From nobody Mon Apr 1 11:29:42 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 423B21204F1 for ; Mon, 1 Apr 2019 11:29:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JHRe-r_7Ycym for ; Mon, 1 Apr 2019 11:29:37 -0700 (PDT) Received: from mx2.cira.ca (mx2.cira.ca [192.228.22.117]) by ietfa.amsl.com (Postfix) with ESMTP id 6E5DF1204F0 for ; Mon, 1 Apr 2019 11:29:37 -0700 (PDT) X-Virus-Scanned: by SpamTitan at cira.ca Received: from CRP-EX16-02.CORP.CIRA.CA (10.2.36.121) by CRP-EX16-02.CORP.CIRA.CA (10.2.36.121) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1531.3; Mon, 1 Apr 2019 14:29:36 -0400 Received: from CRP-EX16-02.CORP.CIRA.CA ([fe80::15c6:1482:4083:e9f7]) by CRP-EX16-02.CORP.CIRA.CA ([fe80::15c6:1482:4083:e9f7%13]) with mapi id 15.01.1531.010; Mon, 1 Apr 2019 14:29:36 -0400 From: Jacques Latour To: dnsop Thread-Topic: DNS over XMPP - DoX Thread-Index: AdTouDGYTbv6e1OqTj+pxoihRneHiA== Date: Mon, 1 Apr 2019 18:29:36 +0000 Message-ID: <8c222ce06b3e445f86f350d84089948e@cira.ca> Accept-Language: en-CA, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [172.16.4.57] Content-Type: multipart/alternative; boundary="_000_8c222ce06b3e445f86f350d84089948eciraca_" MIME-Version: 1.0 Archived-At: Subject: [DNSOP] DNS over XMPP - DoX X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Apr 2019 18:29:40 -0000 --_000_8c222ce06b3e445f86f350d84089948eciraca_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable https://xmpp.org/extensions/xep-0418.html XEP-0418: DNS Queries over XMPP (DoX) Abstract: This specification defines an XMPP protocol extensio= n for sending DNS queries and getting DNS responses over XML streams. Each = DNS query-response pair is mapped into an IQ exchange. Author: Travis Burtrum Should be added to https://developers.cloudflare.com/1.1.1.1/fun-stuff/ --_000_8c222ce06b3e445f86f350d84089948eciraca_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

https://xmpp.org/extensions/xep-0418.html

 

XEP-0418: DNS Queries o= ver XMPP (DoX)

Abstract:  &n= bsp;           This speci= fication defines an XMPP protocol extension for sending DNS queries and get= ting DNS responses over XML streams. Each DNS query-response pair is mapped= into an IQ exchange.

Author: Travis Burtrum<= o:p>

 

Should be added to https://developers.cloudflare.com/1.1.1.1/fun-stuff/

 

 

