Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver-information-00.txt

Brian Dickson <> Thu, 31 October 2019 21:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 90312120818 for <>; Thu, 31 Oct 2019 14:27:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ypwzHj4UoIMB for <>; Thu, 31 Oct 2019 14:27:10 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::e2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 389E5120145 for <>; Thu, 31 Oct 2019 14:27:10 -0700 (PDT)
Received: by with SMTP id k1so5120536vsm.0 for <>; Thu, 31 Oct 2019 14:27:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qlgR6rl1/eg7c5FZp+Bs1zooF/QkkinD0S5US7D5uL4=; b=DaZlX2R9XDkzYQLHUAajkizJhzN7XGg+n+B8OSPw5QS5DNrIsd/c69U5ZVA9CKIWNQ /PRbU+j6zteUBNlgfFGtDv2FHl7zUZGIVE3F+d5nAP4wDWjbVYR27zFfwWmV0OO7nrB9 GNSDlrpicZAM+vp3SzeFdmcrIgG4g5ldFphOpYgSgT84QEunYnsNxpdiSzn9xfzf+96F YY0XWL65gW7BIZ5rXGKeFeyMAl7aqzXKG4e3gsAF1wf5SOfz/3ZZ0m1H7Sy1IlGULHyD 9m6fiH39HNUjOqzu/TPiLTLwFV5h0n9PX+g3id8xlYGNhq+lmRrJE1QrvRpnFRhBk2wl 0PoQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qlgR6rl1/eg7c5FZp+Bs1zooF/QkkinD0S5US7D5uL4=; b=skq7GOBBnlVrELTIWvrCVN9gszHLBP+HjECsAqjdC0qFSjgsfqAIw8XybRSayhKSc0 jYebcse5Lo1ToYzVs2H6XULQMvCf8ylkpM5dTS4BuuxiqIQSB/bIt/vPMMosnyc/bxDK pwbT1KOzeM/beszsgFGocglvcLY2mP6iIH3+i6+zyGjS8/M7j9A6r8WDf/aZSyddMat1 Au1CmOjE1oyi5wecExQMNC6i8gEfv1hars3KJlpnvG9jye5MT3V2J4Bk12eTUGcRisoi pqTAKCqWnSL8rr2yLk7FhXGkAXlZEm8W+LWDKFr8DCZqj+4AD9RcM6mXHNq3FE6qR2HD PDgg==
X-Gm-Message-State: APjAAAUdHRgcso1+vsuQRd1wjFy+wjTb0neUQ9gwoD8rUs/4RwNH1zIN 6WHn1QK4ZX0pMcR2TcZCRbFYE2xNckqPlgxjTsJ4+A==
X-Google-Smtp-Source: APXvYqwd8DKDhz2o3ktJ7xaqQSCqUC1JZjyvu71h4NLrRj/a+fFti7RKuxHbKmydKtKVfK9mklqcfj6GGY7bqUeRivM=
X-Received: by 2002:a67:dd15:: with SMTP id y21mr4177424vsj.199.1572557229048; Thu, 31 Oct 2019 14:27:09 -0700 (PDT)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: Brian Dickson <>
Date: Thu, 31 Oct 2019 16:26:37 -0500
Message-ID: <>
To: Ben Schwartz <>
Cc: Erik Kline <>, Neil Cook <>, dnsop <>
Content-Type: multipart/alternative; boundary="00000000000006f3db05963b8346"
Archived-At: <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-resolver-information-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 31 Oct 2019 21:27:14 -0000

Top-reply to highlight a question:
I think there may be a different rationale for using some of the novel
ideas that Ben and Neil have raised, and am wondering if putting those in a
different draft makes sense?

I think so, and am very interested in working on those. The current draft
can be useful for a subset of use cases (e.g. where not problems exist and
where security is desired), so they are not completely competing things.

In particular, I'm interested in a DNS-only approach, which provides more
information with traditional DNS RR types.

More noodling follows, about what/how etc, stuff that probably can go into
a potential new draft.

The goals of the alternate draft for resolver discovery, are (IMHO):

   - Work in backward compatible, incremental deployment scenarios
   - Provide signed (DNSSEC) information as much as possible
   - Handle clients moving between networks (laptops would be a
   typical client with these kinds of requirements)
   - Handle forwarders/resolvers with no public DNS name, and no public IP
   address, but ALSO handle forwarders/resolvers that have public DNS names
   and/or public IP addresses
   - Provide enough information to identify topologies and places where
   conflicts might first occur (especially overlapping DHCP/NAT addresses)
   - Enable clients to identify viable resolver choices that support
   requested transport and are directly reachable (e.g. DoT, DoH, UDP)

The basic nuts and bolts that IMHO would be required are:

