IETF Logo Mail Archive

Re: [Tsv-art] [DNSOP] Tsvart telechat review of draft-ietf-dnsop-dns-error-reporting-07

Roy Arends <roy@dnss.ec> Wed, 14 February 2024 00:24 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D5CCC15155F for <tsv-art@ietfa.amsl.com>; Tue, 13 Feb 2024 16:24:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YsSZjZ3RTg5F for <tsv-art@ietfa.amsl.com>; Tue, 13 Feb 2024 16:24:13 -0800 (PST)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63656C151545 for <tsv-art@ietf.org>; Tue, 13 Feb 2024 16:24:12 -0800 (PST)
Received: by mail-wm1-x333.google.com with SMTP id 5b1f17b1804b1-410e676c6bbso11172475e9.1 for <tsv-art@ietf.org>; Tue, 13 Feb 2024 16:24:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; t=1707870251; x=1708475051; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=eM8MfPoT6VSVUVKTAuUMxrt9FQOQEU+fFhcyTz28S8g=; b=LdxRPmhrU+5ctu1e009tUrmbfJJPJLf7jSro4IF8NNHXelPKnKyqBvmqoZxLofaX6u Sd1g7q3ZxvGuQaBORbkVru+CHdTRvgJC2DMSeBCchNyUuo6hWCje1AQrKVzpoWcZpfTz oACdpzPoxJKlQnHEnZ8pgbqifqOJNd3cZnM2o=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707870251; x=1708475051; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=eM8MfPoT6VSVUVKTAuUMxrt9FQOQEU+fFhcyTz28S8g=; b=gJu5XiD3zdEhkpKMOBtNMI8e6jvRXG5ANpWssJxHsPvqxmo+OYLAxsALchm+QgMDFs 1pHggWxDal/zA4LG5ICVqsTagatqk6+5uYZt0EwOQD0USM5FcCYjYZ6gr3dow4OvF1k7 bC2lvwWTw1PvAOBxPAC/4oZX/iLTeStlDQ63PP85xI8JneETMKeg9OqoZ4UUGU0tSmhV BghWjDGLUll2OuftRn/Py04kiO9MisnGRffqp/mS9PgtCiRlAbWVZ0Zb64dwkfsUt1cN qyIQqZ6rFb9s77P5h5IfaFFTGC803BaKN5E2Wrp7Z8xCcQeuD5v4YxBkmxlS9xgWRtie J9Zg==
X-Gm-Message-State: AOJu0Yyw+LtO8tB7gG/7dKuAWLCdmbHMTg8WwLEoPP1rnFpoT/q2RaC+ xqTBh3rhLK3ICVzrmjkQs6+hSQtZqf6YSIYKU4/bwkycYXerHxFeUawe4Z2/Wqg=
X-Google-Smtp-Source: AGHT+IHw8RHUToIhK/dy/+Dd7FAG3vCDrmrLd9DHUaFlhLRPwF9dbyQT2Ye7ByHfP10pKoyKiC6dtg==
X-Received: by 2002:a05:600c:4511:b0:40f:db48:a1f5 with SMTP id t17-20020a05600c451100b0040fdb48a1f5mr798826wmo.35.1707870250646; Tue, 13 Feb 2024 16:24:10 -0800 (PST)
Received: from smtpclient.apple ([78.111.198.85]) by smtp.gmail.com with ESMTPSA id l20-20020a7bc454000000b0041061f094a2sm258400wmi.11.2024.02.13.16.24.09 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 13 Feb 2024 16:24:10 -0800 (PST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <170195243214.35471.15139593366465856989@ietfa.amsl.com>
Date: Wed, 14 Feb 2024 00:24:03 +0000
Cc: tsv-art@ietf.org, dnsop@ietf.org, draft-ietf-dnsop-dns-error-reporting.all@ietf.org, last-call@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <73358628-DFCD-4048-A3D7-FFA2BCF3573D@dnss.ec>
References: <170195243214.35471.15139593366465856989@ietfa.amsl.com>
To: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
X-Mailer: Apple Mail (2.3774.400.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/POe2XhRi1J8ckDu7gK1JI5iRrCM>
Subject: Re: [Tsv-art] [DNSOP] Tsvart telechat review of draft-ietf-dnsop-dns-error-reporting-07
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2024 00:24:18 -0000

> On 7 Dec 2023, at 12:33, Gorry Fairhurst via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Gorry Fairhurst
> Review result: Ready with Issues
> 
> This document has been reviewed as part of the transport area review team's
> ongoing effort to review key IETF documents. These comments were written
> primarily for the transport area directors, but are copied to the document's
> authors and WG to allow them to address any issues raised and also to the IETF
> discussion list for information.
> 
> When done at the time of IETF Last Call, the authors should consider this
> review as part of the last-call comments they receive. Please always CC
> tsv-art@ietf.org if you reply to or forward this review.
> 
> Thank you for a well written document, and it's description of the service to
> be provided.
> 
> This is proposed as a "lightweight" reporting mechanism.
> 
> The method states it can be used over TCP. In this case, TCP provides the
> necessary congestion control, flow control and segmentation. I did not see
> additional transport concerns.
> 
> Thius is an updated review for -07, which addressed some of the previous issues.
> 
> The method also states it can be used over UDP - which is equally recommended.
> However, the specification for use over UDP is incomplete and raises some
> transport concerns:
> 
> 1. There is a recommendation to use DNS COOKIEs [RFC7873] over UDP (PS), but no
> statement about how to mitigate the effects when these are not used. What ought
> someone to do when this is not done?

It is recommended that the client (the resolver) sets the DNS COOKIE. The benefit of using cookies is for the client. It is to make sure that the response is genuine. However, there is little value in the response. The actual value for error-reporting is to the authoritative server that may have an issue.

When cookies are not set, or are not used, there is language that states the following:

The monitoring agent SHOULD respond to queries received over UDP that have no DNS COOKIE set with a response that has the truncation bit (TC bit) set to challenge the resolver to re-query over TCP.

I hope this is sufficient.

> 2. New text was added to note how to handle reports larger than the maximum UDP
> datagram payload. (This is likely resolved in -07.)

yes.

> 3. I think this method could in some uses generate a stream of reports at a
> rate that could be more than a few UDP datagrams per RTT, (e.g., if implementing
> automated responses). In this case, I think method would need to provide some
> basic rate-limiting (or implement a form of congestion control). I understand the rate 
> is usually "damped" by caching to one message/TTL perreport, but I am unsure 
> whether this is sufficient to mitigate any congestion control concerns.
> Additional text may still be needed.

I will add some text to that effect. How about:

The reporting resolver should rate limit the number of error reports send to a monitoring agent. The maximum number of concurrent reporting is 1. This limits the rate to be one UDP datagram per RTT.

Is this sufficient?

Warmly,

Roy

v2.23.0 | Report a Bug | By Email