Re: [dnssd] Benjamin Kaduk's No Objection on draft-ietf-dnssd-push-24: (with COMMENT)
Tom Pusateri <pusateri@bangj.com> Mon, 12 August 2019 23:32 UTC
Return-Path: <pusateri@bangj.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 909E3120018; Mon, 12 Aug 2019 16:32:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bangj.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pitdALb4ulZb; Mon, 12 Aug 2019 16:32:43 -0700 (PDT)
Received: from oj.bangj.com (69-77-154-174.static.skybest.com [69.77.154.174]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EAFA12000E; Mon, 12 Aug 2019 16:32:43 -0700 (PDT)
Received: from [172.16.10.104] (mta-107-13-246-59.nc.rr.com [107.13.246.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 41F3F32206; Mon, 12 Aug 2019 19:32:42 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bangj.com; s=201907; t=1565652762; bh=RVGoTPCmQX97I1Q64dog1TpphfzGID/k66IqcR1JOKQ=; h=From:Subject:Date:In-Reply-To:Cc:To:References:From; b=UM5TBaTHZgOY1EO7SQSPsQ3kZSbo5sWQKd0/A/JbqBUlY3Zo/SG7YQP9y/oNVIyCt GbOJu95OE3FxtQyPlkEYuiDjbOUwz4oY8b5ckFUP9mZqG5EHbzx8mh5aYEL7wHiYp7 3WJz2sAaca74pNe9zJcCB9PBgTk+Ych7wHptGsqc6B6j9tAzHXoIXK5LQ92HrHcMO/ fAUgojIRV4ReK3bApxYuPcYr958PMpkD0DHibOHvW1JO3TkvYxEZuIOmI4s7tddSVD NG2QLRjXyDgImWYtsqznUoBymVh2p4bcvlp+XitBQdbzNuWMdOMXMM9uhi3LVAPDfK ElTiL/L2eY//g==
From: Tom Pusateri <pusateri@bangj.com>
Message-Id: <A80DDB1B-44A1-492A-9D51-4843706EB49B@bangj.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EEBE48C4-33D7-44B1-9DC1-679897161490"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3570.1\))
Date: Mon, 12 Aug 2019 19:32:41 -0400
In-Reply-To: <156527413058.7542.141771034158195549.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, tjw.ietf@gmail.com, dnssd-chairs@ietf.org, dnssd@ietf.org, draft-ietf-dnssd-push@ietf.org
To: Benjamin Kaduk <kaduk@mit.edu>
References: <156527413058.7542.141771034158195549.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3570.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/iwo5VgG9oSgwigHl9XAP7ympMsY>
Subject: Re: [dnssd] Benjamin Kaduk's No Objection on draft-ietf-dnssd-push-24: (with COMMENT)
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Aug 2019 23:32:46 -0000
Comments below. > On Aug 8, 2019, at 10:22 AM, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: > > Benjamin Kaduk has entered the following ballot position for > draft-ietf-dnssd-push-24: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dnssd-push/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thanks for this well-written document! > > What are the privacy considerations to zone content owners (e.g., > machine owners listed in a zone) about the availability of near-realtime > information tracking their changes? With the primary case of service discovery, this information is already available today as link-local multicast announcements. And many unicast DNS servers already have policy controls that would apply to subscriptions as well. We’re not really creating any new exposure. > > Can we have a discussion of padding policy to attempt to preserve the > privacy of push transactions? Analysis of message size is a component of traffic analysis. I can add a paragraph about this and reference the Padding TLV as discussed in RFC 8490. > > Section 1.2 > > Do we need to give a reference for the BSD Sockets API? (I honestly > forget what we did for other documents referencing it.) RFCs 8547, 8490, 8095, 7663, 7640, & 7242 are the most recent to reference the BSD socket api. Of these, only RFC 8095 reference the POSIX Base Specifications which probably isn’t useful since no one is going to go read the POSIX docs but instead read operating system docs. None of the other RFCs in this list provide a reference. I would like to skip this. > > Section 3 > > Perhaps we should put quotation marks around statements taken from RFC > 8490 (so as to avoid the appearance that we are duplicating normative > requirements made in that document). Need more specifics. If referring to: Generally, as described in the DNS Stateful Operations specification [RFC8490], a client must not keep a DSO session to a server open indefinitely if it has no subscriptions (or other operations) active on that session. A client MAY close a DSO session immediately it becomes idle, and then if needed in the future, open a new session when required. Alternatively, a client MAY speculatively keep an idle DSO session open for some time, subject to the constraint that it must not keep a session open that has been idle for more than the session's idle timeout (15 seconds by default) [RFC8490]. then changing “MAY" to “may" could resolve this issue. > > Section 5 > > server in this protocol specification. Additional security measures > such as client authentication during TLS negotiation MAY also be > employed to increase the trust relationship between client and > server. > > Do we want to say anything about the validation procedures for that > client authentication, maybe RFC 6125 with a DNS-ID check, or would that > be too restrictive? This does not include client certificates, DANE, or out of band mechanisms. 