   - A forwarder/resolver doing "this" would :
      - have a name for itself, that it already has been assigned (FQDN) or
      that it "picks" at random with local-only significance (high-entropy name
      to minimize collision risk, a la ULA in IPv6)
      - have a trust anchor for a domain at its name (either FQDN or picked
      name), used to DNSSEC sign data it self-publishes (including everything
      listed here)
      - publish the names and/or IP addresses of upstream resolvers (if it
      is a forwarder), or indicate that it is a resolver
      - publish which transport protocols it answers/serves (e.g. DoT, DoH,
      TCP, etc.)
      - publish the TLSA record for its name (FQDN or picked) if
      appropriate (DoT, DoH)
      - have a certificate (either self-generated/self-signed, or issued by
      another party) corresponding to the TLSA record, if appropriate (DoT, DoH)
      - be authoritative for a "well-known" name such as ""
      that is a CNAME to its actual name (FQDN or picked name)
   - Upstream resolver/forwarder discovery would use queries for the above,
   for the configured/assigned resolver address
      - If the upstream is not doing "this", and is a forwarder, the query
      for "" would be forwarded upstream
      - if the upstream is doing "this", all the information would be
      available to populate the "upstream" portion of the published data
      - If the next upstream forwarder doing "this" is NOT the immediate
      upstream, the "upstream" portion would have both the immediate upstream
      (IP) and the next "this" upstream
      - If any upstream forwarder returns NXDOMAIN, the upstream forwarder
      sequence ends at a resolver that does not do "this"
   - Each downstream forwarder would add all the information from the
   upstream to its set
   - The "tail end" forwarder would have an upstream "graph" of names
   and/or IPs, including whether the resolver(s) at the leaf nodes of the
   graph do "this", or not
   - Each leaf node can be evaluated as to whether it does "this", and
   whether it can be reached directly (important for DoT/DoH for network
      - The leaf nodes are a "candidate set"; the set of leaf nodes
      directly reachable are the "resolver set". The resolver set may be empty,
      in which case client upgrade is not possible.
   - Changes that occur would require changes to the publication zone (at
   the FQDN or picked-name zone) including change to the SOA serial number.
   This would trigger re-signing, and would be learned by downstream nodes in
   the graph when TTL expires. TTL choice is important, as a result.

The benefits of this scheme include:

   - DNS traceroute
   - Identification of DHCP/NAT conflicts across resolver boundaries
   - If no conflicts occur, the largest possible set of resolvers providing
   $service would be discovered and could be used automatically
   - The discovery mechanism would involved DNSSEC-signed data, preventing
   MITM attacks against resolver selection/identification
   - DoT/DoH certificate validation would be supported even for
   forwarders/resolvers without public names or addresses
   - DNSSEC key rolls could be RFC 5011 compatible, even with these
   self-named resolvers
   - For FQDN-named resolvers, only the single DNS root trust anchor would
   be needed

IMHO, the implementation would not be overly complex, and most of the
operational performance issues are avoided for the discovery aspects
(occasional DNSSEC signing, but mostly just serving signed data in the
This would not itself alter the DoT/DoH service that a resolver does, it
would only facilitate the discovery/identification/validation steps in
establishing the DoT/DoH connection.

Comments welcome.
(I realize this might not work or scale, but if it does, I think it solves
a number of interesting and important problems for DoX deployment in
small/private environments, including possible consumer-grade devices with
upgraded software, or other methods of deploying/operating resolvers from
within such environments.)


On Mon, Oct 28, 2019 at 1:56 PM Ben Schwartz <bemasc=> wrote:

