[DNSOP] Re: Last Call: <draft-ietf-dnsop-zoneversion-09.txt> (The DNS Zone Version (ZONEVERSION) Option) to Informational RFC

"Wessels, Duane" <dwessels@verisign.com> Fri, 05 July 2024 22:33 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2BFCC14F705; Fri, 5 Jul 2024 15:33:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.406
X-Spam-Level:
X-Spam-Status: No, score=-4.406 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ttuwEpx0yQoa; Fri, 5 Jul 2024 15:33:22 -0700 (PDT)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC231C14F609; Fri, 5 Jul 2024 15:33:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=8661; q=dns/txt; s=VRSN; t=1720218801; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=b+3AN/Bi4t/5CKVI4urZ5jLBS6ADlPzJ2f+rOmeSC0Q=; b=ofLYRYDhkX4TUA1hKvASmvQ0+9wKDmsr7PplXEF4dQmjns39zPDxjZqh oHz2BbMi1EN8VJFnoiOAkohsEhZl5mShdpWcF0+3VC34Mvana+FIoPUpY Nih2qWPv6VNE4pGPUYw2JNM60CJD71XH2y7M5Y/Odw8sC9qIpya6yXoYq J8PYmOVAn0+i6CoSG0MsjgEqk3fbDoNxxLtD6W++7y8hkW52TdVrY1gig sci6KIy7ynVB3/dJcryjFvm3n0hakk6W1AreKJk45Qxdd/awj+tjPX7Pf sF55zHyjKyM6cR2f2V/DCfABxAv7eP+XAMdJgWxiZ8sXMCK0Ho31f+c9w w==;
X-CSE-ConnectionGUID: TnCHowrIRQKM3YCtFhwINQ==
X-CSE-MsgGUID: Sq62E7DmRY+uNq3WYmfhBQ==
X-ThreatScanner-Verdict: Negative
IronPort-Data: A9a23:fGx4uq0wjP74phxrLPbD5aN2kn2cJEfYwER7XKvMYbSIpGtil2len TNbADbYJb/RMSHyZpovP9PnsQ9E7KZh/KYgFVsx+Dd1EGkiRaHtXtjGJ0qqMyibd8eTR0g/5 chANoCbds4/HnGM/UnyPLG58ShwjP/XG+qtUrKYZSwoG1E5Qnx72Rw9luVp2NEx0LBVbyuEo cv2osbWJF6i3XlsMWkPtOeYqRxptejvoj5wUnkWPJin63eCzSFEZH5mGYmxM2fgEM4TGeWhX 6DPzb649W7D41EmDdb9OF9Rm3BiflKpBuTyt0d+W7S+mkoF4TQx0+M8P+EEL0tWhDSCksptj t5KsMSdCl+j1mWdmPgBS0sfGCh1MLcA467CKGWjsYqYyEiBdmPvwrJiDU43NoAC5u0tGmFH7 /EUMzUMax2IjqS92q7jItWA/f/PUPQHRqtH/CkI8BnZEeo+WsKEBLrV+plU3Tgxjc1UAbDVY M9eQgJUNL4pyOAMYv3+o3JWoAvTvZWITtEigA7T/cIKy2jP0BRqgv+qL8XKPNCLSsRek1yE4 GnB+iPjGhhfKdXHoQZpiUlA8dIj5wunHtp6KZW46uJymw/UgXMMF1saVFS6qvSjlgi1XNcYM VQdvzcn9YJayKDQdTWKYvHCiCLC5nYhZudt/80GBCClxvTduwqTWWZeFjdLY9F25JVuGjF3i gbYlo7gXGRk7rfJECLM/bqq9j7jYiJ9wU3ux8MnZVBcv4S8+tFbYjbnFIsL/Hud14Wtcd3I6 2nX6nV43vNL0JNjO5yTpTjvmyirqoXCUjk77wDWWnPNxg5ibeZJXaTxgbTgxagGdNfxomWp5 iBex5DBtL1WVvlhqQTWKAkzNODxjxq6GGCE6bJfN8FJ3yig/XelYbdR7FlWTG91MtwJcCPee 0TavwVc/vd7ZBNGuocuPupdo+xzpUTRPYyNusL8N7KiUbAoHOOzxxyCUGbLt4zbuBN1zfxgY 8fznfGEVh72AYw/pNa/b7lFje9znkjSz0uLLXzw50zPPbZz+Bd54FrKWbeDRrlR0U+KnOna2 +pZHOuN1A9+atTdR3Lm2pI9LU8rC0FuUPgaq+QPHgKCCiBcPjgeLdLhmepnZYdihbwTn+uO4 GumXAlTz1+XaX/vcF3MMy84LuqyBtAj/RrXPgR1Vbqs83Q8bJ204aMEX4U6Z7g89eNli/VzS pHpfu3bUq0eFm6bqlzxa7HGtdI4WUuHgDi/fDeDeWMATptuRybwr4qMkgzHsXNm4jCMndMlu 7Sr2wDzQIEIAQN4A67+ZPS0yEuZvHUBlqR1RUSgCtVJcUvwtYlnNyK0gvksJNlJOxLFyyWXz R2XBhEwpOTRrcky6tahuEyfh42zFbJhGEdKRzCe9qiscyzb5S+pxslKSuDROy7HT2Wy86KnD QlI88zB3DQ8tA4im+JB/3xDlMrSO/OHS2dm8zlZ
IronPort-HdrOrdr: A9a23:iJYWqqiHwR18A2F0k2yHQIzOgXBQXgcji2hC6mlwRA09TyX+rb HKoB17726XtN9/YhEdcLy7VpVoIkmyyXcd2+B4AV7IZniEhILHFuBfxLqn7THmFzb36+JRkY xxGpITNPTASXx3l9zz7gX9MdoxqePszImYwcPT1W1kQw0vUbxn9AsRMGumO1d7XxZLHqA0E5 eg5s5KzgDKRUgq
X-Talos-CUID: 9a23:k13eXGvyjwIaMOnbGIHVx8Yq6IsZdFb9y2jKAnWBKkMyeZaJZ1+P2YVdxp8=
X-Talos-MUID: 9a23:6IRGZAnNs8tfuo4m0U9idnpZLZkyzvuCDXo80oggopK7BCl+Ox2k2WE=
X-IronPort-AV: E=Sophos;i="6.09,186,1716249600"; d="p7s'346?scan'346,208,346";a="38194249"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.37; Fri, 5 Jul 2024 18:33:20 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2507.037; Fri, 5 Jul 2024 18:33:20 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Petr Špaček <pspacek@isc.org>
Thread-Topic: [EXTERNAL] [DNSOP] Re: Last Call: <draft-ietf-dnsop-zoneversion-09.txt> (The DNS Zone Version (ZONEVERSION) Option) to Informational RFC
Thread-Index: AQHazytWGgy1KGNi6k68eNTC4eW0SQ==
Date: Fri, 05 Jul 2024 22:33:20 +0000
Message-ID: <80CA0829-A0BC-4BF2-B04D-FE5CCC118436@verisign.com>
References: <abce75c4-af10-4fd1-9e99-8c4718996eec@isc.org> <B5D55688-06AA-491A-AD12-1E1A998CF7B0@strandkip.nl> <ec1f12e5-8fa8-49ee-aa32-35824017a2af@isc.org>
In-Reply-To: <ec1f12e5-8fa8-49ee-aa32-35824017a2af@isc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3774.600.62)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_1AD9A26C-520D-4AF6-B989-2F530D7E7075"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Message-ID-Hash: T7EE5WNN73U5OPR2OMKRZ24UVOLFRW5U
X-Message-ID-Hash: T7EE5WNN73U5OPR2OMKRZ24UVOLFRW5U
X-MailFrom: dwessels@verisign.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>, "draft-ietf-dnsop-zoneversion@ietf.org" <draft-ietf-dnsop-zoneversion@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Last Call: <draft-ietf-dnsop-zoneversion-09.txt> (The DNS Zone Version (ZONEVERSION) Option) to Informational RFC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oPi8M1efQMl-USQJIlid6JyElAI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>


