Re: [dnssd] Dnsdir telechat review of draft-ietf-dnssd-srp-22
Ted Lemon <mellon@fugue.com> Tue, 11 July 2023 12:45 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5305EC15152D for <dnssd@ietfa.amsl.com>; Tue, 11 Jul 2023 05:45:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ISW09Yjo7RmW for <dnssd@ietfa.amsl.com>; Tue, 11 Jul 2023 05:45:19 -0700 (PDT)
Received: from mail-vs1-xe30.google.com (mail-vs1-xe30.google.com [IPv6:2607:f8b0:4864:20::e30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54F4BC072E8B for <dnssd@ietf.org>; Tue, 11 Jul 2023 05:44:43 -0700 (PDT)
Received: by mail-vs1-xe30.google.com with SMTP id ada2fe7eead31-44350ef5831so2069290137.2 for <dnssd@ietf.org>; Tue, 11 Jul 2023 05:44:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20221208.gappssmtp.com; s=20221208; t=1689079475; x=1691671475; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=l3RUUEnaV2GWi7tIRklmxJoG6HMuxlozl9T7f5NgVIw=; b=0WXuhB7Lp8MXfl112yQkm4eTxq8TWykoF2N9QE/HY+aFKw9mmsSbYJLt1sSdeDsc+l VLQJ7ZRQnAr3Djw25OLiqKXpXMLOCStKmbI3uAaVyYOKJ3IY26h/mA6IHyAh+G48iI9s LhDHPTXKjzwFYOU2wcf0IV0Tv6hSkBSGIVQ6QNGz5Ec2+9mL05zeBZ0lVaonapYN3XIb YRq9uaPtl6Op8qkPSIIx3SwXuh+Noo+k/zbV6kUVniCaH7zSSa0d2yJz2SAkPpa432+G fBw5Cy6o/n8Pa6hcqSekXkjjR3AbIOIiRlhh6wMHczJeVJRhQ3jyc62tyNGmo3VttFtC AoKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1689079475; x=1691671475; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=l3RUUEnaV2GWi7tIRklmxJoG6HMuxlozl9T7f5NgVIw=; b=ZqHXwJ+4RbO3yQuvILBhAGH1FlBs49JBE1XSpESkbTsILcIQ96QJjAmaDSVsgdkNDe ns8OMlcmFt9lQSRsKrsHQ2OO/kBiSXYXKIFIOXvywMASWYbw58B9Mn/YJjkdPFKUSh8g KZBT4ALMNdLCUTz+KTsYWjUtIrBiHYlJnCmqaaClemkncxldlHRzawXvJHGNNRGDalo2 kRXdRYzPcXps1QLHexbTYRUVAukfrkBilUf60MpwlaMtlkf5E1RP2H8PHM4ydbYElXdE PCl6fgHdX5VWLYDJwrrhXDJ52WMTFSdHWT3Pip5oCF/itA3OpbGpsqLUM1ZGo6Jw/eEk byww==
X-Gm-Message-State: ABy/qLaz0tBALuHSFHE4fZwUO1xx5ON9xmeOiv2bkvYddPsESY7UUpTW f2o6y9htN4mzyJb5AW1B32Mna8MCroZj2wvJlTGNeRXQTdkOqsg9dFoH9Q==
X-Google-Smtp-Source: APBJJlEurDEjBBLZ12OwYbZQcUxyHV7/EkbHTdM34cPWbEUlxkGyFuMEEzs47UW0hTVQTvNAl4CXZlgs38j+CbJzPhY=
X-Received: by 2002:a67:f851:0:b0:443:66c5:a4e3 with SMTP id b17-20020a67f851000000b0044366c5a4e3mr7885498vsp.15.1689079474709; Tue, 11 Jul 2023 05:44:34 -0700 (PDT)
MIME-Version: 1.0
References: <168906853443.11151.16067864177657674976@ietfa.amsl.com>
In-Reply-To: <168906853443.11151.16067864177657674976@ietfa.amsl.com>
From: Ted Lemon <mellon@fugue.com>
Date: Tue, 11 Jul 2023 08:43:59 -0400
Message-ID: <CAPt1N1kqe-TpN4y5s7k4CMiGieDbrkoMpjoiqhkWiNuyi+D1Fw@mail.gmail.com>
To: Anthony Somerset <anthony.somerset@liquid.tech>
Cc: dnsdir@ietf.org, dnssd@ietf.org, draft-ietf-dnssd-srp.all@ietf.org, last-call@ietf.org
Content-Type: multipart/alternative; boundary="000000000000167a0e06003576e2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/VHb6V-GogIW5OeFZsvxrjnw7Q1k>
Subject: Re: [dnssd] Dnsdir telechat review of draft-ietf-dnssd-srp-22
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2023 12:45:20 -0000
For some reason your review didn't show up (and still doesn't) when I search for it. I should just use the datatracker for these searches I guess. I do see some things I'd address in your review if the IESG wants a document update. Since I didn't reply to it earlier, I will do so now. And thank you for doing that review—I know these are significant effort, and I am sorry that I didn't see it earlier! I would suggest being consistent with the naming, Apple should probably be > referred to as MacOS, iOS (and likely the derivatives like iPadOS etc) or > perhaps: > e.g. Android, Windows, Linux, and Apple based Operating Systems That's a good point—I hadn't noticed that. I'm not sure this desperately needs to be fixed, but we can discuss it during the RFC editor phase if the IESG doesn't ask for a fix. Should there be some commentary about preventing a domain/service squatting > type denial of service in the security considerations? or am I just being > overly cynical here? Sounds like this is covered. Section 4 > TTLs sent in SRP Updates are advisory: they indicate the SRP > requestor's guess as to what a good TTL would be. SRP registrars may > override these TTLs. SRP registrars SHOULD ensure that TTLs are > reasonable: neither too long nor too short. The TTL should never be > longer than the lease time (Section 5.1). > > I would suggest a RECOMMENDED TTL or upper and lower bound - otherwise > this is > vague. I like how you handled a similar suggestion around leases in > section 5.1 > which could be applied here, the rest of the section makes a good > explanation > to the various tradeoffs which helps bring context. I would not be averse to updating this text if the IESG thinks it's worth doing. However, I think the last sentence (should never be longer than the lease time) addresses the main concern. Our experience has been that users of SRP choose short leases when they expect the registration to be withdrawn quickly. So if the record expires out of the cache after a maximum of one lease interval after the SRP registration expires, this is probably okay. I actually thought about recommending a TTL of 10% of the lease interval, but that only makes sense if the lease is going to be allowed to expire immediately. Most of the time that's not the situation. Section 6.1 mentions UDP - but earlier says only TCP in 3.1.3, also 10.4 > and 10.5 only reference TCP service entries We expect that anycast will be used for UDP, but it could be worth explaining this (I thought we had, but it wouldn't surprise me if we never actually did). There is no matching reference to UDP in 3.1.2 as the reference in 6.1 is to > constrained networks. Maybe a reference to state that UDP is possible in > constrained networks? It isn't our intention that constrained devices be _required_ to use UDP. It's just available as an option there. In some cases TCP may actually be a better choice. So that's why we don't mention it explicitly. Also does the smallest possible SRP update fit inside a UDP datagram in the > first place, especially given the use of public keys in updates? Yes, absolutely. The signature isn't that big, nor is the key, since we're using ECDSA. Anyway, I'm going to note this reply in the github tracker; if the IESG wants me to do an update to address these points, I will, but since we're past the submission cutoff, and the document is with the IESG for review, I will defer this decision to them. On Tue, Jul 11, 2023 at 5:42 AM Anthony Somerset via Datatracker < noreply@ietf.org> wrote: > Reviewer: Anthony Somerset > Review result: Ready > > Hello > > I have been selected as the DNS Directorate reviewer for this draft. The > DNS Directorate seeks to review all DNS or DNS-related drafts as > they pass through IETF last call and IESG review, and sometimes on special > request. The purpose of the review is to provide assistance to the ADs. > For more information about the DNS Directorate, please see > https://wiki.ietf.org/en/group/dnsdir > > Please note that I previously reviewed version 20 of this draft and at that > time stated that the document was "Ready" > > I am therefore only reviewing the differences between version 20 and > current > version (22) > > There are are clear and direct references to various DNS RFC's and this > draft is not in any conflict with the wider DNS space. > > All in all I think this is a very well written document, although quite > lengthy and makes lots of references to the appropriate RFC's it is well > understandable and didn't take me too long to get to grips with the > context. > > All but one of my previous editorial comments still remain except for my > notes > on security around domain/service squatting, this particular aspect I > believe > has been dealt with excellently with the additional text in 6.1 and I agree > with the authors statements here. As previously noted the other items were > more > editorial comments rather than substantive. > > The additional sections 8.3 through 8.7 add much better clarity to the > specific > considerations around authoritative and recursive servers > > Therefore I continue to consider this document as "Ready" > > Many Thanks to the authors for this work. > > Best Regards > > Anthony Somerset > DNS Directorate > > > >
- [dnssd] Dnsdir telechat review of draft-ietf-dnss… Anthony Somerset via Datatracker
- Re: [dnssd] Dnsdir telechat review of draft-ietf-… Ted Lemon
- Re: [dnssd] Dnsdir telechat review of draft-ietf-… Anthony Somerset