IETF Logo Mail Archive

Re: [dnssd] Strategy of advertising proxy for hostname conflicts during key lease period? (draft-ietf-dnssd-advertising-proxy-00)

Ted Lemon <mellon@fugue.com> Thu, 16 June 2022 17:25 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3262C157B37 for <dnssd@ietfa.amsl.com>; Thu, 16 Jun 2022 10:25:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 325BYD6ZByLh for <dnssd@ietfa.amsl.com>; Thu, 16 Jun 2022 10:25:27 -0700 (PDT)
Received: from mail-oa1-x2f.google.com (mail-oa1-x2f.google.com [IPv6:2001:4860:4864:20::2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 337DFC14F74F for <dnssd@ietf.org>; Thu, 16 Jun 2022 10:25:26 -0700 (PDT)
Received: by mail-oa1-x2f.google.com with SMTP id 586e51a60fabf-fe51318ccfso2724777fac.0 for <dnssd@ietf.org>; Thu, 16 Jun 2022 10:25:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=blf18z9pDjdeYOxOKuw7DZWzVuATj8utrL1ps4vmvQs=; b=H0Rq3HG1n/yGoEgy+uZtyeZZFKbcymOn3qv2j32M0NYaVZZgB5QY1bYIAWclBRIyUX XCtPqkAoFGNN38ROhoOpi61yrs37WRkP5LOf6NPVnjcwnX5ABK9IH1Q65Y7+wbTCsnIc +WDtNi39w95Adsc6kolDGMXKuWaTWALXvxVXtgEV76Cy1HDCnkZBTjmAsVWgIyDFOnsG BNeWEJc7pX0vMpLVPBQRwgU1t6uPXMOehyuSY4j6/ucMA7V2HSYRvw++5ZzhsLMVG2xB Xo/BD5d6CyW9Vy/xLbbnboeNKyUVbkxP8cBWuoToBKQaDYM5P7uw16lkNRmjhFt2XzO/ s7qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=blf18z9pDjdeYOxOKuw7DZWzVuATj8utrL1ps4vmvQs=; b=XZRAI/qFQ7gAEFWYJnDBQVoVyN1PxPWWK/6IGziumXnrSry7xPYzD0QpElKLJ9crL/ oi+PiP1Y4iThJOlxU2WHFyO5inLuCiA3lwpGahYKMaUivtRnP60SSDZPKEHASOFwLrF9 m/KNbFNUhLKeJctsHwRwJmh/tHDdFd/LHEHm9UYf16FKQx1YtYRkD4c0V4TH18hNQgpv UgXowyXnzoh/CxGlgqc+GZexJJW8WFoknIap2DzaonRwqa/M8BQuT4QZHZPNSQfkVGiM IHtZJZBV9MJp89Waw2MXfYcsmT7RpAXCJCxv74dHVRHNm8DeYypwS15rICz55PITIcgq tSgQ==
X-Gm-Message-State: AJIora9xN2mKGtwrwtmrBp5VOLyNNVsnz5HLwY8QblgJFnjN+gjzKE/u 89plb3wjIlkrI1Gid5uG28pkrEmTxhOu10qg9BiEb6im9YE=
X-Google-Smtp-Source: AGRyM1vE1X8fSxY31u54ONTL4ngFtV6KAklIatXb8Ug+Z3A8gJd42xns3QO2R14AuLYl7UtB/I8n+jgqkhLraCzm6p4=
X-Received: by 2002:a05:6870:b40a:b0:101:a393:4cb9 with SMTP id x10-20020a056870b40a00b00101a3934cb9mr283313oap.12.1655400325196; Thu, 16 Jun 2022 10:25:25 -0700 (PDT)
MIME-Version: 1.0
References: <DU0P190MB1978D4C3F784B67C8AF39A7DFDA49@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <CAPt1N1nFYVMYiEuhSM4Kuickvb2VBgyanEV=VgGtX996oZW5EA@mail.gmail.com> <DU0P190MB197866CA95A9ABBB013ED9D9FDA79@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <DU0P190MB1978B2BF4465D735DF2FC24BFDAC9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <DU0P190MB1978B2BF4465D735DF2FC24BFDAC9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 16 Jun 2022 13:24:49 -0400
Message-ID: <CAPt1N1n-cmg4bydwM56Z9EZF_si19Ve1YNbBg=4H2YksWDd++A@mail.gmail.com>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: "dnssd@ietf.org" <dnssd@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000058408705e193ecd2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/YI4rpLU67Rh98Asu6bej2Z0-0p4>
Subject: Re: [dnssd] Strategy of advertising proxy for hostname conflicts during key lease period? (draft-ietf-dnssd-advertising-proxy-00)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jun 2022 17:25:30 -0000

Sorry for not responding quickly to this. You're asking about fairly deep
technical details of the mDNS protocol, and I am not actually an expert, so
I can't say that your understanding is correct or not.

