[DNSOP] Re: Paul Wouters' Discuss on draft-ietf-dnsop-zoneversion-08: (with DISCUSS and COMMENT)

"Wessels, Duane" <dwessels@verisign.com> Tue, 18 June 2024 17:41 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0782C1D6202; Tue, 18 Jun 2024 10:41:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m32OfaOiQPgb; Tue, 18 Jun 2024 10:40:59 -0700 (PDT)
Received: from mail5.verisign.com (mail5.verisign.com [69.58.187.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC6FCC1D6207; Tue, 18 Jun 2024 10:40:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=12049; q=dns/txt; s=VRSN; t=1718732459; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=/2NevXRkUABpCapDUmqP0pFzoL5RTtLUz4mI6brgqwU=; b=cSRlLhOpf4Dlc6WVZmn/HdlgVw13DBw8qcZzkr+JpDOjy6MZl5BhRA9b Ghxt4sKO8VynxrNC7BWRz9rD6zsOs0F5jj45Ry/0ASLtrdGbOgxxwvLED 1wnWxSjkNQSd2DId6WvFKO2u9p4Hp/PLemjwOy4PHofai0Eu/yKRWpsmJ JHRgZpFIhljQZTdmur0Zzi1fibyPM495fl1+dbJNsJmJl5Vzw7s2SyyIu +DeyLJuSVDRhKYpIKPA8VSUyicmW5EpJ7+3EW0PL8xIqg8HF9MxAiFCP/ B5HSM5S4h+X/H4QeiQGQNGMZskf+vwlT7zOrjQUyxNngrafOyBQWZkTfx A==;
X-CSE-ConnectionGUID: +mWsTaMTROatrpVigIuy5w==
X-CSE-MsgGUID: CwaRPnfsS+C+xO8nLPqPxg==
X-ThreatScanner-Verdict: Negative
IronPort-Data: A9a23:5gdeOqOsh17cT7PvrR2VkMFynXyQoLVcMsEvi/8bNHDolHp+jmZWi jtAB3bGYazJZX+2Io4oOcnztx82DaSljYs6FVdy7S52J54hgZHMD93Fd0usMXPLJ5eTF0k2t s4QOtTOdZtkQCeH+h3zP7PsoHVwiK3XG+GsWb7JNHl8HFBoEXwtgEs9x75ki9cAbbSRChuVv dL5qtHeP1niwz1/KT1R8KOMrhpzoe7/0N89lgVWiadj4AWGxhH5da43Jb2tNym/BY5fBfb8S +fMzbq05H+f9BAoUnlMOF/GGnHmOYU+QTWzonpKR7DwxV9apS131a0gLLwQaEhWgDiTg5Z6z 9AVmN/ow+/hb63QhPxPFBJRGCxke7ZX/bbaPXj5usuWiEjecHqrz/RhDUo7J5EToP13CHtD+ ecdKTUAZRnFjPiqmNqHppJXargewLPDZMVH0kxIzS3FFe10BtfcXLqM6d5X3Tw9nNwIFvHbI OEhUmLFhb89IEXl0/z3YK7S59xE8UQTCRUE7gr9mII3/3TL1142l6fyL5zZe9OLTshPggCTo WeB5XzwRwwTbLSjJUG+HgWRapXnwWWjML86FKGk7uU4xxqM2XNVBBwZVFC2u+X/gUm7HMhHI gkJ83IExZTej3dHOeQRJTXk5ibsgyMhZjZwLwEbwFnVkPrYv13FCGYKEGRINYB65J9uTDV73 QPQx96zXmVi7OTFGHmQyOyZ/Gi4UcQ3wc3uRgdfFFdYvIOzyG0XpkiSJjq2OPft1rUZIRmpn nbX6nF43+hO5SIy//3T1UjdhD6xrYT+QAcw5wHGNkqo9QoRiLSNPuRE0nCFq64QRGqlZgPZ5 iRcxZHOtLtm4aylz0Rhfs1cRNlF2N7YaFUwsXY3d7E9+jKk/WKUfIw4yFlWOEdzP88YTiTia UnVtBk5zMc70KyCNPIfjyqZUqzG/IC4fTjXfqm8gulmO/CdQDS6EBRGPiZ86Ui2yRRxzvtvU XusWZ3E4X4yUcyLxRLoH7tNiedDKioWnQs/Trijp/irPCb3iNd4ht7pPXPXBt3V4p9ory2W9 ulEC8Kv9y94WfHkehfW/q8OPA0VeC1T6ZDe86S7d8apGCw/J0cMO6eLh60qfJZ92a1Z0PnS5 Xf7UUhdoLb9rSSfb1zVMTY6NeipAccXQXETZETAOX6kxHU4eour948BeoE2Zrgo8qpoyvsco /wtIJzZUqsREm+vFzI1Rob0lrRkeg+QxinNLw31ZhwHZqZwSFmckjPjVk61nMUUNQKvvNY65 aKnyx/WW4ErTgV8AcCQafXH51K8pnc1me9uUQ3PONY7UEn2+YZ2bi38kvFyL8cXLg2G1Dyc2 hibGwwZou/looIp/p/On6/sh4uvCOxmW0FaFmjB9p63ODXUuG25zudoXOCTeij1VW7o9uOlf +o95+3+L7sGkUpEm4V5Grdvi6k54rPSS6RyxB5iRWrNYkTzUPZ7PGPA2MhU86dKgLVDv1LwR FiU/J9RPrDh1N7ZLWP97TENNoyrvcz4UBGLhRjpCC0WPBNKwYc=
