IETF Logo Mail Archive

Re: [dnssd] Please review substantive changes to Update Lease

Tim Wicinski <tjw.ietf@gmail.com> Thu, 02 February 2023 22:40 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 288C9C1575CC for <dnssd@ietfa.amsl.com>; Thu, 2 Feb 2023 14:40:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JyFoFKoRzrPk for <dnssd@ietfa.amsl.com>; Thu, 2 Feb 2023 14:40:14 -0800 (PST)
Received: from mail-ed1-x529.google.com (mail-ed1-x529.google.com [IPv6:2a00:1450:4864:20::529]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BBF7FC1575CB for <dnssd@ietf.org>; Thu, 2 Feb 2023 14:40:14 -0800 (PST)
Received: by mail-ed1-x529.google.com with SMTP id m8so3537462edd.10 for <dnssd@ietf.org>; Thu, 02 Feb 2023 14:40:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=BB49aDN1tpC4L9h9IfIKjz8DLlQGMbuwlkwjZTJgG6s=; b=dDMnRk9BjFNrAjv3HbzwN5wwKtmjXu5jVGEXRAw3S0wv6J4VjPgEor16s0DHL/SXwH d5uEGlU0WqXe53XeshTneqA6no1kwsJTkzQWOPd41q+yHHhzDb9tl9HsO4GNAGqVrULK 0P2nc/rVAFAY3pmaX64ER9M51+1pbcBADysvw1x6mB+yErKJrhCCFYMZeYxHUPbHZQt3 o3eWRn/8/VvRsN+yrMAovJG2BC+Ea8bDzsdNtF7ofhEUVbZemE1/sJ1YyG/xi87J0Ew6 vJVvW15puGCsv9L+d3SaHWbzkIXKgA8+W4LVjG4xtwgWuSPT1wzbvJa5lKV/OersjZRo foGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=BB49aDN1tpC4L9h9IfIKjz8DLlQGMbuwlkwjZTJgG6s=; b=NDYcz/zlhGaMTFmwqW5AhqpC5MGw/vAMrzJ4kGuuKBFnRJP1YHHiebP9z9gOuTvJ/g 6VU8NTNOytdbMY0qkwGxEfBRkGxwhvckTPps56sYgDgf55aybmEF+8It+iHhRkkpaj0A hqj6qkhh+jvqNGxPot+pHoCtG/A9/IYV9hhXM1Wxg/Q3ZJWniXYaVD/NUIZDXdzcLpSG vfoP336EyjNcloG91boFhAPo/JKV4EpJskn9FO+22lBXd7TN2iFeQnUfcrjVfVvCQtTy Kn6QEmpQIdpzx4Osm44PEkjfpKIq1zD0DHRawq2L2xOBM7eOe8aihUhehmZ5u1wNdqz1 81+A==
X-Gm-Message-State: AO0yUKW0l+epr3rsYO5OEKXBErMhKbclEh4j4IntZquoSyInJq35tKPi 130xWX3bciWupSRX+S/zRaa9YjY9zYvdTAPv9Ek=
X-Google-Smtp-Source: AK7set+BpUlcTEt0yHfajmq3z9jJTmpj2A+Wfhl065sC13MZkx5yEpYlVOmFFE4mWp1rMmEyajjzPSvlGr07afAcx8I=
X-Received: by 2002:a05:6402:1ca2:b0:49e:36d1:16e with SMTP id cz2-20020a0564021ca200b0049e36d1016emr2483789edb.42.1675377612505; Thu, 02 Feb 2023 14:40:12 -0800 (PST)
MIME-Version: 1.0
References: <CAPt1N1mZ9+o5vZ3Ut7RH6hdQgQsQqxz36uvyT+7H7GFPyHz1Fg@mail.gmail.com> <CACJ6M179+Rf+Qw-t7P+xKNQeRYcfRma_YRyT3Ayy-Osu8rcgsQ@mail.gmail.com>
In-Reply-To: <CACJ6M179+Rf+Qw-t7P+xKNQeRYcfRma_YRyT3Ayy-Osu8rcgsQ@mail.gmail.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 02 Feb 2023 17:40:00 -0500
Message-ID: <CADyWQ+F1-nj5dx7bEAWkUQ9TmNf9pLCQccERi9YzLAiyyQqycw@mail.gmail.com>
To: Chris Box <chris.box.ietf@gmail.com>
Cc: dnssd <dnssd@ietf.org>, Ted Lemon <mellon@fugue.com>
Content-Type: multipart/alternative; boundary="00000000000075480d05f3bf3f9c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/gNvSMfe9YTyB5HMREoHHrwLglhE>
Subject: Re: [dnssd] Please review substantive changes to Update Lease
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Feb 2023 22:40:19 -0000

On Thu, Feb 2, 2023 at 1:26 PM Chris Box <chris.box.ietf@gmail.com> wrote:

