IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

Joe Abley <jabley@hopcount.ca> Sat, 29 July 2017 14:04 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82EAB131CCB for <dnsop@ietfa.amsl.com>; Sat, 29 Jul 2017 07:04:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.799
X-Spam-Level:
X-Spam-Status: No, score=-0.799 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DqbL95T7Svwj for <dnsop@ietfa.amsl.com>; Sat, 29 Jul 2017 07:04:10 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35ED8131822 for <dnsop@ietf.org>; Sat, 29 Jul 2017 07:04:10 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id v205so91879310itf.1 for <dnsop@ietf.org>; Sat, 29 Jul 2017 07:04:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=mNxRQFVNfl600AcOaWh9G+QsW8ckcYpiVisl7nQv3zs=; b=Tv+T70whFO4JiodYpuRSgWtONSLuvvXCPKjPYSS81M80jDLyVqSIzhLuOuvnmdwxON yLs+xUtdrhv/ArtuR85yMoR4OAD6paayI+/AlMLlb2nF0B+KPONW1pXQBQL/XIbThFID jITX2GtUykAQj6e2a8yW0MkdxXPJEMVfH/Q+Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=mNxRQFVNfl600AcOaWh9G+QsW8ckcYpiVisl7nQv3zs=; b=OQQy9KrRqnZCZCDeHGW1JqrFhqNCi27XW4PG2WgwH7tMsrj2m5oryCyDwElbwtQfgl AxwKcyXRHwnT7LmiJE6jlpJA+k4NGYyGb/UhPCd8c/7deUflSredufHYopQekbtrLQ4o qKi9lgnr4rDjMVflvpXCn0D+NGMBp750Jr8Nj5ehhXUZl+5BcJRicYzCJlrlTcBV49eO ObcRVnxw45LZAT9vHmSdS9D9j8wRA9BAcI231vlAp0yxmcEmcEWQGO/Qw7hj66TW0o5a coGu8XSXn6mxTzYH5DurMRI1pP9anltK37ZxDxO7QFqgcMrc+tipsxszLz8n1RNSKpoT c3Gg==
X-Gm-Message-State: AIVw112ECeuxdaK7vbA6ie9uyM0f7fJYpYVFkRi7aQjXmbb5mhDrvK27 vDyM6kdtX4l0xUoETyqvDg==
X-Received: by 10.36.14.201 with SMTP id 192mr12094257ite.81.1501337049005; Sat, 29 Jul 2017 07:04:09 -0700 (PDT)
Received: from ?IPv6:2607:f2c0:101:3:a02c:7b54:9191:917c? (node-131dv5a6sb193pmmpo.ipv6.teksavvy.com. [2607:f2c0:101:3:a02c:7b54:9191:917c]) by smtp.gmail.com with ESMTPSA id o131sm3290299itc.44.2017.07.29.07.04.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 29 Jul 2017 07:04:07 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Joe Abley <jabley@hopcount.ca>
X-Mailer: iPad Mail (14G60)
In-Reply-To: <53F8E12A-85F9-44F1-9CA5-F546244832D0@time-travellers.org>
Date: Sat, 29 Jul 2017 10:04:06 -0400
Cc: dnsop@ietf.org, Paul Wouters <paul@nohats.ca>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8506D4D8-E31B-4AEB-AC7E-4C89EAEEA9DC@hopcount.ca>
References: <CADyWQ+Ffu8JOn6co184PC-Uvv4G1qYU3d0ZchupRJEDDmfYKaw@mail.gmail.com> <CAJE_bqf7R7ZW5ixcZdOcaHDso+C5QbtGbz+Z1mOs+p9_C2_cAg@mail.gmail.com> <alpine.LRH.2.21.1707290851010.26738@bofh.nohats.ca> <53F8E12A-85F9-44F1-9CA5-F546244832D0@time-travellers.org>
To: Shane Kerr <shane@time-travellers.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yh3xW09yHU2yNBDEOTPFD76nHSI>
Subject: Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jul 2017 14:04:11 -0000

Hi Shane,

On Jul 29, 2017, at 09:05, Shane Kerr <shane@time-travellers.org> wrote:

> I guess that I understand your concern, but we don't have any way to authenticate servers in DNS today and we already send error messages back. 
> 
> I'm happy with error codes that are informational, but don't change client behavior. Yes, I realize that users may be tricked, but that's also the case today, right? 

In the case of validation failures, today a DNS client (of whatever kind) can receive a SERVFAIL of unknown authenticity from a resolver and has to do more work to figure out what that means. It can't just assume that there has been a validation failure upstream. Ultimately it can re-fetch records with CD=1 and do its own validation if it needs to understand the reason for the failure in detail.

The motivation for extended RCODEs is to be able to provide more fine-grained indiciations to a client than are currently provided. In the case of a conventional SERVFAIL response, for example, the client might also receive some information that further indicates that the reason for the SERVFAIL was an upstream validation failure.

It feels like there is more potential in this second case for a client to believe what it was told and avoid further checking (this is an example of your "change client behaviour"). Without an authenticated response, should we not be concerned about the threat that a bogus response from a third party system might mask an otherwise legitimate and positive response? If client behaviour is not supposed to change when you return an extended RCODE, why bother returning one?

I'm not saying this particular threat is credible or high-probability necessarily, but it seems sensible to think about this with a little more energy than "it's no worse than what we have today". Maybe the answer is to say "don't use this mechanism to indicate validation failures". Maybe there's a different approach that could accommodate signed extended responses, and writing that up from scratch is more sensible than adapting what's currently on the table. I'm not presupposing the answer, just thinking aloud.

I don't have a strong opinion about it, but it does seem reasonable to consider these kinds of things before assuming that any particular draft fits the requirements and should be adopted.

Nothing against Warren's fine draftsmanship, of course!


Joe

v2.23.0 | Report a Bug | By Email