Re: [DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-no-response-issue-20: (with COMMENT)

Mark Andrews <marka@isc.org> Tue, 14 April 2020 00:23 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pgSg4PErfvycZexBK2ugk7JR1Hw>


> On 8 Apr 2020, at 11:25, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
> 
> Roman Danyliw has entered the following ballot position for
> draft-ietf-dnsop-no-response-issue-20: No Objection
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-no-response-issue/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for this document – it allows for a very approachable way to verify
> conformance.
> 
> ** Section 2. Per “Working around issues due to non-compliance with RFCs is not
> sustainable”, this seems like a bold statement.  What is the basis for it?

20 years of experience writing recursive servers.  We have given up trying to
work around such misbehaviour and just let the resolution fail.

> ** Section 4.  This section repeats several times that firewall should not drop
> DNS traffic with unknown parameters and such traffic should not be construed as
> an attack.  In the general case with “normal clients”, this is good advice. 
> However, for certain highly controlled enclaves where a white-list-style
> approach to traffic is taken, this is not realistic.  The presence of
> unexpected classes of new DNS traffic would be a bad sign (e.g., of compromise,
> a new software load whose features were not understood, or a configuration
> which was not validated)

And if you have such scenarios you are not looking at Internet facing servers.

> ** Section 8.  For completeness, per “The test below use dig from BIND 9.11.0”,
> please provide a reference.

Added.

> ** Section 8 dig examples.  It would be worth explaining $zone and $server.

Added.

> ** Section 10.  Per “Testing protocol compliance can potentially result in
> false reports of attempts to break services from Intrusion Detection Services
> and firewalls.”, thanks for calling this out.  I would recommend tuning this
> language:
> 
> -- s/break services/attack services/
> 
> -- to acknowledge that uncommon DNS protocol fields or traffic (from this test
> regime) might trigger anomaly-detection/profile-based IDS alerts too
> 
> ** Editorial Nits:
> 
> -- Section 8. s/is know/is known/

Done.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org