[DNSOP] draft-sah-resolver-information and forwarding topologies

Ben Schwartz <bemasc@google.com> Tue, 16 July 2019 20:34 UTC

References: <F00B09EC-24D8-40C1-8A6C-86C2FD63A062@icann.org> <A6531A7F-1D7E-4598-A102-34415BEF5B97@fl1ger.de> <EB48B718-D77F-40E5-A571-DD5DD3D2D032@icann.org> <5858D79F-AF7B-42A4-84A1-C89BF8D59CD7@fl1ger.de>
In-Reply-To: <5858D79F-AF7B-42A4-84A1-C89BF8D59CD7@fl1ger.de>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 16 Jul 2019 16:34:41 -0400
Message-ID: <CAHbrMsD1kOGMvsMufM3w9_5z0a5vz36ZnAF0rHAwDVo0VYKy1A@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/w8XB7XLO88xBM6fjsGZ-7pK9V9M>
Subject: [DNSOP] draft-sah-resolver-information and forwarding topologies

On Sun, Jun 30, 2019 at 4:09 AM Ralf Weber <dns@fl1ger.de> wrote:

> On 30 Jun 2019, at 1:01, Paul Hoffman wrote:
> >> Should there be a fallback (TXT)?
> >
> > I'm not sure how that would help if it can't be configured due to
> > address issues.
> DNS proxies can forward stuff and you could put wildcard answers on the
> link local/RFC1918 addresses. So you could actually make it work.
This is an interesting idea, but plenty of forwarders aren't on RFC 1918
addresses.  To work through forwarders and complex server deployments, I
think we would have to go even further, e.g. recommending that
participating resolvers respond to _all_ RESINFO queries, whether or not
the address matches their own.

If that doesn't seem appealing, I think we'd be better off reverting to the
"-00" draft's approach of using "resolver-info.arpa".  The change to
<rev-ip>.in-addr.arpa was made to enable secure validation of the resolver
info, in cases where the original IP address was delivered securely (i.e.
trusted DHCP).  For those use cases, I think we would be better off
defining a DHCP option to deliver the I-JSON blob over DHCP alongside the
IP address.

--Ben