Re: [DNSOP] I-D Action: draft-ietf-dnsop-session-signal-02.txt

Petr Špaček <> Fri, 18 August 2017 15:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DD3A61326E1 for <>; Fri, 18 Aug 2017 08:13:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IctTYljIBkyA for <>; Fri, 18 Aug 2017 08:12:58 -0700 (PDT)
Received: from ( [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 366C1132658 for <>; Fri, 18 Aug 2017 08:12:58 -0700 (PDT)
Received: from [] ( []) by (Postfix) with ESMTPSA id 21CD2613CB; Fri, 18 Aug 2017 17:12:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1503069176; bh=832HR0F2VH9Wckp/wcVPl2qSrj00VgMw849KbE+qW+g=; h=From:To:Date; b=BU6Q4vmMioOe5VSMYgMtPK1QVAsonQeelxa9a4D4GbH/mX3wAnzQegT1TcYVFG888 hpcRFJBIPp4WiMrQOszhFgqHMngVAA9B5A6iLi3igl898shd1MDkTSdju7nVoXUjw2 pBqt6VgpNnP5JiAlGfmIjAbFrGDGHdL7QiP6ybBE=
From: Petr Špaček <>
To: Ted Lemon <>
Cc: dnsop WG <>
References: <> <> <> <> <> <> <> <> <>
Organization: CZ.NIC
Message-ID: <>
Date: Fri, 18 Aug 2017 17:12:55 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-session-signal-02.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 18 Aug 2017 15:13:03 -0000

Hello Ted and dnsop,

I'm trying really hard to find out why we do not understand each other
so I dug into to dnsop archives and draft-bellis-dnsop-session-signal-00
to see if my questions were already answered somewhere. Hopefully I have
better understanding and will focus on technical questions.

To be absolutely clear:
There are parts of session signaling I *do like*, especially the idea to
use a new OPCODE to separate "signaling" from "normal traffic". Also, I
do not object to DNS-SD and other features built on top of session

On 10.8.2017 14:43, Ted Lemon wrote:
> Petr, forgive me for holding your feet to the fire on this, but you make
> several statements along the lines of "for me, ... is stretching the
> definition too far," "I disgree that this is less significant," et
> cetera, but you don't actually raise any technical objections—you just
> expressed uneasy feelings, with which I don't think the working group is
> competent to help you.

I will try my best to make the point even clearer, I promise!

My objections are in the end about engineering costs, which was nicely
summarized by Paul Vixie in another thread (about SWILD, but applicable
to session signaling as well):

For me the major portion of cost does not come from features (like
session management etc.) but from the *framework* needed to build them.
This cost increase IMHO stems from fact that the framework (SS aka DNS
control plane as you named it) does not build on existing and widely
available components.

I believe that added complexity is one of serious technical parameters
and I was objecting to it 4 months ago already:

> Your claim that this is a new wire format is
> incorrect.   What it would mean for this to be a new wire format is that
> it is incompatible with the existing wire format.   Doing something like
> that is an interesting job that is potentially worth working on, but
> would have a very long deployment window, if it got deployed at all.
> What we are proposing here is not a new wire format.  It is compatible
> with, and enhances, the existing wire format.

Let's not focus on wording but on the meaning.

We can certainly call TLVs "extension" but renaming it does not remove
the fundamental problem:
TLVs are largely incompatible with the code we already have widely
implemented and deployed everywhere in all the DNS implementations and
tools. As a consequence, it is increasing engineering cost for all
involved parties.

Please keep in mind that "involved parties" mean also all the people who
are not interested in support for session signaling but happen to work
on DNS monitoring, testing, etc. This will get worse if SS gets off is
used as "DNS control plane" because at that point everyone will have to
support it, with all its costs.

> As for whether the working group should in fact undertake some grand
> design process for such a format, I don't have a strong opinion, but the
> first question I would raise is simply this: do /you/ want to undertake
> such an effort?   If the answer is yes, can you give me a sense of what
> your goals are?  The reason I ask is that IETF working groups are
> constrained to do work that participants are willing to do, and thus far
> we have seen no evidence that you are interested in working on this
> document, which has been a working group document for a year.