6125 is helpful but only describes one approach. > > Section 6.1 > > In many contexts, the recursive resolver will be able to handle Push > Notifications for all names that the client may need to follow. Use > of VPN tunnels and split-view DNS can create some additional > complexity in the client software here; the techniques to handle VPN > tunnels and split-view DNS for DNS Push Notifications are the same as > those already used to handle this for normal DNS queries. > > Is there a good reference discussing these techniques? I can reference RFC 8499 which defines split DNS. > Section 6.2.1 > > The MESSAGE ID field MUST be set to a unique value, that the client > is not using for any other active operation on this DSO session. For > > Isn't this already mandated by 8490? Are you asking us to change “MUST” to “must”? I haven’t heard it suggested before that you can only use 2119 terms once. > > (Hmm, the interaction of TLS early data's replayability and MESSAGE ID > uniqueness might require some thought. But the MESSAGE ID uniqueness is > within a DSO session, not global, so that may not make a difference.) Yes, early data isn’t a concern because a new DSO session means all new subscriptions and new MESSAGE ID space. > > Section 6.3.1 > > The other header fields MUST be set as described in the DSO spec- > ification [RFC8490]. The DNS OPCODE field contains the OPCODE value > for DNS Stateful Operations (6). The four count fields MUST be zero, > and the corresponding four sections MUST be empty (i.e., absent). > > We may not need the 2119 terms for the requirements duplicated from > 8490. Are you asking us to change “MUST” to “must” here too? > > For collective remove notifications, if CLASS is not 255 (ANY) and > TYPE is not 255 (ANY) then for the given name this deletes all > records of the specified type in the specified class. > > (et seq) What does it mean to "delete a record", from the recipient's > point of view? (How does the server communicate that the RRset's > contents have changed to a completely disjoint value -- delete plus add?) To “delete a record” means the record is being removed from the zone. That could be because the service is no longer offered or the host has been decommissioned. In mDNS (RFC 6762), an announcement with TTL 0 is used to signal a delete. This could trigger a PUSH notification deleting the record. A received DNS UPDATE message could also trigger a PUSH notification deleting a record. If the name of a DNS service changes then, yes, the old service is deleted and the new service is added (although the delete doesn’t have to come before the add). > > a SUBSCRIBE request, subject to the usual established DNS case- > insensitivity for US-ASCII letters. If the TYPE in the SUBSCRIBE > request was not ANY (255) then the TYPE of the record must match the > TYPE given in the SUBSCRIBE request. If the CLASS in the SUBSCRIBE > > nit: we switch from using the indefinite article to the definite article > with "SUBSCRIBE request", which is a bit jarring since we don't give a > great indication of what distinguishes the definite case. I will change “a SUBSCRIBE request,” to “the SUBSCRIBE request,” > > Section 6.5 > > It's not entirely clear to me that we need quite this much detail about > discovery proxy operations, in order to motivate RECONFIRM. > > If we're going to talka bout Apple's dns_sd.h API (which I have somewhat > mixed feelings about to begin with), we should have a reference for it. Do you prefer something like https://opensource.apple.com/source/mDNSResponder/mDNSResponder-878.70.2/mDNSShared/dns_sd.h.auto.html <https://opensource.apple.com/source/mDNSResponder/mDNSResponder-878.70.2/mDNSShared/dns_sd.h.auto.html> or https://github.com/IETF-Hackathon/mDNSResponder/blob/master/mDNSResponder/mDNSShared/dns_sd.h <https://github.com/IETF-Hackathon/mDNSResponder/blob/master/mDNSResponder/mDNSShared/dns_sd.h> > > Section 7.1 > > Deployment recommendations on the appropriate key lengths and cypher > suites are beyond the scope of this document. Please refer to TLS > Recommendations [RFC7525] for the best current practices. Keep in > > Please cite this as BCP 195. Ok. > > Section 7.4 > > servers. The server may keep TLS state with Session IDs [RFC8446] or > operate in stateless mode by sending a Session Ticket [RFC5077] to > > 5077 was made obsolete by 8446; from the practical side of tings there > is no wire-visible distinction between stateful session IDs and > stateless session tickets. Ok. I can change this to: TLS Session Resumption [RFC8446] is permissible on DNS Push Notification servers. However, closing the TLS connection terminates the DSO session. > > Section 10.2 > > I think RFC 7858 needs to be normative. > > Likewise, RFC 8310. Ok. Thanks for the detailed review! Tom
- [dnssd] Benjamin Kaduk's No Objection on draft-ie… Benjamin Kaduk via Datatracker
- Re: [dnssd] Benjamin Kaduk's No Objection on draf… Tom Pusateri
- Re: [dnssd] Benjamin Kaduk's No Objection on draf… Benjamin Kaduk