Re: [DNSOP] DNSOPWorking Group Last call for draft-ietf-dnsop-dns-error-reporting
Roy Arends <roy@dnss.ec> Fri, 16 June 2023 14:12 UTC
Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 470F7C14CE4A for <dnsop@ietfa.amsl.com>; Fri, 16 Jun 2023 07:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h8gowXZu-AaQ for <dnsop@ietfa.amsl.com>; Fri, 16 Jun 2023 07:12:46 -0700 (PDT)
Received: from mail-wr1-x444.google.com (mail-wr1-x444.google.com [IPv6:2a00:1450:4864:20::444]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 569B3C14CE36 for <dnsop@ietf.org>; Fri, 16 Jun 2023 07:12:44 -0700 (PDT)
Received: by mail-wr1-x444.google.com with SMTP id ffacd0b85a97d-31126037f41so274299f8f.2 for <dnsop@ietf.org>; Fri, 16 Jun 2023 07:12:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; t=1686924762; x=1689516762; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=tnWEQRdz1jtLXZnm41Tr9QaB6AX4Ons8HTbaTtdX0Jk=; b=W9WuPtaV/l6T0Cqcq0BXpOd9SytdLVE5KeiH9h4g4KKZwgHS+28U15lj/xufjnmHfR 5eJvaTTQBh3ZTypMzxjNZhMfE8RifXbDirzZoEK+V6NLfnzuQZ2hq7OUzKHC5h1MCLGX xfaev4yciSiVUo98E4YViGOkJXqcM3bDeHQEg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686924762; x=1689516762; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=tnWEQRdz1jtLXZnm41Tr9QaB6AX4Ons8HTbaTtdX0Jk=; b=G1QagBcheqstKjFBudpSFEFuAh2AlKtnkMIVA2P9sciGo//1pw/5YU8+S42tb6T0nS 7RSV0lruxuqOUOapesFyumlFwBUXcfkti4mGlPcpwbtLglnDIwiQflmxXp7TGGGckXkr 4LsYvjp1Y0YFu6Xoctbw1d69Q/PjSydH7Be6bbR/K4RRaLS97QP3ICbkL4SUfhCDI50O /87LqaBBaT+sapt/m6oGS8f7OdBE+vgy30pXCgCpFgatUy62I1j3q31+cKaOVyKcRYPt WFZSKkp6lj9Cj0xEbDM2KU8AR/tPWAuWScQKXzdwHMKhLnuK0wIIVLMcu7QkP9rzJTh8 3lew==
X-Gm-Message-State: AC+VfDxlV7Q2/Ydf917XNT8BsArE7INgelva/FKVi/8GJwtARjVjmSD0 9GfklN2E7N296DORFwdtqb6IgA==
X-Google-Smtp-Source: ACHHUZ4Nho8ZIn/ThuQ0MtRefdNDqy4KhzfQIPrmFLDTEB/w+36rx713atEfLGeA5DBXPa6oe+Brmw==
X-Received: by 2002:a5d:5305:0:b0:30a:8e83:5b1a with SMTP id e5-20020a5d5305000000b0030a8e835b1amr1797905wrv.13.1686924762215; Fri, 16 Jun 2023 07:12:42 -0700 (PDT)
Received: from smtpclient.apple ([89.33.15.144]) by smtp.gmail.com with ESMTPSA id f13-20020a056000036d00b0030aefa3a957sm23758748wrf.28.2023.06.16.07.12.41 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 16 Jun 2023 07:12:41 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <ybly1kswsrq.fsf@wx.hardakers.net>
Date: Fri, 16 Jun 2023 15:12:29 +0100
Cc: Benno Overeinder <benno@NLnetLabs.nl>, DNSOP Working Group <dnsop@ietf.org>, DNSOP Chairs <dnsop-chairs@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <504D8E15-981A-4C18-AC47-E8E761DF7495@dnss.ec>
References: <fa6ec641-0eab-dec6-2267-3ca818402812@NLnetLabs.nl> <ybly1kswsrq.fsf@wx.hardakers.net>
To: Wes Hardaker <wjhns1@hardakers.net>
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/tjvNbDgNJrHXH_mWxXv5qT44Ue4>
Subject: Re: [DNSOP] DNSOPWorking Group Last call for draft-ietf-dnsop-dns-error-reporting
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2023 14:12:50 -0000
> On 9 Jun 2023, at 16:38, Wes Hardaker <wjhns1@hardakers.net> wrote: > > Benno Overeinder <benno@NLnetLabs.nl> writes: > >> This starts a Working Group Last Call for: >> draft-ietf-dnsop-dns-error-reporting. > > Overall: I support the publication of this document and believe it is a > good addition to the DNS specifications. > > Some suggestions: > > - section 1: "reported via social media" -> "report via E-Mail or social > media" -- anyone subscribed to dns-operations and various *og lists > will know that a lot of errors are reported to operational communities > over email. Ack. Will add. > - Terminology: Why is a reporting resolver listed as validating here? > From what I can tell from the rest of the document, this should be a > more generic reporting mechanism even if the examples are DNSSEC > related. The EDE document has many errors that have nothing to do > with DNSSEC (filtering being one