IETF Logo Mail Archive

[DNSOP] Re: Paul Wouters' Discuss on draft-ietf-dnsop-zoneversion-08: (with DISCUSS and COMMENT)

Paul Wouters <paul.wouters@aiven.io> Tue, 18 June 2024 19:21 UTC

Return-Path: <paul.wouters@aiven.io>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92B50C1D876D for <dnsop@ietfa.amsl.com>; Tue, 18 Jun 2024 12:21:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pr0RntlvliKR for <dnsop@ietfa.amsl.com>; Tue, 18 Jun 2024 12:21:22 -0700 (PDT)
Received: from mail-ed1-x52a.google.com (mail-ed1-x52a.google.com [IPv6:2a00:1450:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48883C1D876A for <dnsop@ietf.org>; Tue, 18 Jun 2024 12:21:22 -0700 (PDT)
Received: by mail-ed1-x52a.google.com with SMTP id 4fb4d7f45d1cf-57d044aa5beso957614a12.2 for <dnsop@ietf.org>; Tue, 18 Jun 2024 12:21:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; t=1718738480; x=1719343280; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qhpZw+oZT1ZlWIbvMM+i0xQ7Hc15D+ZxiaOGkTgpaoQ=; b=aqW0QhSrnbwzVlK0hr3JO+NvzIl3qOiU4Ng5b/GK92RsDIOKlTvwzyyeVssmHgB1aX M+TVqpJ27f6tDYB5EnGNQL9v38+RT20mbNj1oWjqbuqkiGRfvp4YUhhhJXlEwA7ESFVL goyuL7tnvQElnwkdL/7Z42u3Et2u1xzU5gyvA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718738480; x=1719343280; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qhpZw+oZT1ZlWIbvMM+i0xQ7Hc15D+ZxiaOGkTgpaoQ=; b=LlPj4PP9dWc9acSN6r+wSB20/P37tEbv5BiM/d+AngLh7tdBH8AmtqQv/CvVrAg25o 6nrfDNTVhcIiIZcQCkWlX3J8NgVcKS0ainqAuLYIpk1M6hSjK7N1s0IkRt94WboIa7HC 482eXymv8Ld3djQBe1De1PQhDukAGvjajNdwIDSJ0vooalL9vhlB8cfyJlWcvFPccVz1 Bz7WJOoNBNry4UGqdzL7GpNl8hlEfDRWxsS3ffD0JP9/BEvqDsGlR10gKlPO26/Ivt1J RiXKI1kGVm9sJHIwGSlk7O6m29YXju43VE/+jAMMkmIgA9EJA/LVcni3D8s8MuSZ1Txa 0W8g==
X-Forwarded-Encrypted: i=1; AJvYcCXfB9j9yBEjdR/h55EL1m7vbNhoVeRgirPllEHGGEcoeFQorv2gnOjwhKicTWJcZpbD62e7QVYhRFeoSWPrSQ==
X-Gm-Message-State: AOJu0Yw8v4NFjfylZy0xmtpdwp+A7Bi77g0x0rO3t9WqIUzuKPWutXGb vDvhJ1Y2fGUCa7dfm5xE07aReCZVad5NFsduoG4rF1emVUYIRk26ojdJ2FwNEgq/24P5zx9sdZb xprZjLErrygjpU2jsMAGuK087eBpp9s4IqSTB6w==
X-Google-Smtp-Source: AGHT+IEE3VH/VkVHjKzUWTRw6BJdegt5lwgu1oWfbz2aQnAIZ/FZqZR5SEzDwKt1jX4HKby5/YmSMTII6rvSqAstJsU=
X-Received: by 2002:a50:ba85:0:b0:57c:61a2:ed47 with SMTP id 4fb4d7f45d1cf-57d07e6b664mr214719a12.24.1718738480052; Tue, 18 Jun 2024 12:21:20 -0700 (PDT)
MIME-Version: 1.0
References: <171866661003.804.6572056160990742967@ietfa.amsl.com> <3BED375B-86EA-444E-9604-C4C9D5321DA6@verisign.com>
In-Reply-To: <3BED375B-86EA-444E-9604-C4C9D5321DA6@verisign.com>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Tue, 18 Jun 2024 15:21:08 -0400
Message-ID: <CAGL5yWYYcYSxTJsyeRJWgH7-ch9hy-Fi504vAuJrqK+XXbsu_Q@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Content-Type: multipart/alternative; boundary="0000000000009130ca061b2efcfa"
Message-ID-Hash: VDTKVLYWE5JM4KENLX2BHRS5AK2PYMIM
X-Message-ID-Hash: VDTKVLYWE5JM4KENLX2BHRS5AK2PYMIM
X-MailFrom: paul.wouters@aiven.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-zoneversion@ietf.org" <draft-ietf-dnsop-zoneversion@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>, "tjw.ietf@gmail.com" <tjw.ietf@gmail.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Paul Wouters' Discuss on draft-ietf-dnsop-zoneversion-08: (with DISCUSS and COMMENT)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wQFkHuH2fJUttJt3kLpziRy33Fk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Tue, Jun 18, 2024 at 1:40 PM Wessels, Duane <dwessels@verisign.com>
wrote:

