Re: [dnssd] Intended behavior for eliding KEY record in DNS query response? (draft-ietf-dnssd-srp)
Ted Lemon <mellon@fugue.com> Mon, 29 January 2024 23:17 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A99CCC1CAF49 for <dnssd@ietfa.amsl.com>; Mon, 29 Jan 2024 15:17:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iDbr5pi-qD7v for <dnssd@ietfa.amsl.com>; Mon, 29 Jan 2024 15:17:18 -0800 (PST)
Received: from mail-qv1-xf35.google.com (mail-qv1-xf35.google.com [IPv6:2607:f8b0:4864:20::f35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 486B3C18DBB8 for <dnssd@ietf.org>; Mon, 29 Jan 2024 15:17:18 -0800 (PST)
Received: by mail-qv1-xf35.google.com with SMTP id 6a1803df08f44-6818f3cf00aso29521346d6.0 for <dnssd@ietf.org>; Mon, 29 Jan 2024 15:17:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20230601.gappssmtp.com; s=20230601; t=1706570237; x=1707175037; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KsmRussuqT48h/k4FZ+bkJrrbxZHtY920JGwJdHmP4Q=; b=2vxO+KIahAP02N5gBgJruT4fBn1WhQ17V2KeUsOfU5Tutt9oC2xEGOmLLh/5TlJWYS /WLiP34hCybwErtOMR1iZHn+g+aoy+ZH/wx+edZIlMkQLsvtkCIGSeJUc46JPrfGTwnm h1754gkZpXz6H0jVfP2ZDllyzUjZx8xZCzvU+t15zYt02K4OVkT/NXU0KNhTrVqdvRj7 uvAqt2AY3iBZvAMPoY6Ce4zCoQhIZusOn2VkfLnyq2u7sTbORjrnS/qQbXNkGtO8fa1G NWtx2zXeWwQ5S9Gos+P1xZMMfw7VoeOHIvEe4Wd+On/FYf+U50++hBCIH+tPovqJIIsH mCug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706570237; x=1707175037; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KsmRussuqT48h/k4FZ+bkJrrbxZHtY920JGwJdHmP4Q=; b=jCYn6Mx1xzqOMdBnRqK/OBXznwVRmrBNv9NnbXMI8g1mHfMUgIItY7WiAsrovrmJq4 Z8ImxTC0tIOzdm1MzAthOhYmogVid8aOg0+Y8OqA47dwgElLiwNBql2MTmiMbbRTahyG nog9+hxO66gzda76BsIJ5iwJBuJjhjJvfBHw1s6ckx/QZuXjb9JUq6HpVkBnAsEL2skv UAh10vehFE3J2MGkbJjCIqa11dd+qRNk5DmNVtUx/z/kfURdFXSohmXvKtGCU5Suhq/b +lSHYhe2hvxb5gkzEbbv5JqoL4fK2IbL1q4mg5Ooy/rRAS1VrDsB45C2vSjlJTEHq5NX zBFQ==
X-Gm-Message-State: AOJu0YySdmgTYTnct2JHsU9TwQTWPmnjPD5I+tlmXlGHfWHiyTy2Ye1W VjgmRlmTj/ldCTclRBuZsG5I/FEZicZ5jUPkwnZFpszNoyDOtmvO0gHQZYzRcYpr9NhgjMQHSpc IfNr15WYFNCUY823YxtpZwPQ4Byy+bQOmNLCU6rS1A2ExlrgPdzI=
X-Google-Smtp-Source: AGHT+IHcr+3SJIThUhvB1F5eCGGAgjn47VUsPA6t0kfA9VaGl7yz+4t7beM7SnA2Ferb+nsboBbV+DHZbUVNYZ0wLuA=
X-Received: by 2002:a05:6214:250c:b0:68c:544c:fae7 with SMTP id gf12-20020a056214250c00b0068c544cfae7mr2405393qvb.37.1706570237373; Mon, 29 Jan 2024 15:17:17 -0800 (PST)
MIME-Version: 1.0
References: <DU0P190MB1978200A6FCB7259C8B3B0C5FD2EA@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <CAPt1N1knidoVUHDFvd+6BW2msCVkjRfRi3COxpHpZKtjGFZFOQ@mail.gmail.com> <DU0P190MB1978076949E643E64EDC73E7FD2FA@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <CAPt1N1mi+6ma=MyEofp_gzRF9So1=EhKnXiqwwr8gAPxK=ecyA@mail.gmail.com> <CAPt1N1mdc0ULdmqb2aGgRqXJxx_vgDRTpCVpeAc5YhgHzV02qg@mail.gmail.com> <DU0P190MB19787D95527477F9DCE6C396FD1DA@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <DU0P190MB19787D95527477F9DCE6C396FD1DA@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 29 Jan 2024 18:16:41 -0500
Message-ID: <CAPt1N1krZY8Lf+LMLRpeMGTmqFsR9kpXEDbSQ5XoEnidVyo4pw@mail.gmail.com>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: dnssd <dnssd@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c87f3406101dd8dc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/Uak-k-AKev6daAe3bRT8YA3JN0Y>
Subject: Re: [dnssd] Intended behavior for eliding KEY record in DNS query response? (draft-ietf-dnssd-srp)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jan 2024 23:17:20 -0000
