Re: [dnssd] Paul Wouters' Discuss on draft-ietf-dnssd-srp-23: (with DISCUSS and COMMENT)
Ted Lemon <mellon@fugue.com> Mon, 04 March 2024 18:17 UTC
Return-Path: <mellon@fugue.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01228C1654EC for <dnssd@ietfa.amsl.com>; Mon, 4 Mar 2024 10:17:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R_peRwM74gr2 for <dnssd@ietfa.amsl.com>; Mon, 4 Mar 2024 10:17:09 -0800 (PST)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8B47C180B46 for <dnssd@ietf.org>; Mon, 4 Mar 2024 10:16:54 -0800 (PST)
Received: by mail-qk1-x734.google.com with SMTP id af79cd13be357-7882b1e87c4so38587985a.1 for <dnssd@ietf.org>; Mon, 04 Mar 2024 10:16:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20230601.gappssmtp.com; s=20230601; t=1709576213; x=1710181013; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YGebaf4g0M74P8/qlpSpuMiIDrF2068UNYPPhnzwSEU=; b=DEODdnrSvGGpxV+yt4DHA4QVGYqTNJ5Uouw7zhpb82nLLHJivKtz9xPNVBf19R+zl9 PY0KOTvZfj0TiwCsx/bGviIkD4XvOquDnh4VtN0O0hP6a+qMC5IQpmvmKmbhDsnYZ9Q4 wIunedYamAbRB4qMynmcbJtwMw1oyGY75qjuRG/Og7US+l2eCW13lNAfAFcCCpnOKD+8 9baQ1wJc7FemL6QvkR/gdNAfE9ljFkMk91WHiMlyjO3iYL3ooVjiGngPJcu13g7h9gij yn8mGWXc7nlBuzLzLHcooZwQ+IPv59eW4AEBRkgbCA5+6BNiqVen6oKX4Y7DzcWcybfF s8Vg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709576213; x=1710181013; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YGebaf4g0M74P8/qlpSpuMiIDrF2068UNYPPhnzwSEU=; b=qd0TSGNBGn3IK5u0hUJWSxmRsL5YHAKwsgZ09Oc3gr4m5nAp8I95k15P2ygNjz1Rh3 wyyhYinginxtRAoU+7TGcF34byMmImI6oaztWaIpKootNDHRKqaVgA8NObuiVntHiosN NEmV66vVus3VsBJHF9oRGpWKuv/UBFFmGdv1asGUz+VPh0VErt4tSX0+lsnIY7l+LQvh CLk0LxMAobdrfCmYwg9M2t50NxnJ0r2H+YudfWXSyLqkOJirvoCiwXvKzyMCAw9nICmV Hb0flgB7T87R/ipcmHZLnHHnnbOFFeEY0oWqXEuLlS2t3xciJ1gpjTCahp1Z2ptofxIZ 3vSw==
X-Forwarded-Encrypted: i=1; AJvYcCXVFlYVTJtwKXCLicqz4wTiZvx0lkIrWSE16ybRDVL75DCT+w95/rlAFfLssS5bMEkQSJS8oN/Qqonn4Q/S8A==
X-Gm-Message-State: AOJu0Yx0mf/vjGrP2B22OEbR4LfQsZmt3g0vQt0RU5+ktJrXW3VOYpBa 2glZlRTt6WxZaKWidH9AJC57vaCjZdLgAFhckdSFsEw6eRIYHGtFmmaK7eJUY0OdTb/FKer0Vo3 EuK8bhti3rFwhuUlgCtd+hLq8tBMRCHPO8hXU/A==
X-Google-Smtp-Source: AGHT+IFYXTWisRlFZ44Q/zal5XAPetVo3/4bcGnreYF0Di2wHtLG6UZw1PEIwt4V9O71M7kgVIfczPdJa/rBs5o1r2g=
X-Received: by 2002:a0c:9792:0:b0:68f:69bb:4b97 with SMTP id l18-20020a0c9792000000b0068f69bb4b97mr10587487qvd.24.1709576213604; Mon, 04 Mar 2024 10:16:53 -0800 (PST)
MIME-Version: 1.0
References: <169161776539.42424.17593491652625092336@ietfa.amsl.com> <CAPt1N1kLZMGvp89mUnHzpMH_i0P3hFdzJyM4OZ694+-vx=D_dA@mail.gmail.com> <CAGL5yWaZ7kSq2Zcx4wRPrurZGmL6S7JrvBwHnRYgU95t9x=sKg@mail.gmail.com> <CAPt1N1mn0mAMgHSM-BPbw0SfcDTGWgJWgyntX53cKA5X0oZw2g@mail.gmail.com> <CAPt1N1kukunsZaQkz=fJkomjSztO32aan_Eeqh0L8e7EYCAXhg@mail.gmail.com> <CAGL5yWZCAD2U_aDA0QL0SM3O+-jCvVgcTfcH0X=1TCyL41fHcg@mail.gmail.com>
In-Reply-To: <CAGL5yWZCAD2U_aDA0QL0SM3O+-jCvVgcTfcH0X=1TCyL41fHcg@mail.gmail.com>
From: Ted Lemon <mellon@fugue.com>
Date: Mon, 04 Mar 2024 13:16:17 -0500
Message-ID: <CAPt1N1=SG++mFXevGz_vxrCE1MNY7r2k5KjCk2oHtL5Mn4LruA@mail.gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dnssd-srp@ietf.org, dnssd-chairs@ietf.org, dnssd@ietf.org, dschinazi.ietf@gmail.com
Content-Type: multipart/alternative; boundary="000000000000edc1460612d9ba81"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/Zxd5-xe_4j3tGdA5_k62-QV1Zkw>
Subject: Re: [dnssd] Paul Wouters' Discuss on draft-ietf-dnssd-srp-23: (with DISCUSS and COMMENT)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2024 18:17:15 -0000