IronPort-HdrOrdr: A9a23:eHLNBKspyjwk5secd1V7RQO07skDq9V00zEX/kB9WHVpm6uj5q WTdZUgpH3JYVkqOE3I9ervBEDiexzhHPdOiOEs1NyZLWrbUQWTTb1K3M/NzzrtACXi+uMY/r cIScRDIey1KVRhl8717E2bH8ZI+rO62ZHtoevF1X9iQUVRdqd6425CZzqzCEFsWwVcP5Y/Ga ed4sYvnVGdRUg=
X-Talos-CUID: 9a23:u2DGEmnvd9gzAznw8itdwD/8qPHXOT7Y82zsKmqEM0FgVKeNd16f2b51ztU7zg==
X-Talos-MUID: 9a23:Jk756gxqb7GDY7qtUIZ0QO08xoeaqI+xAXo1l5sdgIqvdjxXazG5tC2PUoByfw==
X-IronPort-AV: E=Sophos;i="6.08,247,1712620800"; d="p7s'346?scan'346,208,346";a="31187603"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.37; Tue, 18 Jun 2024 13:40:57 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) by BRN1WNEX01.vcorp.ad.vrsn.com ([10.173.153.48]) with mapi id 15.01.2507.037; Tue, 18 Jun 2024 13:40:57 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Paul Wouters <paul.wouters@aiven.io>
Thread-Topic: [EXTERNAL] Paul Wouters' Discuss on draft-ietf-dnsop-zoneversion-08: (with DISCUSS and COMMENT)
Thread-Index: AQHawQ1eTeP6iYHQgUSdIPFiCyy0mbHODkAA
Date: Tue, 18 Jun 2024 17:40:56 +0000
Message-ID: <3BED375B-86EA-444E-9604-C4C9D5321DA6@verisign.com>
References: <171866661003.804.6572056160990742967@ietfa.amsl.com>
In-Reply-To: <171866661003.804.6572056160990742967@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3774.600.62)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_08AC1295-1504-4C6F-90E2-899859D30075"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Message-ID-Hash: 64RKZ7TUC4G2BKYKRUTP5PVI2Y5IU3MA
X-Message-ID-Hash: 64RKZ7TUC4G2BKYKRUTP5PVI2Y5IU3MA
X-MailFrom: dwessels@verisign.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: The IESG <iesg@ietf.org>, "draft-ietf-dnsop-zoneversion@ietf.org" <draft-ietf-dnsop-zoneversion@ietf.org>, dnsop-chairs <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>, "tjw.ietf@gmail.com" <tjw.ietf@gmail.com>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: Paul Wouters' Discuss on draft-ietf-dnsop-zoneversion-08: (with DISCUSS and COMMENT)
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/yztiHHwsUaulKqKkO56lY_Txilg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

