Re: [DNSOP] Consensus check on underscore names and draft-ietf-dnsop-rfc7816bis

Petr Špaček <pspacek@isc.org> Tue, 13 July 2021 10:22 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A15D3A11EF; Tue, 13 Jul 2021 03:22:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b=lyOu8Cg7; dkim=pass (1024-bit key) header.d=isc.org header.b=GogoBJR+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id psc6JxlIqK_g; Tue, 13 Jul 2021 03:22:06 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA6793A11EA; Tue, 13 Jul 2021 03:22:05 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 0FACA3AB023; Tue, 13 Jul 2021 10:22:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1626171725; bh=HOv7W53E10TVrLLcwGoUv8uLefdZTRSMDqyeP8RB+PM=; h=Subject:To:Cc:References:From:Date:In-Reply-To; b=lyOu8Cg7UeNaYI4keP5R+JCTl60VjCptafb9D5ZJ//OYcnz0kZaPdjvhBcCWmFeh5 RdRL90DGlciu4VIvuSonykqIGIZ+aA/pjKZkKtP2gjsxWfZ/oxA7sDVxbDB2Z7fbPx nNHuTtmfzPZltIdgFK+efZZLOsv7db2a1RQP/azM=
Received: from zmx1.isc.org (localhost.localdomain [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id ABC4016006D; Tue, 13 Jul 2021 10:22:04 +0000 (UTC)
Received: from localhost (localhost.localdomain [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 688C4160046; Tue, 13 Jul 2021 10:22:04 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.9.2 zmx1.isc.org 688C4160046
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1626171724; bh=0dFooDT6LTy0fkMlBPghCIC7U727vvljCNqcsJ3U8rQ=; h=Subject:To:From:Message-ID:Date:MIME-Version:Content-Type: Content-Transfer-Encoding; b=GogoBJR+R3JQAvnQOQDymMtBYncH8cFYfA4nbTb5+9/ay8vjVA0uPxzZx2YDX9Y6Z LVifTGMuMhhPIGUV7WnApUQ8JetUvjEon/v53mugavmnesdtcFRgT0H0n88ixvbG/G 0YEFFU2pLI/6s/2Swwef1tx27RiS3iiot81f+8MQ=
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Hm3OizFEA_ph; Tue, 13 Jul 2021 10:22:04 +0000 (UTC)
Received: from [192.168.1.86] (ip-94-113-163-223.net.upcbroadband.cz [94.113.163.223]) by zmx1.isc.org (Postfix) with ESMTPSA id EA21B160079; Tue, 13 Jul 2021 10:22:02 +0000 (UTC)
To: Brian Dickson <brian.peter.dickson@gmail.com>
Cc: Warren Kumari <warren@kumari.net>, dnsop <dnsop@ietf.org>, DNSOP-Chairs <dnsop-chairs@ietf.org>
References: <CAHw9_iKhvHwUfJMOp-YhJkimmnN0f3DLbh+JWYxhCiZ9CjEEQQ@mail.gmail.com> <0ed6efa6-c981-fa64-472c-eef0c5453f4a@isc.org> <CAH1iCipP2C0fPgFYBGeR3Esvzf4eMxVv+EJKgKkfSiVX3MCqnA@mail.gmail.com> <c225cb3d-7682-4bf0-831d-c841540d1f74@isc.org> <CAH1iCirP64PV1a7mAqUgi0mrg05WJySy8jq62HiEUuftQEF2TA@mail.gmail.com>
From: =?UTF-8?B?UGV0ciDFoHBhxI1law==?= <pspacek@isc.org>
Message-ID: <832f7712-1dc3-e563-f98e-8ec0ede25577@isc.org>
Date: Tue, 13 Jul 2021 12:22:01 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <CAH1iCirP64PV1a7mAqUgi0mrg05WJySy8jq62HiEUuftQEF2TA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/teX4weW7uNRUcJZ4FwudDXDW5dY>
Subject: Re: [DNSOP] Consensus check on underscore names and draft-ietf-dnsop-rfc7816bis
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jul 2021 10:22:11 -0000

