[Mud] iot-dns-considerations: tailored response vs geofence
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 06 March 2024 16:54 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE115C14F5F6 for <mud@ietfa.amsl.com>; Wed, 6 Mar 2024 08:54:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hm_oc1ghE7xE for <mud@ietfa.amsl.com>; Wed, 6 Mar 2024 08:54:31 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7543DC14F5FC for <mud@ietf.org>; Wed, 6 Mar 2024 08:54:26 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 2BF0338988 for <mud@ietf.org>; Wed, 6 Mar 2024 11:54:25 -0500 (EST)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id hYJZalBrUqvl for <mud@ietf.org>; Wed, 6 Mar 2024 11:54:21 -0500 (EST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id C88EC3898B for <mud@ietf.org>; Wed, 6 Mar 2024 11:54:21 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1709744061; bh=7e+guYU+2Ybp4bw/Ku0Q8VbUQ6xCvnM74auyczhjito=; h=From:To:Subject:Date:From; b=SVjbkDvJ7fukgJbCNYeuGPLGkpj1hI1kwrvbITqnp8IKvwOSRL6dP1lr13S+cIleO YPLx2IHVQjJtZjdfkGszg3HqHg1Cqca0IXpz2uIVumzl+wqkCmbKdmPl1vzNuPm7VH 1OoO4btBZaCSlk6I5YIje82Z74mK1cAVG6AGvNSRbA8DWIuvM0YToajywEnEQbWSBS +t38MPOq6lyWZWsO6x66ahWrZVlNF9z8hWOogEAqLE34v64U9f6xuwukVSlV82Omiu CsmzJSvrmPPn2wtoD2RXGlqV09ImfGvz156G7uFyuO4oDJRmLQ4ejO4VkLWrqFRcVD 2qPgl76Md1gOQ==
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id C4B792BE for <mud@ietf.org>; Wed, 6 Mar 2024 11:54:21 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: mud@ietf.org
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="==-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 06 Mar 2024 11:54:21 -0500
Message-ID: <19938.1709744061@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/-ZGRey-zUaRI2Yqpo423a94yZ-g>
Subject: [Mud] iot-dns-considerations: tailored response vs geofence
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2024 16:54:35 -0000
I'm reposting this in case this thread on opsawg got lost for MUD enthuasists.
--- Begin Message ---On Tue, Mar 5, 2024 at 3:26 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > > Erik Kline <ek.ietf@gmail.com> wrote: > > I asked on a DNS directorate + wg chairs sync earlier today and nobody > > seemed to have in mind either (a) a single good reference nor (b) a > > single good definition for a "geofenced name". > > > Perhaps we can begin by clarifying what it means to you? In mind there > > were two alternatives; roughly: > > > [a] a name for which a DNS authoritative will hand out different > > RRs depending on the client src IP (conceptual proxy for geolocation), > > or > > > [b] a name for which a DNS authoritative will either hand out some > > RRs **or** return NODATA or some kind of error to others, as a function > > of client IP. > > > Are either of those close to what you mean? > > Both are intended. > Is my term "geofenced" wrong perhaps? Is this just a geolocation DNS? > > Looking around at some documents, I found: > https://datatracker.ietf.org/doc/draft-pauly-httpbis-geoip-hint/ > and: https://www.rfc-editor.org/rfc/rfc7871.html > > RFC7871 speaks alot about the behaviour of the authoritative server without > ever calling it geolocation :-) > "Tailored response" is the closest I can gleam from that document, which I > agree is a more general term. > > I could use that term and reference 7871. > > here is how I would use it: > https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-mud-iot-dns-considerations/pull/15 > > I found the discussion in RFC7871 concerning DNSSEC a bit concerning. > It seems that the entire RRset needs to always be returned (so that DNSSEC > can verify), but if that is done, how is the reply tailored, since A/AAAA > records are not intended to be ordered (and bind9 is about to remove that option). > > Here is my proposed text, in case you haven't used the link above yet: > > -Due to the problems with different answers from different DNS servers, described above, a strong recommendation is to avoid using geofenced names. > +## Do Not Use Tailored Responses to answer DNS Names > + > +{{?RFC7871}} defines the edns-client-subnet (ECS) EDNS0 option, and explains > +how authoritative servers sometimes answer queries differently based upon the > +IP address of the end system making the request. > +Ultimately, the decision is based upon some topological notion of closeness. > +This is often used to provide tailored responses to clients, providing them > +with a geographically advantageous answer. > + > +When the MUD controller makes it's DNS query, it is critical that it receive > +an answer which is based upon the same topological decision as when the IoT > +device makes its query. > + > +There are probably ways in which the MUD controller could use the > +edns-client-subnet option to make a query that would get the same treatment > +as when the IoT device makes its query. If this worked then it would receive > +the same answer as the IoT device. > + > +In practice it could be quite difficult if the IoT device uses a different > +Internet connection, a different firewall, or a different recursive DNS > +server. > +The edns-client-server might be ignored or overridden by any of the DNS infrastructure. > + > +Some tailored responses might only re-order the replies so that the most > +preferred address is first. > +Such a system would be acceptable if the MUD controller had a way to know > +that the list was complete. > + > +But, due to the above problems, a strong recommendation is to avoid using > +tailored responses as part of the names in the MUD file. If this is the recommendation that has consensus then I think this definitely explains the intention more clearly, thank you. That said, it seems to me to be akin to saying "don't use a CDN", or at least don't use them the way most CDN services are configured. I'm not sure how this will be received by folks who should be reading and considering these things. Still, including it as RECOMMENDED seems fine to me. It tells the reader "here be dragons" and sets out the rationale. Thanks.--- End Message ---
-- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Mud] iot-dns-considerations: tailored response v… Michael Richardson