> On Jul 4, 2024, at 1:55 AM, Petr Špaček <pspacek@isc.org> wrote:
> 
> 
> Unrelated thoughts:
> 
> ### OPCODE
> Currently the document sorta implicitly talks about DNS queries - mainly implied by the structure of section 3.2 and listed possible answer types and RCODEs.
> 
> Should the document be explicitly limited to OPCODE=QUERY, or is there value in allowing other opcodes?
> 
> E.g. RCODE=YXRRSET comes to mind, where it could be useful for OPCODE=UPDATE as well as OPCODE=QUERY.

You’re right that the document was written with QUERY in mind.

As you say, it might also work for UPDATE and maybe even NOTIFY.   

UPDATE presents a slight complication in that some implementations probably increment the serial/version shortly after processing the update, but perhaps after sending the response.  If UPDATE were to be supported, then we’d probably have to specify that the server returns the pre-update zone version.

Since the entire thing is optional to implement anyway, maybe just leave it up to individual implementors which opcodes they want to support?



> 
> 
> 
> ### Error handling advice
> While re-reading it once more I wonder if sections 3.1 Initiators and 3.2 Responders should have some more words about when to do when various MUST/SHOULDs are violated?
> 
> Say initiator gets answer with exactly duplicated ZONEVERSION. What now?
> And what if LABEL and TYPE are duplicate but with different SERIAL values? What now?
> 
> Drop it on the floor as signal FORMERR in both cases? Or process and display as usual in the first but drop the second case? Or what?

I think both of those options are fine because it probably depends on the client.  Would you like to see text in the document saying so?


> 
> 
> This is my generic complains with dnsop documents - they often do not say what's expected behavior when constraints are violated. We can take it as a though experiment and see where we get.
> 
> 
> Ad one specific case which _is_ defined:
> > A name server MUST ignore invalid ZONEVERSION options present in the query message.
> 
> Does that mean that server MUST ignore ZONEVERSION query with 60 000 bytes of payload and proceed as usual? I would say it warrants FORMERR :-)

This will be changed to say that a server MUST return FORMERR, instead of just ignoring.

DW