On 13. 07. 21 0:13, Brian Dickson wrote:
> 
> 
> On Mon, Jul 12, 2021 at 2:20 AM Petr Špaček <pspacek@isc.org 
> <mailto:pspacek@isc.org>> wrote:
> 
>     On 08. 07. 21 18:15, Brian Dickson wrote:
>      >
>      >
>      > On Thu, Jul 8, 2021 at 7:29 AM Petr Špaček <pspacek@isc.org
>     <mailto:pspacek@isc.org>
>      > <mailto:pspacek@isc.org <mailto:pspacek@isc.org>>> wrote:
>      >
>      >     On 07. 07. 21 19:54, Warren Kumari wrote:
>      >      > Hi there all,
>      >      >
>      >      > I wanted to check the consensus on a point brought up
>     during IETF
>      >     LC /
>      >      > OpsDir review of draft-ietf-dnsop-rfc7816bis.
>      >      >
>      >      > Please see:
>      >      >
>      >
>     https://mailarchive.ietf.org/arch/msg/last-call/fuDyx2as6QsK8CT_7Nvci5d7XQQ/
>     <https://mailarchive.ietf.org/arch/msg/last-call/fuDyx2as6QsK8CT_7Nvci5d7XQQ/>
>      >   
>       <https://mailarchive.ietf.org/arch/msg/last-call/fuDyx2as6QsK8CT_7Nvci5d7XQQ/ <https://mailarchive.ietf.org/arch/msg/last-call/fuDyx2as6QsK8CT_7Nvci5d7XQQ/>>
>      >      > and
>      >      >
>      >
>     https://mailarchive.ietf.org/arch/msg/dnsop/_H4aM5AquCSRlz0Pz3ncwl7Plpk/
>     <https://mailarchive.ietf.org/arch/msg/dnsop/_H4aM5AquCSRlz0Pz3ncwl7Plpk/>
>      >   
>       <https://mailarchive.ietf.org/arch/msg/dnsop/_H4aM5AquCSRlz0Pz3ncwl7Plpk/ <https://mailarchive.ietf.org/arch/msg/dnsop/_H4aM5AquCSRlz0Pz3ncwl7Plpk/>>
>      >      >
>      >      > If resolving " _ldap._tcp.ad.example.com
>     <http://tcp.ad.example.com>
>      >     <http://tcp.ad.example.com <http://tcp.ad.example.com>>",
>     once you hit the _tcp label
>      >      > you are quite likely in ENT territory, and some
>     implementations
>      >      > (especially those behind firewalls / middleboxes) are
>     still broken.
>      >      > There is also a performance hit.
>      >      >
>      >      > Version 10 of the document added:
>      >      > "Another potential, optional mechanism for limiting the
>     number of
>      >      > queries is to assume that labels that begin with an
>     underscore (_)
>      >      > character do not represent privacy-relevant administrative
>      >      > boundaries. For example, if the QNAME is
>      >     "_25._tcp.mail.example.org <http://tcp.mail.example.org>
>     <http://tcp.mail.example.org <http://tcp.mail.example.org>>"
>      >      > and the algorithm has already searched for
>     "mail.example.org <http://mail.example.org>
>      >     <http://mail.example.org <http://mail.example.org>>", the
>      >      > next query can be for all the underscore-prefixed names
>     together,
>      >      > namely "_25._tcp.mail.example.org
>     <http://tcp.mail.example.org> <http://tcp.mail.example.org
>     <http://tcp.mail.example.org>>"."
>      >      >
>      >      > (unsurprisingly the document does a much better job of
>     explaining the
>      >      > issue than I did :-))
>      >      >
>      >      > Viktor is suggesting that QNAME Minimization should be
>     stopped when
>      >      > you run into an underscore ("_") label, instead of this
>     being worded
>      >      > as a potential, optional mechanism.
>      >      >
>      >      > Obviously there is a tradeoff here -- privacy vs deployment.
>      >      > 1: while it's **possible** that there is a delegation
>     point at the
>      >      > underscore label, (IMO) it is unlikely. If there is no
>      >     delegation, you
>      >      > will simply be coming back to the same server again and
>     again, and so
>      >      > you are not leaking privacy sensitive information.
>      >      >
>      >      > 2: some recursives are less likely to enable QNAME
>     minimization
>      >      > because of the non-zero ENT and slight performance issues.
>      >      >
>      >      > What does the WG think? Does the privacy win of getting
>     this deployed
>      >      > and enabled sooner outweigh the potential small leak if
>     there *is* a
>      >      > delegation inside the _ territory of the name?
>      >      >
>      >      > Should the advice above be strengthened to SHOULD /
>     RECOMMENDED?
>      >
>      >     With my implementer hat on, I say "no", I don't see a
>     compelling reason
>      >     to "mandate" it.
>      >
>      >
>      > Did you actually read what Viktor wrote?
> 
>     Of course, I did, and I'm not too fond of the tone you used above.
>     Let's
>     skip to the constructive part, please.
> 
> 
> Let me start by apologizing to you (and the group) for the tone (whether 
> intended or not).
> (I was literally inquiring as opposed to intending to having tone.)
> 
> 
> 
>       > It is a known fact that there ARE implementations where ENT
>     handling (on
>       > the authoritative side) are broken.
> 
>     I agree that there are some, but anecdotal evidence of existence tells
>     us nothing about
>     a) prevalence
>     b) significance of these broken auths and domains hosted on them.
>     AFAIK both of these are parameters taken into account by resolver
>     vendors when deciding what types of non-compliance need to be worked
>     around.
> 
> 
> So, let me counter by illustrating the scope of the problem, if it 
> occurs, and the challenges created depending on whether or not any 
> work-around is RECOMMENDED, or not.