> Everyone,
>
> In this latest draft, several things have changed in the text that will
> impact implementations. So PLEASE take a look and decide whether you are
> happy with them. We need your input to confirm if this gets your seal of
> approval, or if you'd like to see some changes. Either option is fine, but
> I'd like to get a version of this draft shipped before we meet in 116.
>
> To make it easier, I'll identify them below. The full draft-04 text is at
> https://www.ietf.org/archive/id/draft-ietf-dnssd-update-lease-04.html.
>
> Section 4.1 now has this, committed in
> https://github.com/dnssd-wg/draft-ietf-dnssd-update-lease/commit/0e0da091040b56d6abc6223277819ab770f31591
> <https://github.com/dnssd-wg/draft-ietf-dnssd-update-lease/pull/18/files>
>
> When sending an initial update, the requestor MUST delay the initial
>> transmission by a random amount of time across the range of 0-3000
>> milliseconds, with a granularity of no more than 10 milliseconds. This
>> prevents synchronization of multiple devices of the same type at a site
>> upon recovery from a power failure. This requirement applies only to the
>> initial update on startup: since renews include a random factor as well,
>> any synchronization that occurs after such an event should quickly
>> normalize.
>
>
> My personal thought on this, wearing no hats, is to wonder how realistic
> is 10ms accuracy for a low-power device? I understand the rationale, which
> is to permit 300 different slots in which the transmission could occur.
> However I wonder if the granularity ought to be a softer requirement. Views
> from implementers needed.
>

I figure folks are also considering the more and more movement to PTP on
devices in general.


> Section 5.2 has this, committed in
> https://github.com/dnssd-wg/draft-ietf-dnssd-update-lease/pull/18/files
>
> In order to prevent records expiring, requestors MUST Refresh resource
>> records after approximately 75% of the original lease has elapsed. This
>> interval MUST be adjusted randomly by +/-10% so that after a network
>> restart, subsequent Renews do not remain synchronized across devices
>> affected by the power failure.
>
>
> Personal thought again: does this mean the client code should aim for a
> range of 65% to 85% of the original lease? Or does it mean 67.5% to 82.5%?
> I don't think it really matters either way, but it would be good to be
> clear about our intention. We should also ask ourselves if there are valid
> reasons why refresh should occur later than 85%.
>
>
I saw Ted mention 65%-85% and that gives a broader range.

>
> There now follow some changes that avoid using SHOULD on its own (i.e.
> without discussion of why you might need to deviate from it). These are all
> committed in
> https://github.com/dnssd-wg/draft-ietf-dnssd-update-lease/pull/20/files
>
>
> Section 5.2.1
>
>> In doing so, the requestor includes in the Refresh message all existing
>> updates to the server, including those not yet close to expiration, so long
>> as at least one resource record in the message has elapsed at least 75% of
>> its original lease. If the requestor uses UDP, the requestor MUST NOT
>> coalesce Refresh messages if doing so would cause truncation of the
>> message; in this case, the requestor should either send multiple messages
>> should use TCP to send the entire update at once.
>
>
>
This sentence seems wonky:

 If the requestor uses UDP, the requestor MUST NOT coalesce Refresh
messages if doing so would cause truncation of the message;
in this case, the requestor should either send multiple messages should use
TCP to send the entire update at once.

Maybe "or should use TCP to send the entire update"?


Finally, section 8's security considerations are rewritten and greatly
> expanded. The commit was
> https://github.com/dnssd-wg/draft-ietf-dnssd-update-lease/pull/19/files.
>
> Section 8 <https://rfc-editor.org/rfc/rfc2136#section-8> of [RFC2136
>> <https://www.ietf.org/archive/id/draft-ietf-dnssd-update-lease-04.html#RFC2136>]
>> describes problems that can occur around DNS updates. Servers implementing
>> this specification should follow these recommendations.
>> Several additional issues can arise when relying on Update Lease. First,
>> a too-long lease time is not much different than no lease time: the records
>> associated with this lease time will effectively never be cleaned
>
>
"Several additional issues can arise when relying on Update Lease."

could this be "when relying on an Update Lease"?



> up. Servers implementing Update Lease should have a default upper bound on
>> the maximum acceptable value both for the LEASE and KEY-LEASE values sent
>> by the client. Servers MAY provide a way for the operator to change this
>> upper limit. We recommend that the default values for these limits should
>> be 24 hours and 7 days, respectively.
>> The second issue is that a too-short lease can result in increased server
>> load and a failure to persist data subject to such a short lease. Servers
>> implementing Update Lease MUST have a default minimum lease
>
>
This sentence reads odd to me (but this could be me).

The second issue is that a lease which is too short can result in increased
server load and a failure to persist data for such a lease.



> interval that is acceptable. We recommend a minimum of 30 seconds for both
>> the LEASE and KEY-LEASE intervals.
>> There may be some cost associated with renewing leases. A malicious (or
>> buggy) client could renew at a high rate in order to overload the server
>> more than it would be overloaded by query traffic. This risk is present for
>> regular DNS update as well. Servers MUST have a minimum interval before
>> which they will not accept a Refresh for a recently updated record. Such
>> messages MUST be silently ignored.
>> Some authentication strategy should be used when accepting DNS updates.
>> Shared secret [RFC8945
>> <https://www.ietf.org/archive/id/draft-ietf-dnssd-update-lease-04.html#RFC8945>]
>> or public key signing should be required. Keys should have limited
>> authority: compromise of a key should not result in compromise of the
>> entire contents of one or more zones managed by the server. Key management
>> strategy is out of scope for this document, however. An example of a key
>> management strategy can be found in [I-D.ietf-dnssd-srp
>> <https://www.ietf.org/archive/id/draft-ietf-dnssd-update-lease-04.html#I-D.ietf-dnssd-srp>],
>> which uses "first come, first-served naming" rather than an explicit trust
>> establishment process to conver update permission to a set of records.
>
>
>
Key management strategy is out of scope for this document, however.

Can we drop the "however"?  It just is.


thanks for grinding this out Ted


tim



>

v2.23.0 | Report a Bug | By Email