Re: [DNSOP] Alias mode processing in auths for draft-ietf-dnsop-svcb-https-01

Mark Andrews <marka@isc.org> Wed, 05 August 2020 21:13 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6843C3A0F95 for <dnsop@ietfa.amsl.com>; Wed, 5 Aug 2020 14:13:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AFvAuVfxqLLf for <dnsop@ietfa.amsl.com>; Wed, 5 Aug 2020 14:13:53 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F14ED3A0DCC for <dnsop@ietf.org>; Wed, 5 Aug 2020 14:13:52 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id D8C173AB00A; Wed, 5 Aug 2020 21:13:52 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id CA9BF16005B; Wed, 5 Aug 2020 21:13:52 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id B8B5F160096; Wed, 5 Aug 2020 21:13:52 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id Mhpf1EO3I33P; Wed, 5 Aug 2020 21:13:52 +0000 (UTC)
Received: from [172.30.42.68] (unknown [49.2.101.160]) by zmx1.isc.org (Postfix) with ESMTPSA id 9A0FB16005B; Wed, 5 Aug 2020 21:13:51 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.6\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <cd6021e7-4aad-c2fc-e9ef-948fbeab0809@powerdns.com>
Date: Thu, 6 Aug 2020 07:13:48 +1000
Cc: Brian Dickson <brian.peter.dickson@gmail.com>, Ben Schwartz <bemasc=40google.com@dmarc.ietf.org>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8BC20DED-784F-4004-9E56-8BB2F6356FA7@isc.org>
References: <00cfd965-bf69-d1cb-2df3-1a9bb110d7e0@powerdns.com> <CAHbrMsAJ-cbcW3v4T34f8-gzgzgHSkoBO545_Y3N8D6rof7Nmw@mail.gmail.com> <CAH1iCipZ25XaES0C4MFt3+aOm=d1U5LKigJe5AwKUWG-+yETFw@mail.gmail.com> <cd6021e7-4aad-c2fc-e9ef-948fbeab0809@powerdns.com>
To: Pieter Lexis <pieter.lexis@powerdns.com>
X-Mailer: Apple Mail (2.3445.9.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/uSoyn5VD1l5IO5nAbvFyN3Ne840>
Subject: Re: [DNSOP] Alias mode processing in auths for draft-ietf-dnsop-svcb-https-01
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2020 21:13:55 -0000


> On 6 Aug 2020, at 04:51, Pieter Lexis <pieter.lexis@powerdns.com> wrote:
> 
> On 8/5/20 8:03 PM, Brian Dickson wrote:
>> 
>> 
>> On Wed, Aug 5, 2020 at 10:08 AM Ben Schwartz
>> <bemasc=40google.com@dmarc.ietf.org
>> <mailto:40google.com@dmarc.ietf.org>> wrote:
>> 
>>    On Wed, Aug 5, 2020 at 12:06 PM Pieter Lexis
>>    <pieter.lexis@powerdns.com <mailto:pieter.lexis@powerdns.com>> wrote:
>>    ...
>> 
>>    Conceptually, AliasMode is not a CNAME: it only affects SVCB queries
>>    (not other RR types), and can safely be implemented entirely as an
>>    RFC 3597 Unknown RR Type.  That suggests that it is at least safe,
>>    and perhaps least-surprising, for the authoritative server to put
>>    all responses for other owner names in the Additional section, as
>>    the current text seems to indicate fairly clearly.
>> 
>> 
>> I beg to differ, in that I would view AliasMode as a constrained CNAME.
> 
> I agree with Brian here. Compliant DNS servers (be it auth or recursor)
> MUST treat an Alias-mode SVCB (or derived) record as a CNAME for the
> purposes of processing that SVCB or derived record.
> 
> i.e. foo.example.com SVCB 0 srv1.example.net == (logically)
> foo.example.com CNAME srv1.example.com when QType = SVCB, but not for
> any other QType.
> 
>> What I would suggest is the following, paraphrased (i.e. please clean it
>> up before using in the I-D, if you agree it's the right semantics):
>> 
>>  * In-bailiwick CNAME, SVCB, A, and AAAA records SHOULD be added (and
>>    for CNAME and SVCB, in-bailiwick RDATA for those SHOULD also be
>>    iteratively processed for inclusion)
>>  * CNAME and SVCB records MUST be placed in the Answer section (because
>>    of existing CNAME rules and because of RRTYPE match to the query)
>>  * A and AAAA records MUST be placed in the Additional section (since
>>    those would not match the query RRTYPE of SVCB)
> 
> +1 to this summary. It reflects how I see the semantics of alias mode as
> well.

-Infinity. Definitely not. 

>> (I am not sure of the question/issue of including the SOA, or where that
>> would go, but I'll defer to anyone who knows or has an opinion. My gut
>> says, do whatever gets done for CNAME.)
> 
> The SOA MUST go in the packet. As a compliant resolver talking to an
> auth that does not implement SVCB will follow the chain and the auth
> will respond with NODATA (and thus the SOA).

You make a SVCB query you will get a CNAME if it exists at the QNAME, SVCB
if it exists at the QNAME or you will get NODATA if neither exists.  If you
find a CNAME you repeat at the target of the CNAME.

If the server is SVCB aware it will then process the SVCB RRset and add those
records to the additional section, if any of those trigger additional section
processing those records too get added to the additional section.  This is
consistent with STD 13 that says words to the effect of “add anything useful” (I’m
not going to look up the exact words).  The additional section rules for SVCB say
to add CNAME, SVCB, A and AAAA to the additional section.

> After reading section 4.2, I also think that a resolver that implements
> this MUST include the SOA as well if the final target has no SVCB
> record, to indicate that the answer to the actual question
> (example.com|SVCB) yielded NODATA after alias chaining. A compliant
> client can ignore the fact that the DNS says NODATA and use the A/AAAA
> records from the ADDITIONAL section (or send a query for them based on
> the final target).
> 
>> All the in-bailiwick stuff is essentially an optimization. Authority
>> servers may not implement that, and would still be compliant if they did
>> not.
>> Resolvers MUST be prepared to handle the non-inclusion of in-bailiwick
>> stuff from authority servers, as this would not be an error or violation
>> of the (eventual) RFC.
> 
> Yes.
> 
>>    P..S. The text on this point has recently
>>    changed:
> https://github.com/MikeBishop/dns-alt-svc/pull/199#discussion_r444979971.
>>    One of the questions there is what should happen for
>>    AliasMode->CNAME->ServiceMode->AAAA, all in-bailiwick.  The draft
>>    says "Clients and recursive resolvers MUST follow CNAMEs as
>>    normal.", but it no longer says anything about authoritatives.
>> 
>> 
>> IMHO, I think this is correct, or at least consistent with what I wrote
>> above. (If there are any inconsistencies, could you highlight what those
>> would be, please?)
> 
> I believe you are correct.
> 
> 
> Cheers,
> 
> Pieter
> 
> -- 
> Pieter Lexis
> PowerDNS.COM BV -- https://www.powerdns.com
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org