Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20

Tom Pusateri <pusateri@bangj.com> Tue, 02 July 2019 18:36 UTC

Return-Path: <pusateri@bangj.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF0A41206F3; Tue, 2 Jul 2019 11:36:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id InnAP-bBJQI5; Tue, 2 Jul 2019 11:36:18 -0700 (PDT)
Received: from oj.bangj.com (69-77-154-174.static.skybest.com [69.77.154.174]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20B9012010F; Tue, 2 Jul 2019 11:36:18 -0700 (PDT)
Received: from [192.168.77.104] (199-255-11-3.static.celitofiber.net [199.255.11.3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id B463333AC2; Tue, 2 Jul 2019 14:36:16 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3560.7\))
From: Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <156175221593.21875.9525138908968318905@ietfa.amsl.com>
Date: Tue, 2 Jul 2019 14:36:16 -0400
Cc: gen-art@ietf.org, draft-ietf-dnssd-push.all@ietf.org, DNSSD <dnssd@ietf.org>, IETF <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9E6DE124-9262-4870-A920-4E707A38DC08@bangj.com>
References: <156175221593.21875.9525138908968318905@ietfa.amsl.com>
To: Robert Sparks <rjsparks@nostrum.com>
X-Mailer: Apple Mail (2.3560.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/IrFJS68WTVOvdSEhDj9uwQvNRwo>
Subject: Re: [dnssd] Genart last call review of draft-ietf-dnssd-push-20
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 18:36:21 -0000


> On Jun 28, 2019, at 4:03 PM, Robert Sparks via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Robert Sparks
> Review result: Ready with Issues
> 
> I am the assigned Gen-ART reviewer for this draft. The General Area
> Review Team (Gen-ART) reviews all IETF documents being processed
> by the IESG for the IETF Chair.  Please treat these comments just
> like any other last call comments.
> 
> For more information, please see the FAQ at
> 
> <https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.
> 
> Document: draft-ietf-dnssd-push-20
> Reviewer: Robert Sparks
> Review Date: 2019-06-28
> IETF LC End Date: 2019-07-05
> IESG Telechat date: Not scheduled for a telechat
> 
> Summary: Ready for publication as a Proposed Standard but with an Issue to
> consider before publication,
> 
> Issue:
> 
> The discussion of recursive resolvers in section 6.1 may need additional
> consideration. In particular, the recommendation to pass a received error code
> along to a client has, I think, some unintended consequences for the client. If
> the recursive server receives a NOTIMP, for example, passing that to the client
> tells the client the wrong thing about the server it is connected to. Perhaps
> it would be better for the recursive server to return SERVFAIL in this
> circumstance? (Similar to what it would do if it couldn't connect to the next
> server as described at the bottom of page 10).

Let me think about this some more before I respond.

> 
> Nits:
> 
> Page 5, Section 3, 3rd paragraph, last sentence: NOT REQUIRED is not a
> 2119/8174 keyword. I suggest using lowercase 'not required' in this sentence.

Fixed.

> 
> Page 7, Section 4, 3rd paragraph: The first sentence alludes to concerns about
> anonymous subscriptions, saying TCP alleviates those concerns. As written this
> is pretty vague. Can you expand on what you mean by an anonymous subscription
> in this context?

Now says:

"Connection setup over TCP ensures return reachability and alleviates concerns of state overload at the server which is a potential problem with connection-less protocols using spoofed source addresses. All subscribers are guaranteed to be reachable by the server by virtue of the TCP three-way handshake.”

> 
> Page 10, Section 6.1, first sentence: Suggest s/first step in DNS Push/first
> step in a DNS Push/
> 

Fixed.

> Page 15, last paragraph: Why MUST the server immediately terminate a connection
> in this situation? Just accepting the request seems safe - having subscription
> requests show up for the same name seems nearly idempotent, and only one PUSH
> would result from having multiple such subscriptions. Is this close an attempt
> to avoid resource denial attacks buy some node subscribing many times to the
> same thing? That feels extreme, especially since tearing down the connection
> would cancel other subscriptions the client already has established on that
> connection.

The discussion about case insensitivity here is a side note. The main point is that if you receive a subscription for something you already have a subscription for, the two sides are out of sync. There is no protocol mechanism built in to regain synchronization and the best way is then to close the connection and try again. The most common reason that the two ends are out of sync is likely software bugs and if this keeps occurring, the administrator will begin to see a pattern of connections closing and can report the problem.

> 
> Page 16, second paragraph: I suggest replacing the second sentence with
> something like "A name in a SUBSCRIBE message that matches only a literal CNAME
> in the zone will only receive notifications of changes to the CNAME (assuming
> the subscription asks for that type), and nothing else."
> 

The SUBSCRIBE contains the record type not just a name. The point is that a subscription of a CNAME is only to the CNAME record and not to the record it points to. How about:

"Aliasing is not supported. That is, a CNAME in a SUBSCRIBE message matches only a literal CNAME record in the zone, and not to any records referenced by the owner name."

> Page 23, top of page: Since section 4 restricts this protocol to TLS over TCP,
> the "(or equivalent for other protocols)" phrase should be removed.

Good catch. I removed all instances of "(or equivalent for other protocols)”

Thanks!

Tom