Hi Paul, thanks for the review.  Comments inline…



> On Jun 17, 2024, at 4:23 PM, Paul Wouters via Datatracker <noreply@ietf.org> wrote:
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Just a few hopefully minor issues to talk about.
> 
> In section 3.2, why is NXDOMAIN not listed? When asking for "foobar.nohats.ca",
> couldn't it be useful to get the zone version, if the nameserver is
> authoritative for "nohats.ca" and has no delegation for "foobar.nohats.ca." ?

The intention certainly is for a server to return zone version information in
an NXDOMAIN response.  Would this change to the start of 3.2 address your concern?

OLD:
A name server that … is authoritative for the original QNAME, 

NEW:
A name server that … is authoritative for the zone of the original QNAME,

Or would you also like to see NXDOMAIN specifically mentioned like this?

   A name server SHOULD include zone version information in a name error
   (NXDOMAIN) response, even though the response does not include any
   Answer section RRs.


> 
> What should an authoritative nameserver return as zone version if it is
> configured as authoritative nameserver but can't get the zone version (eg
> because "no permission to read file")  One way would be to allow it to return
> a zero length for ANY type and define that as an error condition.

I think the authors will need to discuss how to handle error conditions like this
and get back to you.

> 
> It seems DNAMEs could lead to involving two or more zones the nameserver is
> authoritative for. How should this be handled? Only use the first DNAME's
> zone's version?

I don’t see the issue.  The version corresponds to the QNAME zone (and is type agnostic).
It doesn’t depend on Answer RR names.

One thing we could do is allow multiple ZONEVERSIONs as long as (TYPE,LABELCOUNT)
remains unique.  Then the server could return multiple zone versions if it
happens to be authoritative for multiple zones of the QNAME.



> 
> The type leaves no room for proprietary (or somehow encrypted) zone versions,
> as the DE advise states:
> 
>        In particular the reference should state clear instructions for
>        implementers about the syntax and semantic of the data
> 
> If you did not mean to exclude encrypted zone version data, perhaps clarify
> the advise to the DE? Or are those deployments meant to use the
> "local/experimental" use, in which case calling it "private use" might be
> better?
> 
> Have you considered leaving a small initial space for "RFC Required" policy?
> Eg 0-15 ?  With only 253 types available, I'd feel happier with that,
> especially if this supports proprietary types.

Does changing the range 246-254 from “experimental” to “private use”
sufficiently address your concern about proprietary types?

> 
> Should implementers be warned not to blindly copy this EDNS(0)
> options from the query of a DNS client onwards? Doing this could cause
> amplification attacks if some server uses a non-SOA-SERIAL type with a
> long length.

How’s this (inspired by RFC 5001 NSID)?

3.2.1.  ZONEVERSION Is Not Transitive

   The ZONEVERSION option is not transitive.  A name server (recursive
   or otherwise) MUST NOT blindly copy the ZONEVERSION option from a
   query it receives into a subsquent query that it sends onward to
   another server.  A name server MUST NOT send a ZONEVERSION option
   back to a client which did not request it.


> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
>       A name server SHOULD include zone version information for
> 
> Can this be rephrased as:
> 
>        When asked for a zone version, a responding name server SHOULD
>        include zone version information for [...]
> 
> Just to avoid implementers from reading this and adding it when the DNS
> client did not ask for it.

I feel like it would be repetitive to make that change all the times we
say “A name server SHOULD include…”. How about this change to the start of 3.2
(item (b) new):

   A name server that (a) understands the ZONEVERSION option, (b)
   receives a query with the ZONEVERSION option, (c) is authoritative
   for the zone of the original QNAME, and (d) chooses to honor a


> 
> 
>        The OPTION-LENGTH for this type MUST be set to 6 in responses.
> 
> Maybe say:
> 
>        The EDNS(0) OPTION-LENGTH for this type MUST be set to 6 in
>        responses.

Done.

> 
> 
> My OCD triggers on these unbalanced parentices:
> 
>        ; ZONEVERSION: 02 00 78 95 a4 e9 ("SOA-SERIAL: 2023073001 (example.com.)")
> 
> (note it seemed to render badly in my browser, but copy&paste seemed to fix it again?)

I’m not sure what you saw but maybe its better to remove the quotes there.

> 
> The example dig command should have +norecurse :)

Done.

> 
> Why does the example contain an AUTHORITY SECTION for an AA answer
> with data? Seems .com does that but other nameservers I tested do
> not (eg nohats.ca or .nl). This makes it a bit unclear if the setting
> of zoneversion requires that the Authority Section is included. Maybe
> a clarifying note can be added? I assume this related to query minimalization?
> 

I think this is just the effect of “minimal-responses” feature available 
in some implementations?

DW