> Hi Paul, thanks for the review.  Comments inline…
>
>
>
> > On Jun 17, 2024, at 4:23 PM, Paul Wouters via Datatracker <
> noreply@ietf.org> wrote:
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > Just a few hopefully minor issues to talk about.
> >
> > In section 3.2, why is NXDOMAIN not listed? When asking for "
> foobar.nohats.ca",
> > couldn't it be useful to get the zone version, if the nameserver is
> > authoritative for "nohats.ca" and has no delegation for "
> foobar.nohats.ca." ?
>
> The intention certainly is for a server to return zone version information
> in
> an NXDOMAIN response.  Would this change to the start of 3.2 address your
> concern?
>
> OLD:
> A name server that … is authoritative for the original QNAME,
>
> NEW:
> A name server that … is authoritative for the zone of the original QNAME,
>
> Or would you also like to see NXDOMAIN specifically mentioned like this?
>
>    A name server SHOULD include zone version information in a name error
>    (NXDOMAIN) response, even though the response does not include any
>    Answer section RRs.
>

If you call out NODATA, I think for clarity you should call out NXDOMAIN as
well. Perhaps the
text for both can be conbined in a single sentence/paragraph?


> > What should an authoritative nameserver return as zone version if it is
> > configured as authoritative nameserver but can't get the zone version (eg
> > because "no permission to read file")  One way would be to allow it to
> return
> > a zero length for ANY type and define that as an error condition.
>
> I think the authors will need to discuss how to handle error conditions
> like this
> and get back to you.
>

Ok.


>
> >
> > It seems DNAMEs could lead to involving two or more zones the nameserver
> is
> > authoritative for. How should this be handled? Only use the first DNAME's
> > zone's version?
>
> I don’t see the issue.  The version corresponds to the QNAME zone (and is
> type agnostic).
> It doesn’t depend on Answer RR names.
>

Oh, you are right. It's not the job of the authoritative server to follow
the DNAME, so there is
just one zone and one zone version and so there is no issue. I was wrong,
thanks :)



> One thing we could do is allow multiple ZONEVERSIONs as long as
> (TYPE,LABELCOUNT)
> remains unique.  Then the server could return multiple zone versions if it
> happens to be authoritative for multiple zones of the QNAME.
>

I thought about that as solution but since DNAME's could end up being
chained, the label
count is not guaranteed to be different for all entries in the chain. But
anyway, you convinced
me no issue exists surrounding DNAME,