> On Mon, Oct 28, 2019 at 2:40 PM Erik Kline <> wrote:
>> IIRC Ben Schwartz at the mic (Prague? Montreal?) mentioned he was
>> interested in seeing something like "traceroute but for DNS", which (a) is
>> what your described scenario sounds like to me and (b) is a
>> separate objective from this draft.  I think it's just...unrelated.
> I'm not sure that it's unrelated.  I hazily imagined something like an
> "upstream" field in the RESINFO object, which contains the upstream
> resolver's RESINFO object (etc.).  In other words, I think that use case
> might be well-served by this design.
>>   I don't think we have DNS hop-by-hop -type semantics, which would make
>> the discovery of intermediate resolvers/forwarders easier.
>> On Mon, Oct 28, 2019 at 9:03 AM Neil Cook <> wrote:
>>> I was quite surprised that there was no reaction to my comments. Are
>>> they not worth replying to, or is there just not enough interest in this
>>> draft?
> FWIW, I've previously stated a preference for dropping the use
> of ".well-known" entirely, and using draft-00's "" name
> instead of reverse-IP, in order to improve support for passive forwarders.
> I understand this was changed in the hope of offering some kind of security
> here with DNSSEC, but I think it's unlikely to work in practice, and we're
> better off keeping things simple.
>>> Resolver discovery seems like such an important topic given what is
>>> happening with DoH and DoT, I can’t believe that folks aren’t interested in
>>> progressing this, and I think ensuring that it works for the extremely
>>> widely deployed use-case of a DNS proxy/forwarder is very important.
>>> Neil
>>> > On 11 Oct 2019, at 14:41, Neil Cook <> wrote:
>>> >
>>> > I have some comments on this draft.
>>> >
>>> > I’m particularly concerned about the extremely common use-case where a
>>> DNS proxy is used in front of the actual resolver; this is the case for
>>> many home routers/CPEs, particularly those provided by ISPs. They tend to
>>> give out DNS via DHCP on a private IP address e.g. 192.168.0.x, and then
>>> use dnsmasq (or homegrown software) to proxy to the actual resolver of the
>>> ISP located in the network on a public IP address.
>>> >
>>> > TL;DR - there are two mechanisms defined in this draft. The first
>>> mechanism "Retrieving Resolver Information by DNS” seems like it would work
>>> ok with the above scenario. The second mechanism "Retrieving Resolver
>>> Information by Well-Known URI” would require changes to every CPE of the
>>> type described above, which IMO makes it unworkable for that scenario. (BTW
>>> for CPE insert any kind of DNS proxy/forwarder, which would have the same
>>> issue).
>>> >
>>> > My main concern is that given that there are two mechanisms specified,
>>> clients may choose only to implement one of them. The draft doesn’t appear
>>> to specify that client authors must implement one or the other, or both. So
>>> I’d like to see the draft mandate that if only one of the mechanisms is
>>> implemented, it must be the "Retrieving Resolver Information by DNS” method.
>>> >
>>> > I’d like to see the draft give due consideration to this very common
>>> use-case, (both CPEs and the more general case of DNS proxies/forwarders).
>>> >
>>> > A few additional comments which I think need to be considered:
>>> >
>>> > - For the Well-Known URI mechanism by resolver IP, clearly private IP
>>> addresses can never get valid certificates, so even if CPEs were to
>>> implement this mechanism, they can never be authenticated.
>>> >
>>> > - For the DNS method, given that a resolver never knows if DNS proxies
>>> are being used (in CPEs or elsewhere) or indeed what IP addresses are being
>>> used behind those proxies, I would imagine that at a minimum it would need
>>> to answer RESINFO queries for *all* RFC1918 addresses. This does then lead
>>> to the question, why include the IP address in the query at all? I assume
>>> the answer is “DNSSEC”, but see below for some more questions/comments on
>>> that.
>>> >
>>> > - There is an acknowledgement "Erik Kline suggested using
>>> "<reverse-ip>.{in-addr,ip6}.arpa" as the
>>> >   domain name to allow for the possibility of DNSSEC-signed responses.”
>>> >
>>> > I think it’s worth noting that RESINFO queries for private IP
>>> addresses will never be able to generate DNSSEC-signed responses. Also
>>> given the restriction "Authoritative servers MUST NOT answer queries that
>>> are defined in this protocol.” it seems unlikely that many resolvers would
>>> be capable of generating DNSSEC-signed responses, especially given that
>>> resolvers and authoritative servers tend to be completely separate entities
>>> these days.
>>> >
>>> > This also begs the question, why create that restriction at all? Why
>>> must Authoritative Servers not answer those queries? The draft also states
>>> that "if the resolver can be configured to also be authoritative for some
>>> zones, it can use that configuration to actually be authoritative for the
>>> addresses on which it responds.” Which seems to contradict the previous
>>> MUST NOT - surely this is an implementation detail that should not be
>>> mentioned in an IETF draft?
>>> >
>>> > Neil Cook
>>> >
>>> >> On 19 Aug 2019, at 20:28, wrote:
>>> >>
>>> >>
>>> >> A New Internet-Draft is available from the on-line Internet-Drafts
>>> directories.
>>> >> This draft is a work item of the Domain Name System Operations WG of
>>> the IETF.
>>> >>
>>> >>       Title           : DNS Resolver Information Self-publication
>>> >>       Authors         : Puneet Sood
>>> >>                         Roy Arends
>>> >>                         Paul Hoffman
>>> >>      Filename        : draft-ietf-dnsop-resolver-information-00.txt
>>> >>      Pages           : 9
>>> >>      Date            : 2019-08-19
>>> >>
>>> >> Abstract:
>>> >>  This document describes methods for DNS resolvers to self-publish
>>> >>  information about themselves, such as whether they perform DNSSEC
>>> >>  validation or are available over transports other than what is
>>> >>  defined in RFC 1035.  The information is returned as a JSON object.
>>> >>  The names in this object are defined in an IANA registry that allows
>>> >>  for light-weight registration.  Applications and operating systems
>>> >>  can use the methods defined here to get the information from
>>> >>  resolvers in order to make choices about how to send future queries
>>> >>  to those resolvers.
>>> >>
>>> >>
>>> >> The IETF datatracker status page for this draft is:
>>> >>
>>> >>
>>> >> There are also htmlized versions available at:
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> Please note that it may take a couple of minutes from the time of
>>> submission
>>> >> until the htmlized version and diff are available at
>>> >>
>>> >> Internet-Drafts are also available by anonymous FTP at:
>>> >>
>>> >>
>>> >
>>> _______________________________________________
>>> DNSOP mailing list
>> _______________________________________________
>> DNSOP mailing list
> _______________________________________________
> DNSOP mailing list