I apologize for taking so long before noticing the draft. To paraphrase:

I tried to ignore this draft for a while, but became alarmed after
reading about some of the recent development, so I went and read the


> As for whether this document is in charter, what we are proposing is
> certainly in scope for the working group—it's very clearly an
> operational enhancement for DNS in streaming protocols.   It doesn't
> change the way you do DNS queries—it just adds some new capabilities for
> new implementations.   I think it's very clearly useful—we already have
> three use cases for it.   If we were to stop work on this document now,
> the work that now relies on it would revert to what had been proposed
> earlier, which was not as good—dnssd has been hanging fire waiting for
> this work to be done because the working group wanted to cooperate with
> dnsop in producing something more generally useful, rather than doing a
> one-off extension like Apple's DNS Long-Lived Queries, which was never
> standardized.
> So if there is something missing from the document, or something
> unclear, or you wish we'd thought of ???, or think that !!! is not quite
> right and have suggestions, I think that would be really helpful.   And
> of course the working group chairs are free to agree with your vague
> feelings of unease and drop this as a working group document.
> But as for any sort of specific request that the authors or the working
> group could act on, I am not hearing anything of that sort in what you
> have said.   Can you think about this in that context, and see if you
> can more clearly articulate what it is that you find lacking in this
> proposal, so that the working group can figure out how to fix it?   Can
> you do it soon?

Okay, please let me be even more specific. I believe that WG should seek
answers to following questions and add explanatory text to the draft.

Looking at version draft-ietf-dnsop-session-signal-03#section-1:

In general, as far as I can tell, this document gives no clear
justification why it is a good idea to do it this way. What I really
want, on the highest level, is to see a justification why it is a good
idea *to not reuse and extend existing framework* like EDNS. We have not
been told of the practical problems that preclude solutions which are
closer to existing code, e.g. EDNS, which would lower the engineering
costs for the whole ecosystem.

Let me make clear that when I talk about EDNS and other existing stuff,
I still think about variant where e.g. EDNS is used in messages with new
OPCODE, so the separation is still there. This is in no way proposal to
mix SS and non-SS traffic.

To avoid all doubts, here is my list of specific high-level problems

   The existing EDNS(0) Extension Mechanism for DNS [RFC6891] is
   explicitly defined to only have "per-message" semantics.  Whilst
   EDNS(0) has been used to signal at least one session related
   parameter (the EDNS(0) TCP Keepalive option [RFC7828]) the result is
   less than optimal due to the restrictions imposed by the EDNS(0)
   semantics and the lack of server-initiated signalling.

a) What are technical reasons not to use EDNS similarly to what RFC7828
have done?
Specifically what is "less than optimal"?
What problems of RFC7828 are we trying to avoid?

b) What is the technical reason to invent a new thing instead of solving
"lack of server-initiated signaling" in EDNS instead?

Without justification it seems like we are not reusing code we have and
thus increasing costs unnecessarily.

   This document defines a new Session Signaling OPCODE used to carry
   persistent "per-session" operations, expressed using type-length-
   value (TLV) syntax, and defines an initial set of TLVs used to manage
   session timeouts and termination.

c) What were technical reasons to standardize TLV format over something
else? What technical criteria were used to design the new format?

Again, without justification it seems like we are not reusing code we
have and thus increasing costs unnecessarily.

   With EDNS(0), multiple options may be packed into a single OPT
   pseudo-RR, and there is no generalized mechanism for a client to be
   able to tell whether a server has processed or otherwise acted upon
   each individual option within the combined OPT RR.  The
   specifications for each individual option need to define how each
   different option is to be acknowledged, if necessary.

d) Is it something which is not solved by EDNS capabilities (just an
example)? I really need to see a justification why it is better to start
from scratch instead of improving existing standards and code.

   With Session Signaling, in contrast, there is no compelling
   motivation to pack multiple operations into a single message for
   efficiency reasons.  Each Session Signaling operation is communicated
   in its own separate DNS message, and the transport protocol can take
   care of packing separate DNS messages into a single IP packet if
   appropriate.  For example, TCP can pack multiple small DNS messages
   into a single TCP segment.  The RCODE in each response message
   indicates the success or failure of the operation in question.

e) Technically packing multiple messages into one single TCP segment is
not a property of session signaling but property of the transport. It
would work the same way if we were sending DNS messages with OPT
containing one EDNS option at a time. Current EDNS options define how
server replies to client, so the client gets a reply according to
particular standard. If the option is missing in the answer then it is
not supported by server, i.e. the cost of detecting unsupported options
is the very same as for session signaling with TLV (one round-trip).

