Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information
Brian Dickson <brian.peter.dickson@gmail.com> Tue, 30 April 2019 23:44 UTC
Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ACD312041E for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2019 16:44:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qOj0xoZ5NkD9 for <dnsop@ietfa.amsl.com>; Tue, 30 Apr 2019 16:44:12 -0700 (PDT)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CD6912041D for <dnsop@ietf.org>; Tue, 30 Apr 2019 16:44:12 -0700 (PDT)
Received: by mail-qt1-x835.google.com with SMTP id j6so18508406qtq.1 for <dnsop@ietf.org>; Tue, 30 Apr 2019 16:44:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iP8r0crQZgYlf2S/DDN6ZvW6nzGZBjiLpvY8IQ9G4B4=; b=Nu20saaSWgOpketX3NtmUGE5PIE81UMwAyvK4dBz5IgNaVup+xzLyCQy/ADOLffLfF Kbv5+uPiDB22PpOxSAQewrs8Qzw6rO73zDgeB5ppO8k/SQqR6NZ2CIqy2/Uln5fE9nLg T9iqP8TzKDZ6UIJ8D2r5DDEaYSRqpgaFQXqIOizFPoN6zJs0euJV+KbiEmld5OPVstjC KGDskJPEE2r7+aPOWCMw7r4wbBqFh26YTw864WiTSLlJhTpGhjiaJppOTuj8GQ6yRk+k ybrUsepkUmotYA38+eb+iW+r4lve9oIolr6IT66NH1HkB2DlTSFPtdaR40LoimZmwa0S +mBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iP8r0crQZgYlf2S/DDN6ZvW6nzGZBjiLpvY8IQ9G4B4=; b=pDJ1ZlQjLQNrMoe1CqDDAvomonJRBTf77LXr2PuGAXoIgbMLvIs3dgkW3P1GanFvUQ 44GwN4TeOt6z8whBNm2LWqUaDi9gwwhT8dT2U1e21TBxomWYFVTyBLsjK/Ki1g9ZbBeZ g6QiTUj5OX1vRv3E4Y+fGn83Kt73+xiL8icKC8oTEZH3KPTgwPnhelb+5CBdfkwZ3pd5 n76wfM/7Ce/9MFtRNCZIUBKflvwWb8SHJRm4RFqJ4VRDmkV2j1O+1LLcoondK6PAIThc om1FsQmeKDxl5F3BEkug91duO+oYd9v5L/eupXtjjWQFCtqejDL5PF0/sZ9NCHbIWTyO n7mA==
X-Gm-Message-State: APjAAAUKsRI6Den1ZsJFq5AEB6LkO6eys4UXrfWNJQiPVyNopEYViCJf 8ufWf3Zwg5JFkznhs+SW1GQYTqbKqnnCSoG/fGM=
X-Google-Smtp-Source: APXvYqyBZeZM2uJemmC8VG9iuOwR9yHHnAAZvqDhEhBEDSy5uoimAd9LTnbShY6SV5bKheeBDb5fczwArMlScoBwFNg=
X-Received: by 2002:aed:2537:: with SMTP id v52mr27208606qtc.351.1556667851581; Tue, 30 Apr 2019 16:44:11 -0700 (PDT)
MIME-Version: 1.0
References: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org>
In-Reply-To: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org>
From: Brian Dickson <brian.peter.dickson@gmail.com>
Date: Tue, 30 Apr 2019 16:44:00 -0700
Message-ID: <CAH1iCipXbZT6o6NifkxZEmy9i+UfRaozQGkwSeznnSNdKPLFhg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000053ab2b0587c7fac6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n7LF4nOlxpFK4V4GDWdhsBlXPMM>
Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2019 23:44:23 -0000
> > Also note that this is explicitly only for resolvers; we might later do a > second protocol for authoritative servers who want to give information > about themselves (such as if they do DoT, if that moves forward in DPRIVE). > The reason for the split is that a resolver that doesn't know the protocol > here might pass the query on to the authoritative servers for the root or > .arpa, and the response to the stub would then be ambiguous. > > We look forward to your bashing and/or support. > TL;DR: RFC-1918 potentially messes a lot of things up, including the ability to bypass any forwarders to talk directly to the resolver being used. So, there are some semantic issues that lead to potential problems on naming/addressing (literally) the intended target. The roots of the problem below are that: - A DNS server can't distinguish between a stub client and a client which is a forwarder. - A DNS client can't distinguish between a server which is a resolver, and a server which is a forwarder. - A DNS forwarder can tell nothing about its own downstream or upstream - There is no inherent limit on the depth of a forwarding tree - Add on selective forwarding, and multiple server addresses on any fork, and you end up with arbitrary sized directed graphs (not even guaranteed to be acyclic!). Specifically, regarding the problems that intermediate forwarders can present: - Presume a true "stub" client in the draft - Presume that client from the draft, is pointed at what it believes is a "resolver" - Now consider the possibility that the client's immediate target (resolver) is actually what we call a "forwarder", which - responds to RD=1 queries - possibly implements a cache - generally forwards to one or more other "resolvers": - each of which is itself indistinguishable as being a "true resolver" or another "forwarder" - Now, add more complexity from RFC-1918: - Each "forwarder" or "resolver" can be numbered from RFC-1918 space - Each "forwarder" or "resolver" may be integrated onto a "middle-box", which can include: - Providing DHCP service to clients - Providing DNS service to clients - Being a DHCP client of another entity/network - Forwarding its DNS queries to an upstream DNS "forwarder" or "resolver" - May have conflicting outside/inside RFC-1918 addressing schemes - There may specifically be an address collision between the DNS host IP it serves in DHCP (itself) and some DNS host it uses upstream (direct, or upstream^N) In such a potentially ambiguous and potentially conflicting set of boxes, there are several problems that can arise: - Without a public IP address, global public DNS can't be used (no RFC 1918 allowed) - Without a public IP address, any possible name is at best of limited use, and reliant on the use of the correct DNS resolver to achieve name->IP mapping - Without a public IP address, the private IP address of the intended DNS resolver might not even be directly reachable: - I.e. if the actual resolver (not forwarder) has an IP address, which is in a conflicting RFC-1918 ranges from the perspective of the client. - E.g.: - The client has received a DHCP address of 192.168.0.254/24, - The gateway of 192.168.0.1, which is a "middle-box". - The middle-box is a DHCP client itself, receiving its own address of 192.168.0.127/25 - The middle-box has its own gateway of 192.168.0.1. - Both instances of 192.168.0.1 are DNS servers, with the "closest" one to the client being a forwarder, and the "further" one being a full resolver. - The full resolver cannot be reached. (Also, as a result of these challenges, there may even be some overlap with the "homenet" folks, not that I at all want to open that can of worms. However, any solutions might be applicable in both areas, so it might be worth keeping that use case in mind as well.) It might be possible for any DNS server to establish some unique name (e.g. a UUID or GUID label). A UUID/GUID still presents a challenge for having the ability to use the name, and probably any number of hacks might be needed for being able to establish a connection to the DNS server via the name. Restricting the draft's applicability only to publicly-addressed DNS servers may not be sufficiently useful to warrant pursuit, unfortunately. Ironically, the only type of DNS server guaranteed to have a public IP address, is the authority server for a globally unique domain name. Even if it were possible to stuff the stateful bits of DoT into EDNS things, e.g. added to DNS over UDP, the problem is EDNS is only hop-by-hop, not forwarded. I've kind of run out of wacky ideas on how one might pass Do* through forwarders, to talk to a resolver if there's any RFC-1918 conflict. Maybe it is sufficient to discover the conflict/reachability issue, and have an appropriate error/response with enough information for the user to get the problem fixed? I.e. if there is at least one forwarder, possibly doing NAT, but no RFC-1918 conflict, the resolver should be reachable, and the only issue is one of naming and discovery of the resolver's IP address (and NOT any of the forwarders involved). Maybe that could be added to one of the sections of the draft and worked on? Brian
- [DNSOP] New draft, seeking comments: draft-sah-re… Paul Hoffman
- Re: [DNSOP] New draft, seeking comments: draft-sa… Paul Vixie
- Re: [DNSOP] New draft, seeking comments: draft-sa… Erik Kline
- Re: [DNSOP] New draft, seeking comments: draft-sa… Ralf Weber
- Re: [DNSOP] New draft, seeking comments: draft-sa… Brian Dickson
- Re: [DNSOP] New draft, seeking comments: draft-sa… John Levine
- Re: [DNSOP] New draft, seeking comments: draft-sa… Puneet Sood
- Re: [DNSOP] New draft, seeking comments: draft-sa… John Levine
- Re: [DNSOP] New draft, seeking comments: draft-sa… Vladimír Čunát
- Re: [DNSOP] New draft, seeking comments: draft-sa… John R Levine
- Re: [DNSOP] New draft, seeking comments: draft-sa… Vladimír Čunát
- Re: [DNSOP] New draft, seeking comments: draft-sa… Töma Gavrichenkov
- Re: [DNSOP] New draft, seeking comments: draft-sa… John R Levine
- Re: [DNSOP] New draft, seeking comments: draft-sa… John Levine