Re: [DNSOP] Dnsdir early review of draft-ietf-dnsop-domain-verification-techniques-02
Shivan Kaul Sahib <shivankaulsahib@gmail.com> Sat, 22 July 2023 20:44 UTC
Return-Path: <shivankaul.1993@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF44FC15198F; Sat, 22 Jul 2023 13:44:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.845
X-Spam-Level:
X-Spam-Status: No, score=-1.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SqrY7_04_NuB; Sat, 22 Jul 2023 13:44:06 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E961EC151AE0; Sat, 22 Jul 2023 13:44:05 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id ffacd0b85a97d-314172bac25so2208643f8f.3; Sat, 22 Jul 2023 13:44:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690058644; x=1690663444; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Dp2lZTepBNRujwj/rucV3sRP5t9yygFZglbn8Km4ZCg=; b=NEUdgfR3TEW3W2wblMCuMwccd1jH7D8m4z8CMF7Okx/yR1ATFiZwi2KTuyFjWcXhWE VGCvonYWrOgFyeNArVfrzc0jYBKoCfT4KHHRLA5FRUT+Ko5EhBCe8vK+3uS5Ag2BORW6 CMW20w3JLy7eQzSLOQSJBRJOuvZGgl3SXVvEeNPIIjC5Qgx6M7OP59+jEQx0ue1OCtgL SQIxMaiYvYW2YpKJ1IldI9FkdECbJOeGQtj+swgrIs/qmDSYZschka3Ccwu5yl5nM3XH QPnCqO/28nCgcZcz0ErKsRgUCnD8ClbF4eeSuwDy9pZgOK19YRRE0F6r1o4bXpnbk8ow fBqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690058644; x=1690663444; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Dp2lZTepBNRujwj/rucV3sRP5t9yygFZglbn8Km4ZCg=; b=MixMVmL2sceUv7R0CKLKjQhqrgvB8DoLC1jA6UMxsGBOkOcuCGsusIJF6n8JMHy+S4 IaswUWoeDdTk9DRaopSb2XasLrcLQyphwUYBmS/mbjFK3CA/LB3HqfQmpB7SLTyNa4vL M5twzaCfzuSZIJFXJl+x5eGzEDnUQTX1Z6gq0M4oa1JOu88ci2mvXv1KUpgnaRrDw5// Zn9SA1dH0ijkxccON70VK291qUiiLVGhv5jBuFyfq+IZqs8OwCQWzmcGPagS/2uCDIge HDpsMlEFD+09MEQRkCATRyf7r27/vYe77AysBqIl7mOjEy4pEjuZ3f9dR/nU5Azj21tY TRkQ==
X-Gm-Message-State: ABy/qLa91V4moj6IyJ/1osdN42O4C4fQq+mwUgZcj3RBbdaOD8rEXBLB r3P41q1U5VFHNC3GU0AVEZ4zOiWHtVcVoEmj32udguqvA6Y=
X-Google-Smtp-Source: APBJJlEiyCqRz9uf8X95UoGMyY/UGI/mhmdu1xFBH/3lpvybVfuW0fIWo7jX+T5s1UoZZ0w1XwcwdsRLRf/E/DwqYLw=
X-Received: by 2002:adf:f1cc:0:b0:313:fbd0:9810 with SMTP id z12-20020adff1cc000000b00313fbd09810mr3685149wro.4.1690058643922; Sat, 22 Jul 2023 13:44:03 -0700 (PDT)
MIME-Version: 1.0
References: <168920929560.2740.18371942370313966688@ietfa.amsl.com>
In-Reply-To: <168920929560.2740.18371942370313966688@ietfa.amsl.com>
From: Shivan Kaul Sahib <shivankaulsahib@gmail.com>
Date: Sat, 22 Jul 2023 13:43:27 -0700
Message-ID: <CAG3f7Mhjo-Btz+Ww1QGDOPLDt9DHVid7iBT7b6p-KSme=Hth8Q@mail.gmail.com>
To: Jim Reid <jim@rfc1035.com>
Cc: dnsdir@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-domain-verification-techniques.all@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001ee4a9060119713b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/zSCx-f7Uytvmpr3S2tW7XzgQIaU>
Subject: Re: [DNSOP] Dnsdir early review of draft-ietf-dnsop-domain-verification-techniques-02
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Jul 2023 20:44:10 -0000
Hi Jim, thanks for the review, but it looks like you reviewed an older version of the draft, not -02. -02 addresses a lot of the feedback you have: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-domain-verification-techniques-02 On Wed, 12 Jul 2023 at 17:48, Jim Reid via Datatracker <noreply@ietf.org> wrote: > Reviewer: Jim Reid > Review result: Not Ready > > Since this I-D was submitted for early dnsdir review, the draft is > essentially a work in progress and much remains to be done. > > I doubt this I-D will be a valuable addition to the DNS oeuvre that > merits WG attention. As written, it's a mixture of implementation > guidelines and a survey of current approaches to domain verification > techniques. These might be better as discrete documents on the ISE > track. However the I-D has been adopted by the WG. It's not adding or > changing the core protocol and therefore won't be a burden to the DNS > Camel. > > There are quite a few gaps that need to be filled. Which is to be > expoected in early versions of a draft. > > There isn't a clear enough problem statement or use case: what > problems does this I-D solve and how does it do that? > In -02, there's a Common Pitfalls section pretty early on that outlines the issues we've seen running DNS operations which motivates this document. > > The I-D is unclear about the roles and responsibilities commonly found > in today's DNS where the domain name holder is not the controller or > administrator for the domain and neither provides authoritative DNS > service for it. How could/should domain verification work in these > settings? > In -02, we have sections on delegated domain control validation, and described it in a fair bit of detail. Beyond that, I don't think the outsourcing of the record management causes the draft's recommendations to not apply. > > The doc could be clearer on the semantics of these validation domain > RRs. ie Their presence only proves who had control of the domain when > these RRs were added or removed, not who holds the domain name or is > ultimately responsible for it. This is important, especially when so > many aspects of DNS operations are outsourced these days. > In -02, we have a section on optional metadata that could provide context on the RR. In practice we haven't seen either a demand or example of folks