I made a small adjustment to the document. I think it was already fairly clear, but I added: "To avoid DNSSEC validation failures, an SRP registrar that signs the zone for DNSSEC but refuses to return a KEY record MUST NOT store the KEY record in the zone itself." "No data" is a well-understood term in DNS, so I think it's okay to use it here. "signs the zone" is referring to DNSSEC. I added "for DNSSEC" above to make that clear. Replacing the key contents with a dummy value is probably also a valid approach, but why specify two different ways to do the same thing? The dummy key value would have to be included in the DNSSEC signature, so it's just a more complicated way to solve the same problem. You are correct about "server" versus "registrar"—thanks for noticing that! On Thu, Aug 24, 2023 at 4:11 AM Esko Dijk <esko.dijk@iotconsultancy.nl> wrote: > > I've updated the text to say: > > > > > > To avoid DNSSEC validation failures, an SRP server that refuses to > return a KEY record MUST NOT store the > > KEY record in the zone itself. Because the key record isn't in the zone, > the nonexistance of the KEY record can be > > validated. If the zone is not signed, the server MAY instead return a > negative non-error response (either NXDOMAIN or > > no data). > > > > Thanks; at first glance this seemed ok for me. However today I have > trouble understanding the requirement. > > > > - Is the “MUST NOT” condition always applicable? Or only if the SRP > Registrar keeps a “zone that is not signed” i.e. conditional. > - If the MUST NOT is conditional then maybe the text should be > rephrased to make this clear. > - I.e. it seems ok to store the KEY record in the zone and delete > that KEY record from any query answer, as long as the SRP Registrar doesn’t > apply DNSSEC security for its zone. > - What is the “SRP server” ? Should this be “SRP Registrar”? > - See also other references to “SRP server” in the document. > - “no data” is kind of cryptic – should we just say “NOERROR with zero > answer records” ? > - What does it mean for a “zone to be not signed” ? (I’m probably > missing some DNS background here. In my mind, SRP updates can be signed but > not an entire zone.) > - A related question that came is why not just replace the KEY record > contents by a dummy value (e.g. 0x0) if the purpose is to hide the contents > of the KEY record only. > > > > > > Regards > > Esko > > > > > > *From:* Ted Lemon <mellon@fugue.com> > *Sent:* Friday, July 7, 2023 21:15 > *To:* Esko Dijk <esko.dijk@iotconsultancy.nl>; dnssd <dnssd@ietf.org> > *Subject:* Re: [dnssd] Intended behavior for eliding KEY record in DNS > query response? (draft-ietf-dnssd-srp) > > > > I've updated the text to say: > > > > To avoid DNSSEC validation failures, an SRP server that refuses to return > a KEY record MUST NOT store the > KEY record in the zone itself. Because the key record isn't in the zone, > the nonexistance of the KEY record can be > validated. If the zone is not signed, the server MAY instead return a > negative non-error response (either NXDOMAIN or > no data). > > > > On Wed, Jul 5, 2023 at 11:03 AM Ted Lemon <mellon@fugue.com> wrote: > > Op wo 5 jul 2023 om 03:06 schreef Esko Dijk <esko.dijk@iotconsultancy.nl> > > The “why” is maybe not so relevant – if something is optional in a spec to > NOT do, implementers will jump on it by NOT doing the thing. They even > don’t implement RECOMMENDED functions in my experience ;-) > > For the testers, it means they have to test for the possible variants and > need to know what to test against. Right now as specified there’s 3 cases > possible: 1) return KEY ; 2) return RCODE=0; 3) return RCODE=5 . > > > > Okay, that makes sense. This is a pretty late clarification. Chairs, do > you object to me including this in the forthcoming update? > >
- [dnssd] Intended behavior for eliding KEY record … Esko Dijk
- Re: [dnssd] Intended behavior for eliding KEY rec… Ted Lemon
- Re: [dnssd] Intended behavior for eliding KEY rec… Ted Lemon
- Re: [dnssd] Intended behavior for eliding KEY rec… Esko Dijk
- Re: [dnssd] Intended behavior for eliding KEY rec… Ted Lemon