You're right, with server policy 2 cookies would protect against spoofing. I guess one way to think about this is that we could face a DoS attack where we're being forced to validate a lot of bogus signatures and the TCP connection wouldn't protect against that if it's a DDoS attack from real reachable hosts? Is that why you're interested in this? It's the only reason I can think of to consider doing it—otherwise it's needless complexity. On Mon, Mar 4, 2024 at 12:47 PM Paul Wouters <paul.wouters@aiven.io> wrote: > > On Mon, Mar 4, 2024 at 11:30 AM Ted Lemon <mellon@fugue.com> wrote: > >> Paul, first of all in no way should you take this message as a request >> for immediate attention—I know an AD's life in the run-up to IETF is very >> busy. So it's perfectly fine if you don't deal with this until after IETF. >> >> I was hoping that you'd have time to respond to my previous note so that >> we could negotiate on changes, but since you didn't have time, I'm making >> my best attempt at addressing the remaining open issues prior to today's >> draft submission cutoff in hopes that you'll be satisfied with the changes. >> > > I hadn't had time to formulate my response but I had some disagreements or > else I would have signaled ok :) > > >> >> Regarding SRV target compression, I've made the following update: >> >> Although <xref target="RFC2782"/> requires that the target >> name in the SRV record not be compressed, an SRP requestor >> - SHOULD compress the target in the SRV record. The >> motivation for <em>not</em> compressing in <xref target="RFC2782"/> >> + MAY compress the target in the SRV record. The motivation >> for <em>not</em> compressing in <xref target="RFC2782"/> >> > > + <t> >> >> + Note that this does not update <xref target="RFC2782"/>: >> DNS servers still MUST NOT compress SRV record targets. The >> + requirement to accept compressed SRV records in updates >> only applies to SRP registrars, and SRP registrars that are >> + also DNS servers still MUST NOT compress SRV record targets >> in DNS responses. We note also that >> + <xref target="RFC6762"/> recomments that SRV records be >> compressed in mDNS messages, so <xref target="RFC2782"/> does >> + not apply to mDNS messages.</t> >> + <t> >> + In addition, we note that an implementor of an SRP >> requestor might update existing code that creates SRV records >> + or compresses DNS messages so that it compresses the target >> of an SRV record. Care must be taken if such code is >> + used both in requestors and in DNS servers that the code >> only compresses in the case where a requestor is generating >> + an SRP update.</t> >> >> > this looks great. Thanks. > > >> I don't think we need to say "SHOULD" for compression since it's not an >> interop issue; the only interop issue is that if we let the SRP requestor >> compress, then we have to require that SRP registrars correctly handle >> compressed SRV targets. I hope the extra two paragraphs address the concern >> that this might pollute other DNS implementations. >> >> Regarding DNSSEC validation, I wasn't satisfied with the previous edit I >> made to the text about recursive resolvers, so I made the following change: >> >> - <li>Recursive resolvers at sites using 'service.arpa.' MUST >> transparently support DNSSEC queries: queries for DNSSEC >> - records and queries with the DNSSEC OK (DO) bit set (<xref >> target="RFC4035" section="3.2.1" sectionFormat="of"/>). >> - While validation is not required, it is strongly encouraged: >> a caching recursive resolver that does not validate answers >> - that can be validated may cache invalid data. This, in >> turn, will prevent validating stub resolvers from successfully >> - validating answers. We can't place normative requirements on >> DNS recursive resolvers, but we remind implementors that >> - DNSSEC validation is a Best Current Practice <xref >> target="RFC9364"/>.</li> >> + <li>For correctness, recursive resolvers at sites using >> 'service.arpa.' must in practice transparently support DNSSEC >> + queries: queries for DNSSEC records and queries with the >> DNSSEC OK (DO) bit set (<xref target="RFC4035" section="3.2.1" >> + sectionFormat="of"/>). DNSSEC validation is a Best Current >> Practice <xref target="RFC9364"/>: although validation is >> + not required, a caching recursive resolver that does not >> validate answers that can be validated may cache invalid data. >> + This, in turn, would prevent validating stub resolvers from >> successfully validating answers. Hence, as a practical >> + matter, recursive resolvers at sites using 'service.arpa' >> should do DNSSEC validation.