Re: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting

Ben Schwartz <bemasc@meta.com> Mon, 10 July 2023 21:12 UTC

From: Ben Schwartz <bemasc@meta.com>
To: Roy Arends <roy@dnss.ec>, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
CC: Benno Overeinder <benno@nlnetlabs.nl>, DNSOP Working Group <dnsop@ietf.org>, DNSOP Chairs <dnsop-chairs@ietf.org>
Thread-Topic: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting
Date: Mon, 10 Jul 2023 21:12:33 +0000
Message-ID: <BN8PR15MB32814FB40B44BF1E88A59DB7B330A@BN8PR15MB3281.namprd15.prod.outlook.com>
References: <fa6ec641-0eab-dec6-2267-3ca818402812@NLnetLabs.nl> <BN8PR15MB32811A729AA0F3D979C7B6EBB323A@BN8PR15MB3281.namprd15.prod.outlook.com> <4A239D77-84E1-40EE-B4C6-62555A0DCB8E@dnss.ec>
In-Reply-To: <4A239D77-84E1-40EE-B4C6-62555A0DCB8E@dnss.ec>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/opTQ9cVLyU6UfuTIPNTYzOlzFfU>

Thanks!  I think making it clear that auth servers are allowed to send TC to force TCP upgrade is a nice compromise.
________________________________
From: DNSOP <dnsop-bounces@ietf.org> on behalf of Roy Arends <roy@dnss.ec>
Sent: Monday, July 10, 2023 4:04 PM
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
Cc: Benno Overeinder <benno@nlnetlabs.nl>; DNSOP Working Group <dnsop@ietf.org>; DNSOP Chairs <dnsop-chairs@ietf.org>
Subject: Re: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting


Ben,

Thanks for this! Comments inline.

> On 23 Jun 2023, at 02:27, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:
>
> I want this draft to move forward, but upon review I noted with concern the security section text:
>
>    DNS error reporting is done without any authentication between the
>    reporting resolver and the authoritative server of the agent domain.
>    Authentication significantly increases the burden on the reporting
>    resolver without any benefit to the monitoring agent, authoritative
>    server or reporting resolver.
>
> Strong authentication (e.g. to a zone identity with DNSSEC) is probably excessive, but the current draft appears to have no defense against even trivial IP spoofing.  Anyone in the world who can spoof IP addresses can impersonate a reputable resolver and pollute the error reports sent to authoritative servers.  As an authoritative server operator, I would place a lot more trust in reports from reputable resolvers than from unrecognized sources.

Ack

> I think the draft should probably say something like: "To defend against spoofing of source IP addresses used for error reports, reporting resolvers MUST use DNS over TCP [RFC 7766], DNS COOKIE [RFC 7873], or another procedure that defeats IP address spoofing."

I’ve added language to this extent. However, I won’t go as far as MUST. I’ve made this a SHOULD (for both TCP and cookie), while the authoritative server SHOULD respond with TC bit set to force a re-query over TCP.

Hope this suffices.

Warmly,

Roy


> --Ben Schwartz
>
> From: DNSOP <dnsop-bounces@ietf.org> on behalf of Benno Overeinder <benno@NLnetLabs.nl>
> Sent: Thursday, June 8, 2023 5:59 AM
> To: DNSOP Working Group <dnsop@ietf.org>
> Cc: DNSOP Chairs <dnsop-chairs@ietf.org>
> Subject: [DNSOP] Working Group Last call for draft-ietf-dnsop-dns-error-reporting
>
> Dear DNSOP WG,
>
> The authors and the chairs feel this document has reached the stage
> where it's ready for Working Group Last Call.
>
> This starts a Working Group Last Call for:
> draft-ietf-dnsop-dns-error-reporting.
>
> The current version of the draft is available here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/
>
> The Current Intended Status of this document is: Standards Track.
>
> Please review the draft and offer relevant comments.
> If this does not seem appropriate please speak out.
> If someone feels the document is *not* ready for publication, please
> speak out with your reasons.
> Supporting statements that the document is ready are also welcome.
>
> This starts a two week Working Group Last Call process, and ends on:
> June 22nd, 2023.
>
> Thanks,
>
> -- Benno
>


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
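As an added example (not code from the thread, the draft, or any DNS implementation), this is the authoritative-side acceptance policy the reply settles on: an error-report query is ingested only if it arrived over TCP or carries a valid EDNS COOKIE (option code 10, RFC 7873), and any other UDP query gets a TC=1 answer so the resolver re-queries over TCP. The server secret, the simplified cookie construction, the query name and the transport labels are constructed placeholders, not values from the draft.

```python
# Added example: accept-or-TC policy for error-report queries on an auth server
import hashlib, hmac, struct

SECRET = b"constructed-demo-secret"  # assumption: server-side cookie secret

def server_cookie(client_cookie: bytes, client_ip: str) -> bytes:
    # Simplified server cookie: 8-byte HMAC tag over client cookie + source IP,
    # so a spoofed source address cannot present a cookie minted for another.
    tag = hmac.new(SECRET, client_cookie + client_ip.encode(), hashlib.sha256)
    return tag.digest()[:8]

def skip_name(msg: bytes, off: int) -> int:
    # Advance past a wire-format name; a compression pointer ends it in 2 bytes
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def find_cookie(query: bytes):
    # Walk the question(s), then the additional section (assumes a query
    # message: no answer/authority RRs). Returns COOKIE option data or None.
    qd, _, _, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4  # skip QTYPE, QCLASS
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        rdata, off = query[off + 10:off + 10 + rdlen], off + 10 + rdlen
        p = 0
        while rtype == 41 and p + 4 <= len(rdata):  # OPT pseudo-RR options
            code, olen = struct.unpack("!HH", rdata[p:p + 4])
            if code == 10:
                return rdata[p + 4:p + 4 + olen]
            p += 4 + olen
    return None

def decide(query: bytes, transport: str, client_ip: str) -> str:
    # "accept": ingest the report; "tc": answer with TC=1 and drop the report
    if transport == "tcp":
        return "accept"
    ck = find_cookie(query) or b""
    ok = len(ck) >= 16 and hmac.compare_digest(ck[8:16], server_cookie(ck[:8], client_ip))
    return "accept" if ok else "tc"

def build_query(qname: str, cookie: bytes = b"") -> bytes:
    # Constructed TXT query (ID 0x1234, RD set) with an optional OPT/COOKIE
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, int(bool(cookie))) + name + struct.pack("!HH", 16, 1)
    if cookie:
        opt = struct.pack("!HH", 10, len(cookie)) + cookie
        msg += b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opt)) + opt
    return msg
```

A client-cookie-only query (the first exchange under RFC 7873) also gets "tc" here, which matches the reply's SHOULD: the resolver can either complete the cookie handshake or simply retry over TCP.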