[dnssd] Some comments on draft-sctl-service-registration-00

Toke Høiland-Jørgensen <toke@toke.dk> Sat, 28 October 2017 16:10 UTC

Return-Path: <toke@toke.dk>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10DD613FB69 for <dnssd@ietfa.amsl.com>; Sat, 28 Oct 2017 09:10:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=toke.dk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_EqoH2zU9L5 for <dnssd@ietfa.amsl.com>; Sat, 28 Oct 2017 09:10:53 -0700 (PDT)
Received: from mail.toke.dk (mail.toke.dk [52.28.52.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C32D713FB45 for <dnssd@ietf.org>; Sat, 28 Oct 2017 09:10:51 -0700 (PDT)
From: Toke =?utf-8?Q?H=C3=B8iland-J=C3=B8rgensen?= <toke@toke.dk>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=toke.dk; s=20161023; t=1509207043; bh=rsXOTC+Eh5RelKTcsTf9YnL3v4f4EjaHOflYOYHrru4=; h=From:To:Subject:Date:From; b=HUa082CnmMCtqGO4ifaYYCmdXk5WBzx8G4Mb2p/0c/GlbIYeTsDaNEuyPieiD2Ul5 LtjgAhWE7d5qW7kzIfc416RnU2rvPgLV8ZUZ0ORQJrS/KHUChQLrwxriQMLQIf//px M88LJjBfoMK1RBK+8fOFl8rLys8bAz7HvhuupRSvU4TENv1b/iYq1HJxq/RxVEM0B9 0x3d3nfFD16o7tifLtUXnJCVtWq3yLcabKsKxnJZMoOlRLpXmcAWK8klm9Zi/X0Y5j 3jGHZ1lfxLtQrYjucqemT1Bel99hSBD6wbpxLFjF0yX+cDctUSMhXcU3s1p51maV/u JsFZ12MxjGgbg==
To: dnssd@ietf.org
Date: Sat, 28 Oct 2017 18:10:12 +0200
X-Clacks-Overhead: GNU Terry Pratchett
Message-ID: <87bmkr1cez.fsf@toke.dk>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/n1H-OGDx8BioVqjTuDTz6jmUmoo>
Subject: [dnssd] Some comments on draft-sctl-service-registration-00
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Oct 2017 16:10:56 -0000

Hi everyone

I've been meaning to post some comments on
draft-sctl-service-registration-00 for a while; finally got around to
writing this down. These are partly based on differences between what
the draft specifies and my implementation[1].

Since the draft is in somewhat of an early stage, I did not think it
made sense to do detailed section-by-section commenting. So instead,
here follows some general comments for discussion, in no particular
order:


- It is not clear how to find the server to register with: Section 2
  refers to RFC2136 and RFC3007 for the DNS Update mechanism, and to
  RFC6763 Section 11 for information on how to discover the zones to
  attempt registration in. So from my best reading of this, the client
  should discover the relevant zones, then just send its signed updates
  to any authoritative server for those zones. However, this prevents
  implementing the registration logic as a proxy (as I'm currently
  doing). So I feel like there should be a SRV lookup in there
  somewhere? I seem to recall Stuart telling me that this is indeed
  specified somewhere, but my google fu is failing me right now, and in
  any case it's not clear from the draft how this process is supposed to
  work.
  

- Different expiry times for different records: Section 5 mentions that
  the server should keep the SIG(0) public key for much longer than the
  other records, but does not specify how that is to be accomplished.
  If the server just picks a cache time for the key, that effectively
  prevents the client from specifying how long it has this key
  available; think a client with no permanent storage which generates a
  key at startup and keeps it in memory, but wants to make sure it is
  not cached for longer than the other records so it can reclaim it if
  it needs to reboot.

  I currently implement a per-record lease time by overloading the TTL
  of the DNS Update packet coming from the client: The TTL in the update
  packet has the same meaning as the lease time in the current version
  of the draft (except it's per-record), and the server will install the
  actual records into DNS with a different TTL. I'm not sure that is a
  better way to do it, though.
  

- Address-based ACLs: Obviously, in most cases a client should only be
  able to perform registration if it is actually on the right network.
  Firewalling off the ports from outside the relevant networks is a way
  to ensure this, but it is somewhat of a crude tool. For one, it
  prevents a single registration server / proxy from serving multiple
  networks. For another, it prevents a use case where a client is only
  allowed *initial* registration (when the key is first cached) from
  inside the network, but is allowed to subsequently update the same
  record from anywhere. This is useful to, for instance, have my laptop
  maintain my-laptop.myhome.example.org even when visiting another
  network.

  So another way to ensure this source verification is needed, I think.
  The way I implemented it is to have the registration server only speak
  TCP; that way, source address spoofing is not possible (as that would
  make the handshake fail), and the server can simply implement a
  straight-forward ACL policy.
  

- It is not quite clear to me whether the sleep proxy described in
  section 4 is an optional feature or if its meant to be mandatory.
  Stuart explained its usefulness for devices that power off when not in
  use, requiring this function will mean that registration servers will
  need to be on the local link, which is somewhat limiting. Also, the
  implementation complexity goes way up (I certainly don't plan to
  implement this feature :)). So I think having a way for the server to
  signal "no, I can't perform sleep proxying" to the client would be
  good to allow things to fail in a graceful way.


-Toke


[1] https://github.com/tohojo/nsregd