> > The type leaves no room for proprietary (or somehow encrypted) zone
> versions,
> > as the DE advise states:
> >
> >        In particular the reference should state clear instructions for
> >        implementers about the syntax and semantic of the data
> >
> > If you did not mean to exclude encrypted zone version data, perhaps
> clarify
> > the advise to the DE? Or are those deployments meant to use the
> > "local/experimental" use, in which case calling it "private use" might be
> > better?
> >
> > Have you considered leaving a small initial space for "RFC Required"
> policy?
> > Eg 0-15 ?  With only 253 types available, I'd feel happier with that,
> > especially if this supports proprietary types.
>
> Does changing the range 246-254 from “experimental” to “private use”
> sufficiently address your concern about proprietary types?
>

That would address my rannge concern yes. It still leaves the issue of
"syntax and emantic". eg, want
if I submit a template for:

TYPE:  NOHATS
Value: An encrypted opague blob containing proprietary information that can
be returned to the operator
           of the nameserver.

If we get 15 vendors doing this, would they use their own type? Or should
the draft document a special
type for this use, eg TYPE: OPAQUE and make everyone who wants to hide
stuff to use the OPAQUE type?


> > Should implementers be warned not to blindly copy this EDNS(0)
> > options from the query of a DNS client onwards? Doing this could cause
> > amplification attacks if some server uses a non-SOA-SERIAL type with a
> > long length.
>
> How’s this (inspired by RFC 5001 NSID)?
>
> 3.2.1.  ZONEVERSION Is Not Transitive
>
>    The ZONEVERSION option is not transitive.  A name server (recursive
>    or otherwise) MUST NOT blindly copy the ZONEVERSION option from a
>    query it receives into a subsquent query that it sends onward to
>    another server.  A name server MUST NOT send a ZONEVERSION option
>    back to a client which did not request it.
>

Perfect!

>       A name server SHOULD include zone version information for
> >
> > Can this be rephrased as:
> >
> >        When asked for a zone version, a responding name server SHOULD
> >        include zone version information for [...]
> >
> > Just to avoid implementers from reading this and adding it when the DNS
> > client did not ask for it.
>
> I feel like it would be repetitive to make that change all the times we
> say “A name server SHOULD include…”. How about this change to the start of
> 3.2
> (item (b) new):
>
>    A name server that (a) understands the ZONEVERSION option, (b)
>    receives a query with the ZONEVERSION option, (c) is authoritative
>    for the zone of the original QNAME, and (d) chooses to honor a
>

Sounds good!


>
>
> >
> >
> >        The OPTION-LENGTH for this type MUST be set to 6 in responses.
> >
> > Maybe say:
> >
> >        The EDNS(0) OPTION-LENGTH for this type MUST be set to 6 in
> >        responses.
>
> Done.
>

Thanks!


>
> >
> >
> > My OCD triggers on these unbalanced parentices:
> >
> >        ; ZONEVERSION: 02 00 78 95 a4 e9 ("SOA-SERIAL: 2023073001
> (example.com.)")
> >
> > (note it seemed to render badly in my browser, but copy&paste seemed to
> fix it again?)
>
> I’m not sure what you saw but maybe its better to remove the quotes there.
>

It might have been wrapping / cut on the view due to larger than average
font to compensate for
worse than average eye sight.


>
> >
> > The example dig command should have +norecurse :)
>
> Done
>

:)


>
> >
> > Why does the example contain an AUTHORITY SECTION for an AA answer
> > with data? Seems .com does that but other nameservers I tested do
> > not (eg nohats.ca or .nl). This makes it a bit unclear if the setting
> > of zoneversion requires that the Authority Section is included. Maybe
> > a clarifying note can be added? I assume this related to query
> minimalization?
> >
>
> I think this is just the effect of “minimal-responses” feature available
> in some implementations?
>

I think so too. Just wondering if this would lead to confusion where people
might
think ZONEVERSION requires an Authoritative Section?

Paul

v2.37.1 | Report a Bug | By Email | System Status