Re: [dnssd] Review of draft-ietf-dnssd-srp-02
Jonathan Hui <jonhui@google.com> Thu, 29 October 2020 19:31 UTC
Return-Path: <jonhui@google.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 485693A084D for <dnssd@ietfa.amsl.com>; Thu, 29 Oct 2020 12:31:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XNX-lp-9p_YA for <dnssd@ietfa.amsl.com>; Thu, 29 Oct 2020 12:31:46 -0700 (PDT)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EFF33A003F for <dnssd@ietf.org>; Thu, 29 Oct 2020 12:31:46 -0700 (PDT)
Received: by mail-oi1-x233.google.com with SMTP id 9so4219260oir.5 for <dnssd@ietf.org>; Thu, 29 Oct 2020 12:31:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=b+/wMby9Bq57udhlAG/QwFuenhFOdPQ7bLlOBnlIR24=; b=elo98VMYS9NBFSSaHfapWyCu5WClp2yYLjdGtthl4ZezFb8iy+QlD1zsyDMM1OddxP hKFj/ayW75Fg2gXzHZTVf3DZmt/zs+u9w9PPH3275ZWtip9sbulbagTFXgrhuJafcvGX ond4sOrrysg8yMX3rBDi/JPGRMyIBmazNzpbrHAHWtx52VLsnk+enNtfyQflv0bNYbKf 99mwS9J1qk6Kr/8bJ2+c2A/3Op3OuuhA9mO7u81tb7RH5/YHSWx/ui1EvYOPwmZb0iuU 7eZm0numiivVbs1P+OneJsUIsqseje/qgTWhgu57HXwFtCNCT9VF1SlimjjJCg+poI8q X9iQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=b+/wMby9Bq57udhlAG/QwFuenhFOdPQ7bLlOBnlIR24=; b=nvDwDnt8JFDHdDyjEq+ILlAFs0tCwaXEBHFjWr+4B8YAiZxoIgcc3ZVQMb66no7Ujw TX8h4yKhfTS/1QqQOtDJLabmRxoGGuL9bu3sP/eiAOeV28G5mYY/qVlV/oRjVUdsZ4r0 aknIjYA+Nojj/m+NNB3j+Ssp3eBRa4qtXhoIpl1J6nX25dX5JqaHWfKrFrqQ09hfXIkP 5iAynm5Smerhnt90OpeZDjC/MvrkUnCbsxDOFtDPtVQUjLXBNMXflYqkiUmGqjbB7bYX UsrF/Mk7SVhZLcDujMZIQz9LbUFKYiBTJWNyBL+5cCzabTj2eFaDfo/GSYRbBoTWOAf6 6EMw==
X-Gm-Message-State: AOAM533qfhxgXUErcMX7FxWB7vqRFfWTqiZ5LkikaF0FdSxEBHjjZ8vm KEuyEXYzrRASBAYNoYv/+tl/VTjiiDJf23P69D82WFyfnGpdiHw+
X-Google-Smtp-Source: ABdhPJzqiH3/XgneKzaIWzqG9e2Rij1W7udMQCpZRpSZRdGcKoleqW/Rr2TG7KZ7HSrZ5lON0Jk6yRnFJuLQsYJvR7o=
X-Received: by 2002:aca:6746:: with SMTP id b6mr877611oiy.24.1603999905062; Thu, 29 Oct 2020 12:31:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAGwZUDvAXr=oKsUtpZAB0PUoR8f+CSGC-4RBkcqoxM2j4QNzeQ@mail.gmail.com> <B9834CA0-4E46-4F8C-9AA1-6EB78AA38AC4@fugue.com>
In-Reply-To: <B9834CA0-4E46-4F8C-9AA1-6EB78AA38AC4@fugue.com>
From: Jonathan Hui <jonhui@google.com>
Date: Thu, 29 Oct 2020 12:31:33 -0700
Message-ID: <CAGwZUDsnGec-8s=J5MUcCkujZHSa5oNKky6PQzn44isgjH2qMg@mail.gmail.com>
To: Ted Lemon <mellon@fugue.com>
Cc: dnssd@ietf.org
Content-Type: multipart/alternative; boundary="00000000000090131205b2d454da"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/AVoGSOsp5DX4Xa-y8tEmn1G12vI>
Subject: Re: [dnssd] Review of draft-ietf-dnssd-srp-02
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Oct 2020 19:31:48 -0000
Ted, Thanks for working to resolve my comments! Responses below: On Thu, Oct 29, 2020 at 9:27 AM Ted Lemon <mellon@fugue.com> wrote: > On Oct 8, 2020, at 3:19 PM, Jonathan Hui < > jonhui=40google.com@dmarc.ietf.org> wrote: > > Intended status: Informational >> > > Why not standards track? > > Because I accidentally put “info” in the XML instead of “std”. :) > Draft-05 still indicates Informational. > [RFC6763] that allows services to automatically register their > > > It's not clear to me at this point what "automatic" really means. It > becomes clear later in the doc (e.g. Section 2.6.1), but I think it would > help to be clear in the Introduction. > > Thanks, this is a really good catch. I’ve substantially updated the > introduction to explain this in more detail. > The additional 4.5 paragraphs of text in the introduction looks great and the detail is certainly helpful. > using UDP unless TCP is required due to the size of the update. It >> is the responsibility of a Constrained-Node Network supporting SRP to >> provide appropriate anycast routing to deliver the DNS updates to the >> appropriate