I'm sorry for not replying in full, but I think it's more efficient this 
way:

I agree that DNS is complex and has tons of failure modes, but this 
specific case does not seem special enough to me to warrant special 
treatment.

As Viktor pointed out in 
https://mailarchive.ietf.org/arch/msg/dnsop/w7JBD4czpGKr46v-DlycGbOv9zs/ 
, it seems that this problem plagues roughly tens out of 150k domains he 
surveyed. I think this makes further discussion about _necessity_ of the 
workaround kind of moot.

This leaves us with performance optimization, to which I replied already 
in 
https://mailarchive.ietf.org/arch/msg/dnsop/h9BlBI0hQ0MtDAQAK_s8Tmj2bUc/ .

Thank you for your time.
Petr Špaček @ ISC


> 
> This is specifically concerned only with underscore names which are 
> registered with IANA, and the implications of ENT-based resolution errors.
> For reference, the list is published here: 
> https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#underscored-globally-scoped-dns-node-names 
> <https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#underscored-globally-scoped-dns-node-names>
> 
> Not all entries in the underscore table have the same degree of 
> utilization, or relevance, etc.
> 
> The ones that jump out from that list, as well as not-yet-published 
> entries, at least in my opinion, are:
> 
>   * TLSA
>   * SVCB
>   * DMARC
>   * DKIM
>   * ACME
>   * validation-contactemail
>   * validation-contactphone
>   * SPF use of _spf
>   * X.509 URIs
>   * DNS SD
> 
> The reason I'm interested in ensuring that the REASON (rationale) 
> matches the CHOICE we make in the WG, is precisely that the collective 
> knowledge about the deployment prevalence and issues is little better 
> than anecdotal.
> And, that the impact of picking one (MAY vs SHOULD) might affect lots of 
> other applications and protocols.
> 
> DNS is a necessary and fundamental service, used by not only the various 
> parties (end-users and servers, zone owners) but also the services which 
> rely on the DNS itself and proper resolution of entries in the DNS.
> 
> The problem MAY be present in middle-boxes (of all sorts of functions 
> and flavors), but MAY NOT be anything under operator control, and might 
> not be easy to identify.
> The problem MAY ALSO exist in other software, firmware, or hardware, 
> which is acting as an actual DNS device (rather than multi-function 
> middlebox).
> 
> So, basically, my suggestion is, that if the WG wants to use "MAY", it 
> should ensure the guidance to implementers is clear, on what might 
> happen, and if it does, how to detect it, report it, and what 
> documentation to provide to operators/users.
> 
> The old adage of, "Never test for an error condition you don't know how 
> to handle" has relevant corollaries here:
> 
>   * If you do know how to handle an error condition, test for it and
>     handle it
>   * If you are unable to test for an error condition, maybe don't create
>     it in the first place
>   * Don't blame the victim
> 
> Examples of problems that aren't easy or even possible to fix, and may 
> not be possible to work around, include (but are not limited to):
> 
>   * Mandated services or equipment
>   * Service-provider (ISP) provided equipment
>   * Consumer-grade equipment without support
>   * Third party operators of services (e.g. DNS)
>   * MITM functionality (e.g. government-operated, or public WiFi
>     operated, or hotel service, etc)
> 
> The implications to borked stuff, based on the underscore registry 
