Re: [secdir] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12
"Wessels, Duane" <dwessels@verisign.com> Fri, 27 August 2021 23:05 UTC
Return-Path: <dwessels@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D184C3A1D87; Fri, 27 Aug 2021 16:05:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BnJ3ImM4tHgK; Fri, 27 Aug 2021 16:05:13 -0700 (PDT)
Received: from mail3.verisign.com (mail3.verisign.com [72.13.63.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0340A3A1D85; Fri, 27 Aug 2021 16:05:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=9063; q=dns/txt; s=VRSN; t=1630105513; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=Auhokxn15UNg7SBhF0JaNUZBZhWcd5IkgwN0codDHJo=; b=dyJXDT6yhrqaBlEuQnz+33GgcE2prRUrEqWiQZnb9gdSJ7pE5LHnVC40 in5K/DhyNtfhrINEhXw7k2qmFZARIpWfUYEQH2kep/1uQKAH4+PHBRF2q 56VtoFVjQJT3b5OeSdk+38cAaasG6WSFCyFOEFHYGM0dgyi2TnaKUp+Zo JKkBDHnPgsqorpRLLrHY4XvnhdGHbL8HNO/l7Q3Vf2nC44CME/MXt8Ed5 C6/hsDC1amwNYUyH6kTorcvyarKtxVbWoUIvi2LW36rD3HNp+TCT/tPgJ VOex5C63uPjxxj7JrzXM+nEKASue8FfBiK4H+hl3fOlnKDHvuRzHjUV82 Q==;
IronPort-SDR: fP9KxizFDah8pnvNixyW0g+Ko9MShsB2oiEQPzBqRLcW4Pi14VwJuP2HguUzjOx/lJI7jpz7ko y1XU0iPQaD77za9C6916V+HQ2zMXQuRhiwa/ES8TkQ50r+taRZkki1DlLtn3q63tbwdG5plaEN w/tDnwiypFBMO8dVOP/I+oxQfn36aCWxIacWjoauvIC1hMTU3cflPn7x7/crYoTX/9e6pMCDMZ VS8SH+3idBn41MLjX7MEUg5DXMrNxDiqCcs3kZoD1DLwt3SidCQrYIJS+wDAiV2WfrRLRckA/5 qP4=
IronPort-HdrOrdr: A9a23:C3QY76PlzFHjXsBcThyjsMiBIKoaSvp037BN7TEVdfU1SL37qy nAppQmPHPP5gr5O0tOpTnoAsDpfZq2z+8X3WB+B9afdTijlmeuIJpr8IfuhxbxcheTysdtkY NtabJ3BtG1L1Rr5PyR3CCIV/It2sOO/qztv/rZ1HsFd2xXQrtt9Bh0ETyWFUBKRA1LbKBTKK ah
X-IronPort-AV: E=Sophos; i="5.84,357,1620691200"; d="p7s'?scan'208"; a="9768751"
Received: from BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.8; Fri, 27 Aug 2021 19:05:11 -0400
Received: from BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d]) by BRN1WNEX01.vcorp.ad.vrsn.com ([fe80::a89b:32d6:b967:337d%4]) with mapi id 15.01.2308.008; Fri, 27 Aug 2021 19:05:11 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: Alan DeKok <aland@freeradius.org>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org" <draft-ietf-dnsop-dns-tcp-requirements.all@ietf.org>
Thread-Topic: [EXTERNAL] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12
Thread-Index: AQHXm4IW1D9iX4Pn7k6ITpXUHmZR5auIPACA
Date: Fri, 27 Aug 2021 23:05:10 +0000
Message-ID: <D5A13824-F8A1-4EB7-A701-19345552B75A@verisign.com>
References: <0DA9ABEC-E5F0-4479-B3D7-F03E6BEB7DF9@freeradius.org>
In-Reply-To: <0DA9ABEC-E5F0-4479-B3D7-F03E6BEB7DF9@freeradius.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.120.23.2.7)
x-originating-ip: [10.170.148.18]
Content-Type: multipart/signed; boundary="Apple-Mail=_0ADE64AA-32DA-4700-88A9-476508B1D605"; protocol="application/pkcs7-signature"; micalg="sha-256"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/20jebJCOet6tBWcEVWgotpbgViY>
Subject: Re: [secdir] Secdir review of draft-ietf-dnsop-dns-tcp-requirements-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Aug 2021 23:05:20 -0000
> On Aug 27, 2021, at 1:28 PM, Alan DeKok <aland@freeradius.org> wrote: > > Caution: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. > > Reviewer: Alan DeKok > Review result: Has nits Thanks for the review Alan. > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > Over all, I think this document is clear, useful and well written. > > Section 1 says: > > ... Section 6.1.3.2 to clarify that all DNS resolvers and recursive MUST > support and service both TCP and UDP queries. > > NIT: bare "recursive" should perhaps be "recursive servers", to match similar text elsewhere in the document. Yep, I'll make that change. > > > It may be good to update Section 3 with notes on "head of line blocking". This text could arguably be in RFC 7766, but having it here is a reasonable alternative: > > When using UDP as a transport for DNS, there is no ordering of > packets. If a packet is lost, that loss has no > effect on subsequent packets sent by that client or server. > > Unlike UDP, TCP is subject to issues related to Head of Line (HoL) > blocking. This occurs when a TCP segment is lost and a subsequent > TCP segment arrives out of order. While the DNS implementation can > process DNS packets out of order, the semantics of TCP makes this > impossible. This limitation can lower the maximum packet processing > rate of DNS over TCP. Can you clarify by what you mean with "While the DNS implementation can process DNS packets out of order, the semantics of TCP makes this impossible." Do you mean in the case of a lost TCP segment, or in general? I wonder if this might fit equally well under a new 2.x subsection. > > > Section 6 says: > > Developers SHOULD also keep in mind connection reuse, query > pipelining, and out-of-order responses when building and testing DNS > monitoring applications. > > It would also be good to note that if the monitoring software tracks requests and responses, then clients could potentially attack the monitoring software, too. i.e. by sending large volumes of requests to "black hole" IPs, which will never get a response. So the monitoring software should have both timeouts for request/response tracking, and also limit the total number of request/responses which are monitored. Yes, thats a good point. I will come up with some text for that. DW
- [secdir] Secdir review of draft-ietf-dnsop-dns-tc… Alan DeKok
- Re: [secdir] Secdir review of draft-ietf-dnsop-dn… Wessels, Duane
- Re: [secdir] Secdir review of draft-ietf-dnsop-dn… Alan DeKok
- Re: [secdir] Secdir review of draft-ietf-dnsop-dn… Wessels, Duane