</li> >> >> This is a change to the previous proposed change, but I think it stands >> by itself. The goal here is to make it clear that we really want recursive >> resolvers to validate, and that there's a BCP that says they should, and >> also motivate why regardless of SHOULDs and MUSTs, sites that use >> service.arpa really have to do DNSSEC correctly. >> > > This also looks great. > > >> >> I haven't done an update to address the question about DNS cookies >> because it still doesn't make sense to me. I don't think there's a problem >> to solve here—there's no downside to using TCP transport for SRP updates as >> far as I can tell, and cookies doesn't actually solve the problem of source >> address validation. >> > > I'm not sure why you don't see that TCP and DNS COOKIES offer the same > guarantees on source address validation? > > You can push out these changes, and perhaps at IETF we can chat about > COOKIES? > > Paul > > > > >> >> On Tue, Feb 27, 2024 at 5:03 PM Ted Lemon <mellon@fugue.com> wrote: >> >>> Thanks for getting back to me, Paul. I know the response was a long time >>> coming and it's always extra work to get back up to speed after a big time >>> gap. >>> >>> I'm going to respond to the points on which there remains disagreement >>> and leave the rest out. >>> >>> On Fri, Feb 23, 2024 at 4:15 PM Paul Wouters <paul.wouters@aiven.io> >>> wrote: >>> >>>> >>>> On Wed, Aug 9, 2023 at 7:59 PM Ted Lemon <mellon@fugue.com> wrote: >>>> >>>>> On Wed, Aug 9, 2023 at 5:49 PM Paul Wouters via Datatracker < >>>>> noreply@ietf.org> wrote: >>>>> >>>>>> 2) finding the domain name to use >>>>>> >>>>> >>>>>> In Section 3.2.2 on where to publish, hosts need to somehow know their >>>>>> domain name. Especially for roaming devices, this seems unlikely and >>>>>> the only choice to participate would be to assume the name given by >>>>>> DHCP for the 'search domain'. I feel that by not stating this >>>>>> explicitly, >>>>>> that is what is going to happen anyway. So why not state it? Or if >>>>>> this >>>>>> is really unwanted, add such a statement to Section 3.2.2. >>>>>> >>>>> >>>>> RFC 6763 actually includes information on how to figure this out, in >>>>> section 11. This is discussed in detail in sections 3.1.1 and 3.1.2. Maybe >>>>> it would be worth adding a pointer to that here? >>>>> >>>> >>>> Thanks. That does explain it. I'll leave it up to you to add a pointer >>>> or not. >>>> >>> >>> I've added: >>> >>> As described above, full-featured devices are responsible for knowing >>> the domain in which to register their services. >>> Such devices MAY optionally support configuration of a registration >>> domain by the operator of the device. However, >>> such devices MUST support registration domain discovery as described >>> in <xref target="RFC6763" section="11" sectionFormat="of"/>, >>> "Discovery of Browsing and Registration Domains". >>> >>> >>>> 5) Basically Updates: 2782 without saying so >>>>>> >>>>>> Section 3.2.5.4 Compression in SRV records basically updates RFC >>>>>> 2782 without >>>>>> stating so via an Updates: clause. As we are talking about DNS >>>>>> library code reuse, >>>>>> I think this would be unwise to update. I would drop the option of >>>>>> allowing the >>>>>> compressing of SRV target names. >>>>>> >>>>> >>>>> I don't agree that this updates RFC 2782. Only SRP registrars are >>>>> required to support this. We are not saying that DNS authoritative servers >>>>> need to support this (or indeed that they should do it) nor are we saying >>>>> that DNS caching resolvers need to support this when parsing answers to >>>>> queries sent to authoritative servers or that they should do it when >>>>> sending responses