In other words, this paragraph does not justify costs for inventing a
new thing because the EDNS already can do the same.

4.1.3.  EDNS(0) and TSIG

   Since the ARCOUNT field MUST be zero, a Session Signaling message
   MUST NOT contain an EDNS(0) option in the additional records section.
   If functionality provided by current or future EDNS(0) options is
   desired for Session Signaling messages, a Session Signaling Operation
   TLV or Modifier TLV needs to be defined to carry the necessary

   For example, the EDNS(0) Padding Option [RFC7830] used for security
   purposes is not permitted in a Session Signaling message, so if
   message padding is desired for Session Signaling messages, a Session
   Signaling Modifier TLV needs to be defined to perform this function.

   Similarly, a Session Signaling message MUST NOT contain a TSIG
   record.  A TSIG record in a conventional DNS message is added as the
   last record in the additional records section, and carries a
   signature computed over the preceding message content.  Since Session
   Signaling data appears after the additional records section, it would
   not be included in the signature calculation.  If use of signatures
   with Session Signaling messages becomes necessary in the future, an
   explicit Session Signaling Modifier TLV needs to be defined to
   perform this function.
   This specification explicitly prohibits use of the EDNS(0) TCP
   Keepalive Option [RFC7828] in _any_ messages sent on a Session
   Signaling session (because it duplicates the functionality provided
   by the Session Signaling Keepalive operation), but messages may
   contain other EDNS(0) options as appropriate.

f) Section 4.1.3. shows the problem in full. Approach envisioned by the
draft duplicates work and thus leads to unnecessary engineering costs
again. Re-inventing things for two incompatible frameworks (EDNS and SS)
will cost everyone a lot of effort.

Are there technical reasons justifying these costs? The document does
not answer this question, which is a significant problem.

Can we work together and find answers to there questions?
I will be happy to participate in the process.