> entries highlighted could include:
> 
>   * Loss of privacy
>   * Inability to validate certificates or to discover revoked certificates
>   * Loss of spam-prevention ability to receivers
>   * Loss of spam-prevention protection to domain owners
>   * Inability to discover services
>   * Degradation of web performance
>   * Inability to auto-renew certificates
> 
> The current text does not provide any guidance on the 
> broken-ENT-NXDOMAIN problem, and basically ignores the problem entirely.
> 
> If keeping MAY is the approach chosen, I would like to suggest that some 
> text be added to the effect that (a) the specific ENT problem may exist, 
> and (b) what to do to detect it and handle it, or whether to add a 
> "knob" to add support for operators to enable such support.
> 
> I'm not sure if Viktor has already supplied language that would work.
> 
> If not, something like this (but maybe easier to read, parse, implement, 
> etc) would be helpful:
> 
> "When doing QNAME minimization, if an iterative query whose first label 
> begins with an underscore "_", results in an NXDOMAIN, the owner name 
> may be an ENT (empty non terminal). A signed response would include a 
> proof of non-existence, and no additional action is needed in that 
> situation. However, an unsigned response MAY be treated as a possible 
> indicator of an ENT, and the algorithm MAY choose to ignore the NXDOMAIN 
> if the current QNAME is not the same as the original QNAME, and proceed 
> to the next label in the algorithm."
> 
> There is a difference between mandating workarounds, and supporting use 
> cases where the impacted party is not in a position to change the 
> outcome of failed DNS resolution.
> 
> Brian
> 
> P.S. I am genuinely interested in what implementers plan on doing, 
> regardless of whether that is mandated or not. If anyone is willing to 
> share, please do so.
> 
> 
>     I'm arguing against mandating workarounds. The recommendation might be
>     sound in 2021, but that's not a good enough reason for me to mandate it
>     as it might change next month when one major player fixes its
>     deployment.
> 
> 
>     Historical context:
>     Based on experience with Knot Resolver, various workarounds present in
>     older resolver implementations were not "needed" by the time Knot
>     Resolver came about. Multiple types of formerly-prevalent protocol
>     non-compliance became so marginal that it was not worth the complexity
>     to implement and maintain workarounds for them anymore.
> 
> 
> 
>       > Given that the vast majority of the first underscore queries
>     would be
>       > hitting ENTs, this would seem to me, at least, to be compelling.
>       >
>       > Why would you not strongly suggest to other implementers to
>     avoid this
>       > problem (by stopping the QNAME minimization)?
> 
>     When you reach this line, I think it should be clear that I consider
>     this a wrong question. We should be asking why RFC should mandate a
>     workaround that might get obsolete in an inestimable amount of time.
> 
>     Need for workarounds changes, and for this reason I don't consider RFCs
>     to be a good place to _mandate_ workarounds which are by definition
>     dependent on current (and constantly changing) situation. (To be clear,
>     describing workarounds without mandate is fine with me!)
> 
>     I hope it clears up why I'm against mandating this.
> 
>     Petr Špaček @ ISC
>