to clients. The only case where this is required is when >>>>> parsing SRP updates. Would it help to say that more explicitly? I thought >>>>> we were clear on this, but I don't mind being even clearer if you think >>>>> it's necessary. >>>>> >>>> >>>> My focus here is on DNS library code being re-used and affected. Is >>>> packet size really such a big issue on a LAN that you say SHOULD for >>>> compression? If this was a MAY I would be happier, >>>> as using a stock dns library would not cause breaking a SHOULD clause. >>>> >>> >>> The problem is that it's no use if the server isn't required to support >>> it. I see your point about libraries—we don't want to accidentally cause >>> some DNS server to start sending SRV responses to regular DNS queries where >>> the target is compressed. However, this feels like it's kind of our of our >>> control. I can add some text here reminding implementors to avoid this >>> mistake if you think it would help. I agree that this is problematic, but >>> if you think about an 802.15.4 network with a frame size of 127 bytes, the >>> extra bytes we're saving here really do matter at least in principal. >>> >>> 6) DNSSEC on resolvers >>>>>> >>>>>> Section 8.4 point 1 is true for all recursive resolvers and I think >>>>>> it is harmful >>>>>> to call it out here as if it is still acceptable to run resolvers >>>>>> without DNSSEC >>>>>> enabled. I would remove the entire point 1. >>>>>> >>>>> >>>>> Hm. The thing is, the resolvers we're talking about here are home >>>>> router resolvers, and I don't know of any home routers other than those >>>>> sold by cz.nic that actually support this. >>>>> >>>> >>>> dnsmasq supports DNSSEC and I believe that is the most common dns >>>> resolver on routers ? >>>> >>>> >>>>> So from my POV we are making things better with this text. If we >>>>> /require/ this, I think our requirement will be ignored, but maybe not. I >>>>> think we would have to ask the working group whether there is consensus to >>>>> require it. I don't want to delete it because I think we're missing an >>>>> opportunity if we don't at least encourage this. >>>>> >>>> >>>> You can change the text to instead reference RFC9364 which states >>>> DNSSEC is BCP. >>>> >>> >>> I've updated the text as follows: >>> >>> <li>Recursive resolvers at sites using 'service.arpa.' MUST >>> transparently support DNSSEC queries: queries for DNSSEC >>> records and queries with the DNSSEC OK (DO) bit set (<xref >>> target="RFC4035" section="3.2.1" sectionFormat="of"/>). >>> While validation is not required, it is strongly encouraged: >>> a caching recursive resolver that does not validate answers >>> that can be validated may cache invalid data. This, in >>> turn, will prevent validating stub resolvers from successfully >>> validating answers. We can't place normative requirements on >>> DNS recursive resolvers, but we remind implementors that >>> DNSSEC validation is a Best Current Practice <xref >>> target="RFC9364"/>.</li> >>> >>> I'm not convinced that this satisfies your request, but it doesn't >>> really make sense to put normative language in here—we're simply >>> documenting the implications of this special-use domain, but it's up to >>> operators to decide whether or not they care. So I don't know what else we >>> should say here. I'm reluctant not to document the issue. I mean, granted, >>> I used MUST in the first sentence, but I'm feeling a bit weird about that >>> now that we're discussing it here. >>> >>> >>>> To prevent such spoofing, TCP is required for such networks. >>>>> >>>>> It should say "source validated connections, such as TCP or UDP with >>>>> COOKIES" >>>>> (same later on in section 6.1) and normatively reference RFC 7873. >>>>> Constrained >>>>> devices could also use UDP with COOKIES. >>>>> >>>> >>>> We didn't consider cookies. I don't think it's particularly useful >>>> since it doesn't validate the first registration. That's