server. It is the responsibility of the SRP server >> > > Is "appropriate" well-understood here? I could use some clarification on > what requirements are placed on the Constrained-Node Network to support SRP > anycast. For example, can there be more than one SRP server on the network? > If so, does the anycast address always need to map to the same SRP server > for a given host? > > > Interesting, this was actually fixed in a newer version. So the whole > discussion of how to configure SRP on “constrained-node networks” is now > left up to the specification for that network type. > Somehow I reviewed an older draft. The latest text looks good to me! > o The Host Description records for a service are a KEY RR, used to >> claim exclusive ownership of the service registration, and one or >> more RRs of type A or AAAA, giving the IPv4 or IPv6 address(es) of >> the host where the service resides. >> > > Are there recommendations/thoughts on how an SRP server should handle SRP > updates containing multiple IPv6 addresses of varying scopes? Is this a > topic within scope of this document? > > I’ve added a paragraph to the validation section saying that link-scope > and IPv4 autoconf addresses are invalid, and registrations that include > them should be treated as invalid registrations. I’ve also mentioned that > addresses must be in scope for all potential clients of the SRP server, but > haven’t explained this in more detail. I may add a section about this later. > Updated text looks good to me. > The service generates a public/private key pair. This key pair MUST >> be stored in stable storage; if there is no writable stable storage >> on the client, the client MUST be pre-configured with a public/ >> private key pair in read-only storage that can be used. This key >> pair MUST be unique to the device. >> > > Strictly speaking, we require the service to retain the key pair for as > long as it would like to make updates to its existing service information. > For example, should we recommend that a device generate a new key pair > after factory reset (if it has the ability to do that)? I'm thinking that > the public key can serve as a static identifier. > > Yes, that’s intended. I’ve added some text. > Updated text looks good to me. > lease time Section 2.6.1. Shorter TTLs will result in more frequent >> data refreshes; this increases latency on the client side, and >> increases load on any caching resolvers and on the authoritative >> server. Longer TTLs will increase the likelihood that data in caches > > > Worth mentioning effect on network utilization? Or is that already implied? > > OK. I added text. > Typo: "be an + issue for" -> "be an issue for" Otherwise, the updated text looks good. > 4. Privacy Considerations > > > Should we mention UDP here? > > Dunno what you mean about this. > The current text recommends using TLS when using TCP to mitigate privacy concerns. Are there any recommendations or warnings to state here when host implementations are using UDP? > Should we mention the public key here? > > I’ve added some text. I think we may also want to allow the client to say > “don’t show my key.” > Updated text looks good. Giving the client that flexibility sounds interesting. > specification in [RFC8375]Section 7. > > > "Section 7" link not pointing to the appropriate doc. > > I’m not following this. > The "Section 7" link in https://tools.ietf.org/html/draft-ietf-dnssd-srp-05 points to https://tools.ietf.org/html/draft-ietf-dnssd-srp-05#section-7. Thanks! -- Jonathan Hui
- [dnssd] Review of draft-ietf-dnssd-srp-02 Jonathan Hui
- Re: [dnssd] Review of draft-ietf-dnssd-srp-02 Ted Lemon
- Re: [dnssd] Review of draft-ietf-dnssd-srp-02 Jonathan Hui