IETF Logo Mail Archive

Re: [DNSOP] DNSOPWorking Group Last call for draft-ietf-dnsop-dns-error-reporting

Roy Arends <roy@dnss.ec> Fri, 16 June 2023 14:12 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 470F7C14CE4A for <dnsop@ietfa.amsl.com>; Fri, 16 Jun 2023 07:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h8gowXZu-AaQ for <dnsop@ietfa.amsl.com>; Fri, 16 Jun 2023 07:12:46 -0700 (PDT)
Received: from mail-wr1-x444.google.com (mail-wr1-x444.google.com [IPv6:2a00:1450:4864:20::444]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 569B3C14CE36 for <dnsop@ietf.org>; Fri, 16 Jun 2023 07:12:44 -0700 (PDT)
Received: by mail-wr1-x444.google.com with SMTP id ffacd0b85a97d-31126037f41so274299f8f.2 for <dnsop@ietf.org>; Fri, 16 Jun 2023 07:12:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; t=1686924762; x=1689516762; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=tnWEQRdz1jtLXZnm41Tr9QaB6AX4Ons8HTbaTtdX0Jk=; b=W9WuPtaV/l6T0Cqcq0BXpOd9SytdLVE5KeiH9h4g4KKZwgHS+28U15lj/xufjnmHfR 5eJvaTTQBh3ZTypMzxjNZhMfE8RifXbDirzZoEK+V6NLfnzuQZ2hq7OUzKHC5h1MCLGX xfaev4yciSiVUo98E4YViGOkJXqcM3bDeHQEg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686924762; x=1689516762; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=tnWEQRdz1jtLXZnm41Tr9QaB6AX4Ons8HTbaTtdX0Jk=; b=G1QagBcheqstKjFBudpSFEFuAh2AlKtnkMIVA2P9sciGo//1pw/5YU8+S42tb6T0nS 7RSV0lruxuqOUOapesFyumlFwBUXcfkti4mGlPcpwbtLglnDIwiQflmxXp7TGGGckXkr 4LsYvjp1Y0YFu6Xoctbw1d69Q/PjSydH7Be6bbR/K4RRaLS97QP3ICbkL4SUfhCDI50O /87LqaBBaT+sapt/m6oGS8f7OdBE+vgy30pXCgCpFgatUy62I1j3q31+cKaOVyKcRYPt WFZSKkp6lj9Cj0xEbDM2KU8AR/tPWAuWScQKXzdwHMKhLnuK0wIIVLMcu7QkP9rzJTh8 3lew==
X-Gm-Message-State: AC+VfDxlV7Q2/Ydf917XNT8BsArE7INgelva/FKVi/8GJwtARjVjmSD0 9GfklN2E7N296DORFwdtqb6IgA==
X-Google-Smtp-Source: ACHHUZ4Nho8ZIn/ThuQ0MtRefdNDqy4KhzfQIPrmFLDTEB/w+36rx713atEfLGeA5DBXPa6oe+Brmw==
X-Received: by 2002:a5d:5305:0:b0:30a:8e83:5b1a with SMTP id e5-20020a5d5305000000b0030a8e835b1amr1797905wrv.13.1686924762215; Fri, 16 Jun 2023 07:12:42 -0700 (PDT)
Received: from smtpclient.apple ([89.33.15.144]) by smtp.gmail.com with ESMTPSA id f13-20020a056000036d00b0030aefa3a957sm23758748wrf.28.2023.06.16.07.12.41 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 16 Jun 2023 07:12:41 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <ybly1kswsrq.fsf@wx.hardakers.net>
Date: Fri, 16 Jun 2023 15:12:29 +0100
Cc: Benno Overeinder <benno@NLnetLabs.nl>, DNSOP Working Group <dnsop@ietf.org>, DNSOP Chairs <dnsop-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <504D8E15-981A-4C18-AC47-E8E761DF7495@dnss.ec>
References: <fa6ec641-0eab-dec6-2267-3ca818402812@NLnetLabs.nl> <ybly1kswsrq.fsf@wx.hardakers.net>
To: Wes Hardaker <wjhns1@hardakers.net>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tjvNbDgNJrHXH_mWxXv5qT44Ue4>
Subject: Re: [DNSOP] DNSOPWorking Group Last call for draft-ietf-dnsop-dns-error-reporting
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2023 14:12:50 -0000