Petr Špaček  @  CZ.NIC

> Thanks!
> On Thu, Aug 10, 2017 at 7:28 AM, Petr Špaček <
> <>> wrote:
>     Hello Ted and dnsop,
>     and sorry for delayed answer (below). Your message forced me to think
>     more about the draft, this time without focus on the wire format.
>     Spoiler alert: I still do not like the proposal in its current form.
>     Please see below.
>     On 21.7.2017 10:22, Ted Lemon wrote:
>     > I am hearing from a number of people that this is "a new protocol" and
>     > hence requires careful thought and perhaps a new working group, along
>     > with the associated delay.   I do not _entirely_ disagree with this
>     > position, although it would be really inconvenient from my perspective.
>     >
>     > However, I would like to point out that the objection "it is a new
>     > protocol" is not a technical objection.  Also, the same objection can
>     > actually much more justly be raised against several other proposals that
>     > were brought before the working group.   For example, the multiple
>     > RRtypes proposal, the multiple responses proposal, and the extended
>     > error codes proposal.
>     >
>     > All of these define new protocol, in ways that are in, like session
>     > signaling, backward-compatible with the existing protocol.   The other
>     > proposals are actually much more significant changes than session
>     > signaling is, in terms of what they actually do, as opposed to what
>     > their wire format is.
>     Okay, I can see what you mean - there surely are various levels of
>     complexity and protocol changes proposed in the last years for dnsop.
>     However I disagree that adding session signalling to DNS is less
>     significant change than e.g. multi-query/repose proposals.
>     As you said, session signalling is a "control plane for DNS", which is a
>     very new thing. Keeping (IMHO significant) wire format issues aside,
>     adding a control plane to DNS is in my eyes a significant new
>     development and should be treated as such.
>     > And as for a new DNS wire format, which I also think would be a good
>     > idea, this is pretty clearly /not /what session signaling is.   How
>     > would you do a DNS query with session signaling?   In what way would it
>     > be an improvement over the existing query format?   It's possible that a
>     > new wire format can be built on top of session signaling, but session
>     > signaling doesn't build a new wire format, and if we choose to do
>     > session signaling, that doesn't preclude doing a different wire format
>     > for queries later.
>     Maybe one of the problems is that the current draft mixes three
>     things in a single document:
>     - The new wire format,
>     - DNS control plane,
>     - Session signaling functionality over the control plane.
>     This is probably making things way harder to explain to non-authors than
>     necessary.
>     These really are separate things. I can imagine that control plane
>     and potentially its wire format can be together in one document (but I'm
>     still not convinced that the a wire format is necessary), but session
>     signaling functionality itself should be certainly separate from that.
>     Let's keep discussion about the wire format for later, there is even
>     more significant issue ahead of us:
>     > Session signaling is just a control plane for DNS.   It's useful.   I
>     > would like to see it done sooner rather than later.   If we are not
>     > going to do it sooner rather than later, I would like the reason to be
>     > something more than vague unease about walking backwards into a new wire
>     > format.
>     The problem is that current proposal is creating some generic "control
>     DNS plane" as by-product of session signaling functionality, as we were
>     discussion during dnsop session.
>     (References: "Totally flexible format" & "Concerned with embedding DNS
>     messages in TLVs" in [2].)
>     I believe that we really should not invent such generic mechanisms as
>     by-products.
>     If a WG agrees that a generic DNS control plane is needed, then it needs
>     to be carefuly designed and described, including problem statement and
>     analysis related to current and potential new transports. These are
>     compleretely missing now.
>     Moreover, the dnsop is specifically chartered to subset of possible
>     changes [1] to the DNS protocol:
>     4. Publish documents  to address operational issues with the DNS
>         protocols by  extending or performing protocol maintenance
>         on them.  Act as  focal-point for operator discussion and provide
>         advice to the Ops ADs and other WGs on EDNS0 options,  new
>         RRTYPEs, DNSSEC,  record synthesis, or other mechanics of
>         extending DNS to support other applications.
>     5. Serve as a home for drafts that document the problem space
>        around existing or new DNS issues.  The group, with the advice
>        and consent of the responsible AD in coordination with other areas,
>        will then decide whether these  issues belong in DNSOP  under
>        the existing charter and, if not,  will work with the authors and
>        appropriate ADs to determine the proper place for the work to be
>        carried out.
>     For me, adding control plane is just stretching this definition too far.
>     If session signaling is covered by this charter then we must admit
>     that dnsop can do anything it wants to the DNS protocol.
>     [1]
>     <>
>     [2]
>     <>
>     Again:
>     If there is a need for a "DNS control plane" then it should be enginered
>     as such and not invented as by-product of something else.
>     Yes, it is a lot of work. And yes, it should start with problem
>     statement for control plane (in general) and continue from there.
>     I hope it explains why I still do not like the current proposal.
>     Thank you for your attention.
>     Petr Špaček  @  CZ.NIC
>     >
>     > On Fri, Jul 21, 2017 at 10:02 AM, Petr Špaček < <>
>     > < <>>> wrote:
>     >
>     >     On 20.7.2017 19:09, Andrew Sullivan wrote:
>     >     > On Thu, Jul 20, 2017 at 06:59:42PM +0200, Ondřej Surý wrote:
>     >     >>> But it's certainly another step along the way to DNSbis by
>     accident.
>     >     >>
>     >     >> Would it be useful to make it not "by accident"?
>     >     >
>     >     > Yes.  That was basically the point I was trying to make at the
>     >     > beginning of today's session, about overall analysis.
>     >     >
>     >     >  > b) make this draft DNS-SD only, so it can fast forward...
>     >     >>
>     >     >
>     >     > I'm not keen on this.
>     >     >
>     >     >
>     >     >> c) use the changed paradigm to work on DNSbis without the
>     accident part?
>     >
>     >     Yes please!
>     >
>     >     My main opposition comes from fact that current session
>     signaling draft
>     >     "accidentaly" defines new protocol which is using the old
>     DNS-RFC1035 as
>     >     "transport".
>     >
>     >     I would welcome DNSbis effort with clear cut. Here please note
>     that
>     >     clear cut does not mean that RR format and data, for example,
>     has to be
>     >     incompatible!
>     >
>     >     It is still possible to share big chunks of specifications
>     (like RR
>     >     definitions, namespace, etc.) but define a DNSbis protocol
>     which is
>     >     clearly distinguishable from the old DNS.
>     >
>     >     Petr Špaček  @  CZ.NIC
>     >
>     >     > I'm starting to wonder whether a bof is needed.  Maybe the IAB's
>     >     > workshop will produce some fruit?