Re: [dnssd] WGLC for draft-ietf-dnssd-srp

Tom Pusateri <pusateri@bangj.com> Fri, 03 May 2019 04:00 UTC

Return-Path: <pusateri@bangj.com>
X-Original-To: dnssd@ietfa.amsl.com
Delivered-To: dnssd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 277661201D5 for <dnssd@ietfa.amsl.com>; Thu, 2 May 2019 21:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EdxMCEf-_L_I for <dnssd@ietfa.amsl.com>; Thu, 2 May 2019 21:00:40 -0700 (PDT)
Received: from oj.bangj.com (69-77-154-174.static.skybest.com [69.77.154.174]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B05812006F for <dnssd@ietf.org>; Thu, 2 May 2019 21:00:40 -0700 (PDT)
Received: from [172.16.25.146] (69-77-155-155.static.skybest.com [69.77.155.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by oj.bangj.com (Postfix) with ESMTPSA id 5A7532EA08; Fri, 3 May 2019 00:00:39 -0400 (EDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
From: Tom Pusateri <pusateri@bangj.com>
In-Reply-To: <CAPDSy+7Yom5EwqG1OS=zpy3fARMRp3ExcfY6md=8YtgS9XiVvQ@mail.gmail.com>
Date: Fri, 3 May 2019 00:00:38 -0400
Cc: DNSSD <dnssd@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <68FEE2FE-00CB-4CA2-8219-62A31394829E@bangj.com>
References: <CAPDSy+7Yom5EwqG1OS=zpy3fARMRp3ExcfY6md=8YtgS9XiVvQ@mail.gmail.com>
To: David Schinazi <dschinazi.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnssd/w3Q-2mAnadGOq_nOgVm6-hgB9PY>
Subject: Re: [dnssd] WGLC for draft-ietf-dnssd-srp
X-BeenThere: dnssd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of extensions to DNS-based service discovery for routed networks." <dnssd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnssd>, <mailto:dnssd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnssd/>
List-Post: <mailto:dnssd@ietf.org>
List-Help: <mailto:dnssd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnssd>, <mailto:dnssd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 04:00:43 -0000

I’m breaking this review for draft-ietf-dnssd-srp into two sections.

  1. overall architecture
  2. latest revision of the document

I like the new distinction between constrained nodes and regular nodes. This helps.


Section 1.
==========
As we’re moving from the local link with mDNS to internet wide service discovery over unicast DNS, I think it is necessary to ensure all DNS messages that exit the local link be encrypted.

	a. This document purports to provide “a reasonably secure mechanism” that mentions no encryption. Encryption is desirable for privacy with both link local and internet wide dns messages. While legacy mDNS does not perform encryption, it is possible to encrypt link-local announcements as well as internet wide area announcements, queries, and responses.

	b. It provides limited authentication through “first come, first serve” semantics for change modifications but not for the the initial registration of any service.

	c. It punts access control to the local administrator based on IP address.

	d. It suggests the use of TCP to ensure client address verification but then also seems to suggest UDP is ok too for RFC 2136 unconstrained nodes.
	e. The use of anycast requires guarantees about network routing operations that cannot be detected by SRP servers or clients. SRP Updates sent to an anycast address can leak outside the domain through a default route and even to another domain’s SRP servers. Accepting these over UDP and requiring access control to be configured by the same administrators that haven’t set up anycast routing correctly seems like a bad idea. Random users can install devices configured to use the anycast address out of the box in a network not anticipating the deployment of SRP.

	f. describing an architecture where the DNS SRP server is not typically on the same link but then requiring it to be so in order for the sleep proxy to function as described suggests maybe the SRP architecture needs to change. (section 2.6.2)



Section 2.
==========
document comments

Section 2, paragraph 2:
	There are restrictions placed on the domain name to use including RFC 2119 terminology requiring it but there is no justification for the imperatives (both in the v4 and v6 case). This leaves the reader wondering why.

Section 2, paragraph 3:
	_dnssd-srp._tcp<zone> is defined (add a period before <zone> as in 2.3.2). Can there also be a _dnssd-srp-tls._tcp.<zone>?

Section 2, paragraph 4:
	The wording makes it seem like “default.services.arpa” is defined in RFC 6761

Section 2.1, paragraph 1:
	The update terminology seems overloaded and a bit confusing in the document overall. In this particular paragraph, the second sentence is confusing with updates in the update that are records.

Section 2.1, paragraph 3:
	the use of “both” follows a list of items making it hard to discern what both refers to. It could be:
		1. the three items in the list (but then both implies 2 items not 3)
		2. one or more TXT RRs (but more than 2 also isn’t usually referred to as both)

Section 2.1, last paragraph:
	KEY records are mentioned above but the details of these aren’t explained in RFC 6763

Section 2.3, first paragraph:
	“it’s possible to do all the work of adding a PTR resource record to the PTR RRset on the Service Name if it already exists, or creating one if it doesn’t”. This is confusing because each service instance adds a PTR Service Name record identically whether the RRset exists or not.

Section 2.3, first and second paragraph:
	First it says “it is possible” and then it says “An SRP update is therefore implemented”. But the logic between these end caps is not explicit and so it reads awkwardly and reader is left wondering what the “therefore” is there for.

Section 2.3, last paragraph:
	The document uses “update constraints” but should in this case use "update pre-requisites" since it’s referring to the way 2136 does things. The second use of constraints referring to section 2.4.2 seems correct.

Section 2.3.2:
	This section seems out of place because it is only for testing (manual client key installation etc.) and so should be moved to an appendix.

Section 2.3.3, paragraph 2:
	“as described earlier using _dns-update._udp” - I don’t see any other references to _dns-update._udp. Also, RFC 2136-compliant servers shouldn’t be restricted to UDP. They can support TLS, TCP, or UDP. (_dns-update-tls._tcp, _dns-update._tcp, and _dns-update._udp).

	But earlier in 2.0, second to last paragraph, you require TCP to prevent off-network spoofing so UDP should not be suggested here.

Section 2.4, last paragraph:
	“what we describe here improves upon the security of mDNS. The goal is not to provide the level of security of a network managed by a skilled operator.”
	In fact, we want to design protocols that provide security, privacy, and protect users regardless of the skill of the operators. mDNS has a level of protection afforded to it by it’s link local nature. Once SRP leaves the link, it is open to a whole new host of vulnerabilities and it has to address each of these in a way mDNS never had to.

Section 2.4.1.1, third paragraph:
	“service description updates” - it’s not clear here what “updates” means. This is part of the overloading of update in the document.

Section 2.4.1.1, fifth paragraph:
	“it makes a claim” - the paragraph discusses the option to use different lease life times and then ends with a declarative that it makes a claim that lasts much longer when it fact it doesn’t have to. I suggest “it could make a claim”.

Section 2.4.2:
	This section contains the meat of the “update” confusion. Service Discovery update, Service Description update, and Host Description update need different terminology to distinguish an update message, and SRP update, and these combination of records, that combined in a specific way, comprise an SRP update. Maybe Service Discovery group or bloc? And we already have resource records and RRsets so maybe that terminology could be used in places?

	“An update is a Service Discovery update if” - When all of the records required must be in an SRP update, what does “update” mean here?

	“one of more TXT RRset updates” - can this “updates” be “resource records”?

	“there is a Service Instance Name update in the SRP update that updates an SRV RR so that it points to the hostname being updated by this update” - ETOOMANYUPDATES in this sentence

	“Note that if the definitions of each of these update types are followed carefully, this means that many things that look very much like SRP updates nevertheless are not” - It seems that if the definitions of each of these updates are followed carefully, you would end up with a valid update. Stating that you don’t seems to imply that the definitions are not descriptive enough.

	“is the same as the KEY record in the update” - again, it’s not clear what update you are referring to. And can there be multiple KEY records in the same SRP update? Again, the Service Description update vs the Host Description update make this confusing.


	“The server MAY add a Reverse Mapping” - (why is Reverse Mapping capitalized?) - Can the client add this? Would this be a standard RFC 2136 update since the zone is different?

	“maintenance functionality” - provide a reference in the document to what you mean here

	How do you delete an SRP announced service before the lease lifetime of the service name PTR record expires? The rules don’t seem to allow that.

Section 2.5:

	If one service is announced via SRP and another service from the same host is announced over SRP, how do you make A and AAAA record TTLs consistent with both service records?

	“when adding RRs to an RRset, … MUST use the same TTL” - Seems like it would be impossible to achieve this with Service PTR records in an RRset. I’m probably not understanding it so it may need clarification.


Section 2.6.1, second to last paragraph:
	How does a dual-use server decide an update is an SRP update or an RFC 2136 update?


Section 3.2:
	Do you need to specify which key to use for server signature validation? Isn’t this already specified outside of SRP?

Section 6.1:
	Throughout the document you reference default.services.arpa and then in the IANA you request the services.arpa domain. Where is default.services.arpa defined and/or managed? Is it a subdomain or a leaf?


Thanks,
Tom