[dnssd] Paul Wouters' Discuss on draft-ietf-dnssd-srp-23: (with DISCUSS and COMMENT)
Paul Wouters via Datatracker <noreply@ietf.org> Wed, 09 August 2023 21:49 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dnssd@ietf.org
Delivered-To: dnssd@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 63D3DC14F74E; Wed, 9 Aug 2023 14:49:25 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Paul Wouters via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-dnssd-srp@ietf.org, dnssd-chairs@ietf.org, dnssd@ietf.org, dschinazi.ietf@gmail.com, dschinazi.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 11.6.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Paul Wouters <paul.wouters@aiven.io>
Message-ID: <169161776539.42424.17593491652625092336@ietfa.amsl.com>
Date: Wed, 09 Aug 2023 14:49:25 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/duiWYSs-_hojETOH_fHq5e0zeIM>
Subject: [dnssd] Paul Wouters' Discuss on draft-ietf-dnssd-srp-23: (with DISCUSS and COMMENT)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Aug 2023 21:49:25 -0000
Paul Wouters has entered the following ballot position for draft-ietf-dnssd-srp-23: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dnssd-srp/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- 1) Other service record types If we allow SRV records, then we should probably also support this for the newer types of service records, eg SVCB and HTTPS, as long as the same constraints are there (eg only pointing to itself) 2) finding the domain name to use In Section 3.2.2 on where to publish, hosts need to somehow know their domain name. Especially for roaming devices, this seems unlikely and the only choice to participate would be to assume the name given by DHCP for the 'search domain'. I feel that by not stating this explicitly, that is what is going to happen anyway. So why not state it? Or if this is really unwanted, add such a statement to Section 3.2.2. 3) KEY rollovers? How does a SRP requestor do a KEY rollover without running a race condition that might lose its ownership of its name? Can it send a KEY update containing the future KEY signed with the current KEY? Should it be double signed to prove ownership of the future private key? 4) SUDN Section 10.1 attempts to register a Special-Use domain without a template as per RFC 6761 Section 5. Domain Name Reservation Considerations. (I'm aware of the irony of this wrt one of the authors of this document :-) ] 5) Basically Updates: 2782 without saying so Section 3.2.5.4 Compression in SRV records basically updates RFC 2782 without stating so via an Updates: clause. As we are talking about DNS library code reuse, I think this would be unwise to update. I would drop the option of allowing the compressing of SRV target names. 6) DNSSEC on resolvers Section 8.4 point 1 is true for all recursive resolvers and I think it is harmful to call it out here as if it is still acceptable to run resolvers without DNSSEC enabled. I would remove the entire point 1. 7) Too generic a name for in .arpa the special-use domain name (see [RFC6761]) "default.service.arpa" Why aren't underscores used here to ensure the space is not considered a possible valid hostname? eg default._service.arpa or _default._service.arpa I would also think "service" is far too generic. Possibly "_dns-sd" would be better. "service.arpa" seems way to generic to be a reference for dns-sd only. 8) Possible replay security implications A DNS Update for "default.service.arpa" seen in one network could be replayed as a DNS Update in another network (even if one does not have the private key). I'm a bit concerned this could have security implications, eg of impersonating a device. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Why are there two different ways of removing content? One using a DNS Update DELETE command, and one using a DNS Update refresh with lease time of 0 ? Also, the notion of delete being a lease of 0 update should be specified in draft-ietf-dnssd-update-lease and maybe not in this document, especially as that draft currently states "SHOULD NOT" for lease values < 3600 Section 3.3.2: A DNS Update that contains any additional adds or deletes that cannot be identified as Service Discovery, Service Description or Host Description Instructions is not an SRP Update. I think this means to say "So nothing from the entire DNS Update should be processed in the context of dns-sd srp" ? I think that point should be made more explicit. An SRP registrar MAY either process such messages as regular RFC2136 updates, including access control checks and constraint checks, if supported, or MAY reject them with Refused RCODE. I think processing as regular 2136 would fail, based on the fact that there would be no proper TSIG authentication in place. Unless it was not a dnsdsd-srp message at all, which again would be obvious for using TSIG and not SIG(0). But also, I don't know how to parse the construct of "MAY x or MAY y". Does the "or" imply I MUST do one of the MAYs? Or can both MAYs be skipped? If the server fails to renew its service registration before the KEY lease (Section 4 of [I-D.ietf-dnssd-update-lease]) expires, its name is no longer protected. What does "no longer protected" mean? Does it mean the name remains active but anyone can claim it? Or does it mean the name is removed. From a security point of view, I think if KEY_LEASE < LEASE, LEASE should be reduced to KEY_LEASE. ection 3.2.5.1 states: When the device changes ownership, it may be appropriate to erase the old key pair and install a new one. I think it should remove the advise for "install a new one". The new owner couldn't trust the old owner knows the key, and would have to re-refactory-default the unit to get rid of the 'new' old key. The policy described here for managing keys assumes that the keys are only used for SRP. If a key that is used for SRP is also used for other purposes, the policy described here is likely to be insufficient. I think this should be much stronger, eg a "MUST NOT be used for anything else except SRP". Since the public key appears as KEY in DNS, it seems much too dangerous to allow this key to be used for anything else. To prevent such spoofing, TCP is required for such networks. It should say "source validated connections, such as TCP or UDP with COOKIES" (same later on in section 6.1) and normatively reference RFC 7873. Constrained devices could also use UDP with COOKIES. Section 6.3 could also advise adding "www", "mail" etc to the zone so that no SRP requesters can request it. Section 6.6 states: SRP registrars SHOULD implement the algorithms specified in [RFC8624], Section 3.1, in the validation column of the table, that are numbered 13 or higher and have a "MUST", "RECOMMENDED", or "MAY" designation in the validation column of the table. There is a 8624bis that puts this properly into a registry, so hopefully this document could state something about RFC8624 and its successors instead of manually hacking column recommendations into the draft? In other network environments, updates for names ending in "default.service.arpa" may be rewritten by the registrar to names with broader visibility. Can we avoid the use of "registrar" to avoid confusion with Registrar, which in DNS speak usually refers to a domain registrar? How about using "network authority" ? Or consistently use "SRP registrar". (see also the use of "registrar" in section 3.3.6, 5.1, 6.1, 7) In this case, the requestor MUST either abandon the service registration attempt, or else choose a new name. The word "attempt" should be removed here. It is the registration that is aborted entirely, not just this attempt (or else try a new registration with a different name) If the key lease time Should be: if the KEY lease time
- [dnssd] Paul Wouters' Discuss on draft-ietf-dnssd… Paul Wouters via Datatracker
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Paul Wouters
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Paul Wouters
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Paul Wouters
- Re: [dnssd] Paul Wouters' Discuss on draft-ietf-d… Ted Lemon