> On 9 Jun 2023, at 16:38, Wes Hardaker <wjhns1@hardakers.net> wrote:
> 
> Benno Overeinder <benno@NLnetLabs.nl> writes:
> 
>> This starts a Working Group Last Call for:
>> draft-ietf-dnsop-dns-error-reporting.
> 
> Overall: I support the publication of this document and believe it is a
> good addition to the DNS specifications.
> 
> Some suggestions:
> 
> - section 1: "reported via social media" -> "report via E-Mail or social
>  media" -- anyone subscribed to dns-operations and various *og lists
>  will know that a lot of errors are reported to operational communities
>  over email.

Ack. Will add.

> - Terminology: Why is a reporting resolver listed as validating here?
>  From what I can tell from the rest of the document, this should be a
>  more generic reporting mechanism even if the examples are DNSSEC
>  related.  The EDE document has many errors that have nothing to do
>  with DNSSEC (filtering being one example).

Ack. Will remove the term.

> - Terminology: Report Query's last sentence is hard to read.  Maybe "The
>  content of the error report is encoded in the QNAME of a DNS request
>  to the reporting agent."

Better. Will change.

> - TBD: Terminology: Monitoring agent: I'm not sure that the monitoring agent
>  has to respond or not?

The monitoring agent has to respond. This will dampen the amount of subsequent requests if the reporting resolver caches the response. That is a good thing. Leaving a request without a response may cause timeouts and re-querying, eating up resources.

Thanks for the heads-up, will make it clear!

> - Terminology: Agent Domain isn't really describing what the agent
>  domain actually is used for, but rather just where it's encoded.  How
>  about "A domain name which is returned in the DNS Error Reporting
>  EDNS0 option that indicates where DNS resolvers can send error reports."

Better.

> - section 5: option-code "indicates error reporting support is TBD".  I
>  suggest it would more clearly understood if it included a reference to
>  the fact it's an EDNS0 code: "an EDNS0 code that is used in an EDNS0
>  option to indicate support for error reporting.  The name for this
>  EDNS0 option code is Report-Channel"

Ack. Better. Will change.

> - 6.1 reporting resolver specification: "The EDNS0 report channel option
>  MUST NOT be included in queries" -- above you label it as
>  "Report-Channel" and I suggest you be consistent with the usage
>  everywhere (I didn't check if "report channel" in lower case with a
>  space exists elsewhere too)

Will make it consistent.

> - 6.2: I'm not sure the reason behind this requirement.  Why would it
>  matter if more than one agent supported *receiving* reports?  I think
>  the real requirement should be that authoritative servers SHOULD only
>  send a single reporting agent to a client and thus only a single
>  Reporting Channel EDNS0 option.  (I could even argue this should be a
>  MUST.)  But on the server side (either the authoritative server or the
>  report-receiving authoritative server) I don't see the point in
>  putting this restriction on them.

Ack. The intent was always to have a single agent domain in a response, not more. I “translated” this requirement back to simply have a single one per zone, to avoid the specification of a selection algorithm that specifies which agent domain (if there is more than one) to send back.

> - security considerations: In the last paragraph I'd mention that there
>  is a concern that large measurement query networks (RIPE atlas) or
>  bot-networks could misuse this and likely achieve an amplification
>  attack against a name put in the reporting option.  I actually wonder
>  if it would be good to put in a time-bound rate limit to the number of
>  error reports that should be sent anywhere as I have concerns that
>  this could be too easily misused and caching may not be a completely
>  sufficient mitigation.

That, IMHO is already captured by the last paragraph. I did not explicitly write a recipe of how to do that, and which servers could be used for that :-). Could you suggest text to improve the last paragraph without naming services?

Thanks Wes, this is really helpful and much appreciated.

Warmly,

Roy

> 
> -- 
> Wes Hardaker
> USC/ISI
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email