why we recommend >>>> explicit source validation for the UDP case. >>>> >>> >>> I don't understand this answer. If you want spoofing protection, TCP is >>>> only one option. My rephrasing makes it more general, and implementers can >>>> decided which option to pick. >>>> You can still keep using TCP. Others could do DNS COOKIES. Currently, >>>> you text "requires" to use TCP, which I believe is wrong. >>> >>> >>> I don't see how DNS cookies help. This is a simple request/response, and >>> cookies only help on the second request. Am I misunderstanding? The reason >>> TCP works is that there's a three-way handshake before we even send the DNS >>> Update. >>> >>> >>> >>>> >>>> >>>>> In other network environments, updates for names ending in >>>>> "default.service.arpa" may be rewritten by the registrar to >>>>> names with broader visibility. >>>>> >>>>> Can we avoid the use of "registrar" to avoid confusion with Registrar, >>>>> which in DNS speak usually refers to a domain registrar? How about >>>>> using >>>>> "network authority" ? Or consistently use "SRP registrar". (see also >>>>> the >>>>> use of "registrar" in section 3.3.6, 5.1, 6.1, 7) >>>>> >>>> >>>> Oh, good point. I think "SRP registrar" makes more sense than "network >>>> authority," plus I'd like to avoid confusing "authority" and "registrar" >>>> for the same reason you want to avoid confusing SRP registrars and domain >>>> registrars. :) >>>> >>> >>> This wasn't done in the latest version yet. >>> >>> >>> There are a lot of cases in the document where we say SRP registrar once >>> in a paragraph, and then just registrar thereafter. I can fix these, but >>> then we wind up with text like this: >>> >>> This means that if an attacker from outside of the administrative >>> domain of the SRP registrar knows the SRP registrar's IP address, it >>> can in principle send updates to the SRP registrar >>> that will be processed successfully. SRP registrars SHOULD therefore >>> be configured to reject updates >>> from source addresses outside of the administrative domain of the SRP >>> registrar.</t> >>> >>> This seems unnecessary. Are you concerned about these cases? I do see a >>> few cases where we just use registrar and not SRP registrar throughout a >>> paragraph, so I could fix those without fixing all the others. I don't mind >>> either way, but the exhaustive approach feels like it makes the document >>> harder to read, not easier. >>> >>> >>>> >>>> >>>>> In this case, the requestor MUST either abandon the service >>>>> registration attempt, or else choose a new name. >>>>> >>>>> The word "attempt" should be removed here. It is the registration that >>>>> is >>>>> aborted entirely, not just this attempt (or else try a new >>>>> registration with >>>>> a different name) >>>>> >>>> >>>> Hm, okay. How about "In this case, the requestor MUST choose a new name >>>> or give up"? >>>> >>> >>> I've made this change. >>> >>> >>>> >>>>> If the key lease time >>>>> >>>>> Should be: if the KEY lease time >>>>> >>>> >>>> Hm, we actually only use "KEY lease" once. Everywhere else we say "Key >>>> lease." I don't see a strong reason to use all caps, but we could if you >>>> think it's important. We should definitely be consistent. >>>> >>> >>> Same here. >>> >>> >>> I went with "KEY lease". Even the capitalization of "lease" was >>> inconsistent. :) >>> >>> >>>> Sorry I took a bit long to respond. Hopefully we can have a few quick >>>> back and forths and move the document onwards. >>> >>> >>> I think the delay is my fault, so no worries. Thanks for getting back to >>> us on this! >>> >>>
- [dnssd] Paul Wouters' Discuss on draft-ietf-dnssd… Paul Wouters via Datatracker
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Paul Wouters
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Paul Wouters
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Paul Wouters
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon