IETF Logo Mail Archive

Re: [Last-Call] [homenet] Dnsdir telechat review of draft-ietf-homenet-front-end-naming-delegation-18

Matt Brown <ietf@mattb.net.nz> Thu, 20 October 2022 20:49 UTC

Return-Path: <ietf@mattb.net.nz>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A4BBC1522BB; Thu, 20 Oct 2022 13:49:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mattb.net.nz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VlGPnh5QOQqm; Thu, 20 Oct 2022 13:49:09 -0700 (PDT)
Received: from muslin.katalinabrown.co.nz (muslin.katalinabrown.co.nz [IPv6:2600:3c03::f03c:91ff:fe93:7ef4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A61A8C1522B9; Thu, 20 Oct 2022 13:49:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mattb.net.nz; s=20190916; h=Content-Transfer-Encoding:Content-Type:Cc:To: Subject:Message-ID:Date:From:In-Reply-To:References:MIME-Version:Sender: Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender :Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=2JZ+Pc9c3lfCE3mNGr9mnhEbCzJKnXuQBMv4xEtGQUk=; b=V9jYazgn23Xluo56FvD6Nnu7wR GZFsVPXH2nYS8et6k9huXZybdgbnws1xEqdrWRDjec0xdlkAyf+kEvH+SIhm5GWGq6ltu/9n3pYFA wAvj5/RNRb9twtxou16kKvKCsYpU1LUGGoYiCOPhurt30MDjRXSvCDwtSKZUvGRazzH4=;
X-Gm-Message-State: ACrzQf0ay3nxWE9tWnA3qzFjdyAUWxuep48Zjdb9lsgch9gx9h7dQFNy F2DYJ3d8kD0DBcQMtAcrsBgODYrwhhwR6TNqbYk=
X-Google-Smtp-Source: AMsMyM4S02Axlt1ql0U4U8TsRZEg6txkv9OTnnVPZdI3tZrjq8+HyINkgCNrQAFpT6xfdIuUBTLpqcrAvanksUH1S88=
X-Received: by 2002:a17:907:b17:b0:78b:b909:e91a with SMTP id h23-20020a1709070b1700b0078bb909e91amr12122729ejl.687.1666298946407; Thu, 20 Oct 2022 13:49:06 -0700 (PDT)
MIME-Version: 1.0
References: <166601224491.24452.9575096761631204136@ietfa.amsl.com> <CADZyTkkaHshFr3S+ECZhaHa9N_7E2XsW4VufNYtmg62Ludw8YQ@mail.gmail.com>
In-Reply-To: <CADZyTkkaHshFr3S+ECZhaHa9N_7E2XsW4VufNYtmg62Ludw8YQ@mail.gmail.com>
From: Matt Brown <ietf@mattb.net.nz>
Date: Fri, 21 Oct 2022 09:49:16 +1300
X-Gmail-Original-Message-ID: <CAMgEDbQn4A081ZaWCt5bHPzY_9kKO4L7X3tGKra3riQzOCuO6w@mail.gmail.com>
Message-ID: <CAMgEDbQn4A081ZaWCt5bHPzY_9kKO4L7X3tGKra3riQzOCuO6w@mail.gmail.com>
To: Daniel Migault <mglt.ietf@gmail.com>
Cc: dnsdir@ietf.org, draft-ietf-homenet-front-end-naming-delegation.all@ietf.org, homenet@ietf.org, last-call@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/p4yi1VG-45O4hVMJAtikR58UNz8>
Subject: Re: [Last-Call] [homenet] Dnsdir telechat review of draft-ietf-homenet-front-end-naming-delegation-18
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2022 20:49:13 -0000

On Thu, Oct 20, 2022 at 6:26 AM Daniel Migault <mglt.ietf@gmail.com> wrote:
>
> Hi Matt,
>
> Following up with other minor concerns. You can see the changes below:
> https://github.com/ietf-homenet-wg/ietf-homenet-hna/commit/88a1700865f80862301f96937ac07071efd58660

Mostly LGTM thanks, just following-up on a few minor points below.

> On Mon, Oct 17, 2022 at 9:11 AM Matt Brown via Datatracker <noreply@ietf.org> wrote:
>>
>> Minor Issues (aka Ready with Issues):
>>
>> 2 and 3.1: DNSSEC Resolver - is the exclusion of unsigned/non-DNSSEC resolvers
>> in the terminology and architecture overview intentional? Section 9 confirms
>> that DNSSEC is not required (only RECOMMENDED), so it is possible that both the
>> public and internal resolvers being used are not DNSSEC capable - therefore it
>> seems strange for the architecture overview and terminology to imply that
>> DNSSEC is required.
>>
> We considered DNSSEC on how the architecture can fit DNSSEC requirements. DNSSEC might me disabled. DNSSEC impacted our design in many aspects, so the baseline we took is to have DNSSEC enabled.

I think this is fine (to assume DNSSEC as a baseline), but unless the
public homenet zone is explicitly required to be a Signed zone, then I
think the terminology should encompass all potential use-cases, not
just the assumed default - e.g. in this architecture description the
resolvers should not be described as DNSSEC specific. Perhaps adopting
RFC8499 terminology in this section would both address this concern
and add further clarity by sticking to known terminology, it was the
unusual term "DNSSEC Resolver" that caught my eye here initially.

>> 3.2: The 4th paragraph begins describing "the main issue", the solution to
>> which is not explained in the paragraph, or in the referenced Section 4.2
>> (which is DNSSEC/DS specific vs the NS, A, AAAA context of the paragraph). In
>> either case, the semantics of how the DM treats the information it receives
>> from the HNA seems out of place in a section describing and primarily focused
>> on the mechanics of the communication channel itself. I suggest removing or
>> rewriting this 4th paragraph to improve the clarity.
>>
> The purpose of this paragraph is to highlight that HNA needs some information from the DM and vice versa. I suggest the following changes:
>
> OLD:
> The main issue is that the Dynamic DNS update would also update the parent zone's (NS, DS and associated A or AAAA records) while the goal is to update the DM configuration fil
> es. The visible NS records SHOULD remain pointing at the cloud provider's server IP address -- which in many cases will be an anycast addresses. Revealing the address of the HNA in the DNS is not desirable. Refer to {{sec-chain-of-trust}} for more details.
>
> NEW:
> It is worth noticing that both DM and HNA need to agree on a common configuration to set up the synchronization channel as well as to build and server a coherent Public Homenet Zone.
> Typically,  the visible NS records of the Public Homenet Zone (built by the HNA) SHOULD remain pointing at the cloud provider's server IP address -- which in many cases will be an anycast address. Revealing the address of the HNA in the DNS is not desirable. In addition and depending on the configuration of the DOI, the DM also needs to update the  parent zone's (NS, DS and associated A or AAAA records). Refer to {{sec-chain-of-trust}} for more details.

I find the new wording much clearer thanks. I still find it a little
out of place (discussing zone record semantics in a section on the
transport channel) - would moving the new text down to the subsequent
sec-pbl-homenet-zone section be better? Given what the new text is
describing is the contents of the public homenet zone, that seems like
a more natural location to find this note.

>> 4: I find the format of this section confusing and hard to understand with
>> sections 4.1-4.4 describing the information to be conveyed, but not how it is
>> conveyed, and then the message formats being described in 4.5. I suggest it
>> would be much clearer and more understandable to combine the details in 4.5.x
>> with the earlier sections (e.g. put the AXFR details from 4.5.1 into 4.1, and
>> the DNS update details from 4.5.2/4.5.3 into 4.2 and 4.3.
>>
>  We put the message format description in one section to avoid repeating many information. I prefer to have it in one place.

Noted. I disagree, but accept your decision and preference :)

>> Given the HNA is already opening a control connection to the DM, was
>> consideration given to re-using that connection (or a 2nd HNA initiated
>> connection to a different address if there is the need for different servers in
>> the DM implementation between control/sync channesl) to prevent the need for
>> opening any listening port on the HNA WAN addresses at all?
>
> We did not consider a self organisation between HNAs. We focused on the minimal setting.

I was not meaning 2 HNA devices in this comment, I meant a single HNA
could open 2 outbound connections (1 for control channel, 1 for
synchronization channel) - the difference to what is currently written
simply being that both are initiated by the HNA (rather than the DM
initiating the synchronization channel connection) in order to avoid
having to open a listening port externally.

Cheers

-- 
Matt Brown
DNS Directorate Member

v2.23.0 | Report a Bug | By Email