example). Ack. Will remove the term. > - Terminology: Report Query's last sentence is hard to read. Maybe "The > content of the error report is encoded in the QNAME of a DNS request > to the reporting agent." Better. Will change. > - TBD: Terminology: Monitoring agent: I'm not sure that the monitoring agent > has to respond or not? The monitoring agent has to respond. This will dampen the amount of subsequent requests if the reporting resolver caches the response. That is a good thing. Leaving a request without a response may cause timeouts and re-querying, eating up resources. Thanks for the heads-up, will make it clear! > - Terminology: Agent Domain isn't really describing what the agent > domain actually is used for, but rather just where it's encoded. How > about "A domain name which is returned in the DNS Error Reporting > EDNS0 option that indicates where DNS resolvers can send error reports." Better. > - section 5: option-code "indicates error reporting support is TBD". I > suggest it would more clearly understood if it included a reference to > the fact it's an EDNS0 code: "an EDNS0 code that is used in an EDNS0 > option to indicate support for error reporting. The name for this > EDNS0 option code is Report-Channel" Ack. Better. Will change. > - 6.1 reporting resolver specification: "The EDNS0 report channel option > MUST NOT be included in queries" -- above you label it as > "Report-Channel" and I suggest you be consistent with the usage > everywhere (I didn't check if "report channel" in lower case with a > space exists elsewhere too) Will make it consistent. > - 6.2: I'm not sure the reason behind this requirement. Why would it > matter if more than one agent supported *receiving* reports? I think > the real requirement should be that authoritative servers SHOULD only > send a single reporting agent to a client and thus only a single > Reporting Channel EDNS0 option. (I could even argue this should be a > MUST.) But on the server side (either the authoritative server or the > report-receiving authoritative server) I don't see the point in > putting this restriction on them. Ack. The intent was always to have a single agent domain in a response, not more. I “translated” this requirement back to simply have a single one per zone, to avoid the specification of a selection algorithm that specifies which agent domain (if there is more than one) to send back. > - security considerations: In the last paragraph I'd mention that there > is a concern that large measurement query networks (RIPE atlas) or > bot-networks could misuse this and likely achieve an amplification > attack against a name put in the reporting option. I actually wonder > if it would be good to put in a time-bound rate limit to the number of > error reports that should be sent anywhere as I have concerns that > this could be too easily misused and caching may not be a completely > sufficient mitigation. That, IMHO is already captured by the last paragraph. I did not explicitly write a recipe of how to do that, and which servers could be used for that :-). Could you suggest text to improve the last paragraph without naming services? Thanks Wes, this is really helpful and much appreciated. Warmly, Roy > > -- > Wes Hardaker > USC/ISI > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Working Group Last call for draft-ietf-dn… Benno Overeinder
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Wes Hardaker
- Re: [DNSOP] Working Group Last call for draft-iet… Benno Overeinder
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Willem Toorop
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Paul Wouters
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Wes Hardaker
- Re: [DNSOP] Working Group Last call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Benno Overeinder
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends