[dnssd] multi-qtypes - possible updates
Ray Bellis <ray@bellis.me.uk> Tue, 05 December 2023 10:46 UTC
Return-Path: <ray@bellis.me.uk>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4EEFBC151080 for <dnssd@ietfa.amsl.com>; Tue, 5 Dec 2023 02:46:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=portfast.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n9tFf8H3mt5X for <dnssd@ietfa.amsl.com>; Tue, 5 Dec 2023 02:46:30 -0800 (PST)
Received: from mail.portfast.net (mail.portfast.net [IPv6:2a03:9800:20:1::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 338F5C15107C for <dnssd@ietf.org>; Tue, 5 Dec 2023 02:46:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=portfast.net; s=dkim; h=Content-Transfer-Encoding:Content-Type:To:Subject: From:MIME-Version:Date:Message-ID:Sender:Reply-To:Cc:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=SnuZ554oh2A9nsgCDN5EG6INFlxnNJP1XoZFh9jduiE=; b=fI9ajyPrxKXb7QReEAfN6PnA+l ayeWPHWP3AfycIYmhvZt30Q3M0SHOfDt/kSm1o507233AIprCghhTJNyCINAhXGBG5kL3DG/8x1nP traX7GHAic5O5EgJf2lNxVubiV2SIifncrwEFfJiGaB0znVUh9efxoYDPjmhsWuXxc+s=;
Received: from 213-18-158-12.customer.gigaclear.net ([213.18.158.12]:63393 helo=[10.1.2.72]) by mail.portfast.net ([188.246.200.9]:465) with esmtpsa (fixed_plain:ray@bellis.me.uk) (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_128_GCM:128) id 1rASwb-00DvwX-2t (Exim 4.96) for dnssd@ietf.org (return-path <ray@bellis.me.uk>); Tue, 05 Dec 2023 10:46:25 +0000
Message-ID: <ef423fc0-f79f-41aa-9313-62324ff8a150@bellis.me.uk>
Date: Tue, 05 Dec 2023 10:46:25 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-GB
From: Ray Bellis <ray@bellis.me.uk>
To: dnssd <dnssd@ietf.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/gF32mDO86WRS6xIshgG2ngaSeXY>
Subject: [dnssd] multi-qtypes - possible updates
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Dec 2023 10:46:34 -0000
Hey folks, Here's a summary of various suggestions made in the last couple of months, some of which were either off-list or in the DNSOP WG. Most of these warrant additional discussion here before any significant changes get made to the text. ## Use of NSEC bitmaps instead of a list Paul Wouters argued strongly for this on DNSOP, but got little support. This also came up in historic discussions of the draft and was argued against on the basis that NSEC bitmaps are inefficient for sparse sets of RRTYPEs. Quoting Vixie - "noone should be using that bitmap as an example of how to do other things". Proposal: no further action ## Meta RRs (Offlist from Stuart): > Can we add some explicit text about how to handle “special” RRtypes > if they appear in a multi-qtypes EDNS option, such as: > > OPT (RR type 41) > TSIG (RR type 250) > ANY (RR type 255) > > E.g., a sender MUST NOT include these special RRtypes; if they are > received then the receiver MUST silently ignore them? Not include > them in the returned multi-qtypes EDNS option? Return FORMERR? > (Don’t particularly care which, but we should say.) The draft already had a requirement to exclude these types. I've added text in my working copy that says to return FORMERR. ## QTD and QTCOUNT fields (also offlist from Stuart) > Having the redundant QTCOUNT field worries me. If QTCOUNT field is > larger than OPTION-LENGTH requires, then we risk buffer overrun bugs. > If QTCOUNT field is smaller than OPTION-LENGTH requires, then there > is hidden data lurking at the end of the option, and such hidden data > can have security problems if different components (e.g., a firewall > and the end system) treat it differently. My personal view is that these classes of bugs are already well known to authors of DNS parsers which routinely have to deal with under-filled or over-filled buffers. If the existing encoding is retained then text requiring a FORMERR in these circumstances would be a good idea. Proposal: more discussion required > Instead of the QTD flag, I would use two OPTION-CODEs. They are not > in short supply. One OPTION-CODE for the outgoing request, a > different one for the returning response. I've used the paired OPTION-CODE method myself in another draft, but this is slightly wrapped up with the QTCOUNT discussion above, since the QTD and QTCOUNT fields share the same octet. Proposal: more discussion required ## QTCOUNT limits If QTCOUNT is removed should the I-D specify an arbitrary limit on the number of QTYPEs beyond which FORMERR is returned? Part of the rationale for QTCOUNT is to mitigate the risk of this specification being used for DNS amplification attacks. If we do want a limit is 7 the correct number? Would e.g. 3 suffice for any envisaged use case? Proposal: more discussion required ## Use specific bits for popular QTYPEs Esko Dijk proposed an alternative scheme with reserved bits for TXT, A, etc. No-one followed this up. Proposal: No further action ## AA bit handling I've known for a while that the I-D needs text to address queries for records that might fall either side of a zone cut and therefore have different AA bits. The text that talks about being "authoritative for the specified QNAME" is incorrect because it also depends on the QTYPE (e.g. in the case of DS records) If I've missed anyone please let me know! Chris - you said you had some ideas but I don't think you've written them down anywhere? Ray
- [dnssd] multi-qtypes - possible updates Ray Bellis
- Re: [dnssd] multi-qtypes - possible updates Chris Box