putting point-in-time domain ownership data in the RR. > > Section 1 describes how domain verification is performed today but > doesn't explain why. Or discuss the strengths and weaknesses of this > approach. Could non DNS-based approaches - some out of band method - > work or not? Are there scenarios where these could be better than > using something stored in the DNS? Or does the DNS-based approach > obliterate these? > In -02, Section 3 talks about why. We define non-DNS methods to be out of scope. > > A definition for the counterpart of Provider is missing. Client > perhaps? > We don't use the word Client in the document; we say user. We can add a definition for the user to be "entity trying to avail of a Provider's services" but didn't feel like it added much. If it would be helpful I can add text for that in Section 2 around that. > > Several Sections are missing. The I-D jumps directly from Definitions > to Recommendations! The authors need to show their working. In > detail. ;-) This should include details of which approaches were > considered and their advantages and disadvantages. There needs to be > an explanation why TXT records are RECOMMENDED and, by implication, > why other RRTypes are not. CERT records for instance could be a valid > alternative that offer additional security features. Section 3.2 > explains (somewhat clunkily) why CNAMEs are unsuitable. But that's > only a small part of the story. > We got the advice to not bury the lede, and that's what we did. This is a BCP document, and we've laid out the advice upfront, and provided hopefully detailed text on why those choices are made. The Appendix describes the survey of existing techniques and why they do or don't work. > > A Section on procedural/process issues is needed: how the Provider and > Client synchronise their updates, how this gets agreed and documented, > when/how validation domain names get added or removed, max/min TTL > values, problem escalation considerations, etc. > > The discussion of the TXT record in Section 3.1 is defective. The > validation domain name probably needs to have a unique owner-name as > well as some unique token in the RDATA. There's no explanation or > justification for using a random token with at least 128 bits of > entropy. Why not 256 or 64 (say)? A small number of entropy bits could > be "good enough", for instance when the validation RRtype is > short-lived or only used once. Similar issues arise from mandating > SHA-256. One day that algorithm will be deprecated => updating this > prospective RFC. A "strong" hash algorithm isn't always necessary > either. That's also holds for RFC4086's randomness requirements. > Should the validation domain name include a timestamp to > detect/prevent replay attacks? > If these parameters are to be requirements and/or mandatory to > implement, the rationale for their adoption needs to be given. > > Is this part of the I-D documenting one provider's approach? Should it > be defining a generalised, interoperable solution? > There's no Section 3.1 in the current draft version, but I think you mean 5.1. In general though, this is a BCP document, not a new protocol. We've largely taken ACME's approach and recommended that, and given considerations for enhancements or alternative approaches. > > The last paragraph of 3.1 is in the wrong place. It belongs in a > section on implementation considerations. Some of the text is > fluffy. What would "offer detailed help pages that are accessible > without needing a login on the provider website" look like in > practice? What content should be in the detailed help pages? The > sentence beginning "Similarly, for clarity," is confusing. Who is > expected to provide the full DNS record? How? And in what format? > The Security Considerations Section needs a lot more work. It should > document the threat model which outlines roles and responsibilities as > well as potential attack vectors and how to mitigate them. These would > include MitM attacks, spoofing, (D)DoS, Client-side or Provider-side > bad actors, poorly chosen TTL values, replay attacks, securing the > Client-Provider channel(s), etc. > There was a security review done, and we've incorporated those suggestions. Looking for specific text that would help, but not sure how to make further changes. > > Appendix A is an excellent idea and much appreciated. Some of tha > material needs to go elswhere in the document though. A 1.3 and A1.4 > should be in the main body of the I-D. It should not be in an appendix > which describes the domain verification techniques used by significant > Providers. The discussion of fragmentation also needs to move from > Appendix A. It should explain that using discrete owner-names for each > validation domain RR would avoid fragmentation concerns. Guidance on > the size of validation domain RRs - ie TXT records - and any > accompanying DNSSEC-related RRtypes might also help here. > > > Minor but annoying nits: > > It's domain name holder, not domain name owner. > > Standards documents shouldn't use personal pronouns: tThe "you"s in > Appendix A. > >
- [DNSOP] Dnsdir early review of draft-ietf-dnsop-d… Jim Reid via Datatracker
- Re: [DNSOP] Dnsdir early review of draft-ietf-dns… Shivan Kaul Sahib