I will try to get Stuart to weigh in on this.

On Thu, Jun 16, 2022 at 9:03 AM Esko Dijk <esko.dijk@iotconsultancy.nl>
wrote:

> FYI - I’m now assuming the following behavior of an advertising proxy, for
> an incoming mDNS query. This is for the case  there’s only a single
> registered (SRP) service that is expired; and host lease is also expired at
> the same time. And the host’s key-lease is still active:
>
>
>
>    - QTYPE = PTR , QNAME=<service instance name or service type name> :
>    No response
>    - QTYPE = SRV, QNAME=<service instance name or service type name> : No
>    response
>    - QTYPE = ANY, QNAME=<service instance name or service type name> : No
>    response
>    - QTYPE = AAAA, QNAME=<host name> : Response with success (NoError)
>    status and 0 answer records
>    - QTYPE = ANY, QNAME=<host name> : Respond with KEY record for <host
>    name>.local
>    - QTYPE = KEY, QNAME=<host name> : Respond with KEY record for <host
>    name>.local
>
>
>
>
>
> Same case but when using the authoritative DNS server on the same host,
> for an incoming unicast DNS query:
>
>
>
>    - QTYPE = PTR , QNAME=<service instance name or service type name> :
>    Respond NXDOMAIN
>    - QTYPE = SRV, QNAME=<service instance name or service type name> :
>    Respond NXDOMAIN
>    - QTYPE = ANY, QNAME=<service instance name or service type name> :
>    Respond NXDOMAIN
>    - QTYPE = AAAA, QNAME=<host name> : Response with success (NoError)
>    status and 0 answer records
>    - QTYPE = ANY, QNAME=<host name> : Respond with KEY record for <host
>    name>.default.service.arpa
>    - QTYPE = KEY, QNAME=<host name> : Respond with KEY record for <host
>    name>.default.service.arpa
>
>
>
> Esko
>
>
>
> *From:* dnssd <dnssd-bounces@ietf.org> *On Behalf Of * Esko Dijk
> *Sent:* Thursday, June 9, 2022 12:14
> *To:* Ted Lemon <mellon@fugue.com>
> *Cc:* dnssd@ietf.org
> *Subject:* Re: [dnssd] Strategy of advertising proxy for hostname
> conflicts during key lease period? (draft-ietf-dnssd-advertising-proxy-00)
>
>
>
> That sounds like a good approach. So a potential competitor would first
> send a probe-query for the hostname with rrtype “ANY”; and then the
> advertising proxy would respond with its answer including the hostname and
> an rrtype “KEY’ record  - is that correct?
>
>
>
> Does this also mean the SRP server will answer DNS unicast queries for
> this hostname and e.g. rrtype ANY, with the KEY record? While the key lease
> is still valid.
>
>
>
> Esko
>
>
>
> *From:* Ted Lemon <mellon@fugue.com>
> *Sent:* Wednesday, June 8, 2022 20:45
> *To:* Esko Dijk <esko.dijk@iotconsultancy.nl>
> *Cc:* dnssd@ietf.org
> *Subject:* Re: [dnssd] Strategy of advertising proxy for hostname
> conflicts during key lease period? (draft-ietf-dnssd-advertising-proxy-00)
>
>
>
> You are correct. Fortunately, we always have a KEY record that we can
> publish on the owner name. This is what the advertising proxy should do to
> defend the name. If some non-SRP service tries to register the name, it
> will get a hostname conflict.
>
>
>
> On Wed, Jun 8, 2022 at 9:36 AM Esko Dijk <esko.dijk@iotconsultancy.nl>
> wrote:
>
> Hi all,
>
>
>
> Something that could be added to draft-ietf-dnssd-advertising-proxy-00 is
> the handling of hostname conflicts; and how an advertising proxy would
> “defend” an SRP registration on the mDNS link side. (There was a previous
> thread on this too.)
>
>
>
> In particular, what if a host registration has already expired but the
> key-lease is still active? In SRP, then no-one else can claim this
> hostname. But in mDNS, we don’t seem to have such mechanism i.e. the
> advertising proxy doesn’t “defend” the hostname registration on the mDNS
> link. Or does it?
>
> So it could happen that this hostname is claimed on the mDNS side by an
> mDNS native device, even though a particular SRP client still has the
> key-lease on this name.
>
>
>
> The original name owner (SRP client) could later come back online and it
> may need to claim the name again – conflicting with the mDNS link.
>
>
>
> Best regards
>
> Esko
>
>
>
> *IoTconsultancy.nl*  |  Email/Teams: esko.dijk@iotconsultancy.nl    |
> +31 6 2385 8339
>
>
>
> _______________________________________________
> dnssd mailing list
> dnssd@ietf.org
> https://www.ietf.org/mailman/listinfo/dnssd
>
>

v2.23.0 | Report a Bug | By Email