
Message-ID: <CAH1iCipXbZT6o6NifkxZEmy9i+UfRaozQGkwSeznnSNdKPLFhg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000053ab2b0587c7fac6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n7LF4nOlxpFK4V4GDWdhsBlXPMM>
Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2019 23:44:23 -0000

>
> Also note that this is explicitly only for resolvers; we might later do a
> second protocol for authoritative servers who want to give information
> about themselves (such as if they do DoT, if that moves forward in DPRIVE).
> The reason for the split is that a resolver that doesn't know the protocol
> here might pass the query on to the authoritative servers for the root or
> .arpa, and the response to the stub would then be ambiguous.
>
> We look forward to your bashing and/or support.
>

TL;DR: RFC-1918 potentially messes a lot of things up, including the
ability to bypass any forwarders to talk directly to the resolver being
used.

So, there are some semantic issues that lead to potential problems on
naming/addressing (literally) the intended target.

The roots of the problem below are that:

   - A DNS server can't distinguish between a stub client and a client
   which is a forwarder.
   - A DNS client can't distinguish between a server which is a resolver,
   and a server which is a forwarder.
   - A DNS forwarder can tell nothing about its own downstream or upstream
   - There is no inherent limit on the depth of a forwarding tree
   - Add on selective forwarding, and multiple server addresses on any
   fork, and you end up with arbitrary sized directed graphs (not even
   guaranteed to be acyclic!).


Specifically, regarding the problems that intermediate forwarders can
present:

   - Presume a true "stub" client in the draft
   - Presume that client from the draft, is pointed at what it believes is
   a "resolver"
   - Now consider the possibility that the client's immediate target
   (resolver) is actually what we call a "forwarder", which
      - responds to RD=1 queries
      - possibly implements a cache
      - generally forwards to one or more other "resolvers":
         - each of which is itself indistinguishable as being a "true
         resolver" or another "forwarder"
      - Now, add more complexity from RFC-1918:
      - Each "forwarder" or "resolver" can be numbered from RFC-1918 space
      - Each "forwarder" or "resolver" may be integrated onto a
      "middle-box", which can include:
         - Providing DHCP service to clients
         - Providing DNS service to clients
         - Being a DHCP client of another entity/network
         - Forwarding its DNS queries to an upstream DNS "forwarder" or
         "resolver"
         - May have conflicting outside/inside RFC-1918 addressing schemes
      - There may specifically be an address collision between the DNS host
      IP it serves in DHCP (itself) and some DNS host it uses upstream (direct,
      or upstream^N)

In such a potentially ambiguous and potentially conflicting set of boxes,
there are several problems that can arise:

   - Without a public IP address, global public DNS can't be used (no RFC
   1918 allowed)
   - Without a public IP address, any possible name is at best of limited
   use, and reliant on the use of the correct DNS resolver to achieve name->IP
   mapping
   - Without a public IP address, the private IP address of the intended
   DNS resolver might not even be directly reachable:
      - I.e. if the actual resolver (not forwarder) has an IP address,
      which is in a conflicting RFC-1918 ranges from the perspective of the
      client.
      - E.g.:
         - The client has received a DHCP address of 192.168.0.254/24,
         - The gateway of 192.168.0.1, which is a "middle-box".
         - The middle-box is a DHCP client itself, receiving its own
         address of 192.168.0.127/25
         - The middle-box has its own gateway of 192.168.0.1.
         - Both instances of 192.168.0.1 are DNS servers, with the
         "closest" one to the client being a forwarder, and the
"further" one being
         a full resolver.
         - The full resolver cannot be reached.

(Also, as a result of these challenges, there may even be some overlap with
the "homenet" folks, not that I at all want to open that can of worms.
However, any solutions might be applicable in both areas, so it might be
worth keeping that use case in mind as well.)

It might be possible for any DNS server to establish some unique name (e.g.
a UUID or GUID label).

A UUID/GUID still presents a challenge for having the ability to use the
name, and probably any number of hacks might be needed for being able to
establish a connection to the DNS server via the name.

Restricting the draft's applicability only to publicly-addressed DNS
servers may not be sufficiently useful to warrant pursuit, unfortunately.

Ironically, the only type of DNS server guaranteed to have a public IP
address, is the authority server for a globally unique domain name.

Even if it were possible to stuff the stateful bits of DoT into EDNS
things, e.g. added to DNS over UDP, the problem is EDNS is only hop-by-hop,
not forwarded.

I've kind of run out of wacky ideas on how one might pass Do* through
forwarders, to talk to a resolver if there's any RFC-1918 conflict.

Maybe it is sufficient to discover the conflict/reachability issue, and
have an appropriate error/response with enough information for the user to
get the problem fixed?

I.e. if there is at least one forwarder, possibly doing NAT, but no
RFC-1918 conflict, the resolver should be reachable, and the only issue is
one of naming and discovery of the resolver's IP address (and NOT any of
the forwarders involved).

Maybe that could be added to one of the sections of the draft and worked on?

Brian

v2.23.0 | Report a Bug | By Email