--_000_8c222ce06b3e445f86f350d84089948eciraca_-- From nobody Mon Apr 1 14:03:08 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C364120033 for ; Mon, 1 Apr 2019 14:03:06 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=cvoVSbV/; dkim=pass (1536-bit key) header.d=taugh.com header.b=PtfuEG45 Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2HhnzqAE7V_I for ; Mon, 1 Apr 2019 14:03:04 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 569B112000E for ; Mon, 1 Apr 2019 14:03:04 -0700 (PDT) Received: (qmail 68586 invoked from network); 1 Apr 2019 21:03:02 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:mime-version:content-type:user-agent; s=10be8.5ca27c86.k1904; bh=YB39HYrvYPUHd4OeLtXP/qS6NTexCEhvIF/s+6B4gtQ=; b=cvoVSbV/AE5yf+nwuB9JYLrTWFt0s158ZI63SBMkFqFBFHZmDuQFElB6mWlK3zqWc5Gf6hgtw6blaH+USB3VchecHvrX6LHwcTP2955+KgCkjw/GNZYvWWV5wxeFdRZerIANNzdUq38IXgGG+xqB1Rl26gBBIlB4tMIaFO7tPmo+sqRUvZi15nD8DZDLmyHY2TDuzpVmwmYoZRX3hEC58xteRzsz7Z2f5QvBBmiraDN9kBezV3W5tk/WXdU9hSFL DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:mime-version:content-type:user-agent; s=10be8.5ca27c86.k1904; bh=YB39HYrvYPUHd4OeLtXP/qS6NTexCEhvIF/s+6B4gtQ=; b=PtfuEG45/Y+XG83W4WTNUQhYTOJbAx3oKW/5UO+SyNgLC7YuF8LGPbIeyZ0kzLcUFqP4NNheNU4CVKPkMawBDYk7/ropPbxTtJonAXiAYBwsjYMfhHgZEj0nvGNRZF4G/KaVH8ldEmWddEj7DeqoWOhSJNaUOXAvVRKsKOlIQZbzzqaWf5hYy5Kb2DWFMd1lrQfMT1UHtJTB85nRZ56rXu136LUBLPqdnSbHj4NRI/KnPiarYXEH3JNjuL6nCz76 Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 01 Apr 2019 21:03:02 -0000 Date: 1 Apr 2019 17:03:02 -0400 Message-ID: From: "John R Levine" To: dnsop@ietf.org User-Agent: Alpine 2.21 (OSX 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII Archived-At: Subject: [DNSOP] RFC 8567: Customer Management DNS Resource Records X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 01 Apr 2019 21:03:07 -0000 Don't miss this recently published DNS RFC. Abstract Maintaining high Quality of Experience (QoE) increasingly requires end-to-end, holistic network management, including managed Customer Premises Equipment (CPE). Because customer management is a shared global responsibility, the Domain Name System (DNS) provides an ideal existing infrastructure for maintaining authoritative customer information that must be readily, reliably, and publicly accessible. This document describes four new DNS resource record types for encoding customer information in the DNS. These records are intended to better facilitate high customer QoE via inter-provider cooperation and management of customer data. https://tools.ietf.org/html/rfc8567 Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly From nobody Tue Apr 2 03:22:57 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21DB51200EF for ; Tue, 2 Apr 2019 03:22:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.022 X-Spam-Level: X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fcelda.cz Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eCWTWuxujG0F for ; Tue, 2 Apr 2019 03:22:53 -0700 (PDT) Received: from mail-vk1-xa30.google.com (mail-vk1-xa30.google.com [IPv6:2607:f8b0:4864:20::a30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97C9D12004E for ; Tue, 2 Apr 2019 03:22:53 -0700 (PDT) Received: by mail-vk1-xa30.google.com with SMTP id h71so2835674vkf.5 for ; Tue, 02 Apr 2019 03:22:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fcelda.cz; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=lso3m1hagAetmqdjDUeUOuxfvnTLYd0hSLVyZ8XzSbI=; b=QkrQaN48SDwYhyJbxvC+0h8gQO04D4A33Hv8BpDlsb/AKbC0bRR4Fc9f1RYX2QNIvg 5l7kWtD3y8avrJr3kNB5Y/PlFEVZS58IClSunbQwiH0PNZD7MlA40FFxedwDUh6BlvAM gapE350m78PUfxhyyZNoIHfNioPUdNDdqPzag= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=lso3m1hagAetmqdjDUeUOuxfvnTLYd0hSLVyZ8XzSbI=; b=Q5zkqwubq5SDtvuVXTZavXR9hgn8tKO0R2a5Dn4a2mfhlFCfPKIzyZqT56lbC5XBkV RkB4A903d0jRRPyriY92Yn5kUjAuoN2rCWJIg58qMxx2BGwR9B7FW7zCCh7JCP9Hy2NQ wpjTbNxLNqxKdqqRov1xjNRpOf1vS6dsIZXnN087r5xGaAx9MNCeEZCmCC5CCfrdhWIh YE+XFjtDa4Wok1jbYzl/R5/N0TANnlbaGiCTcR5WrZQk2J2BY7MlstXnMFpgSd5MTsQD 4+GN9rBlw5kKqlyhFaRj4W3rGeLy0nkr/JKaEydVb0431g2fVKHxE+qfe9BNb6v4xIUa +iBw== X-Gm-Message-State: APjAAAW6mhOw4c5WQcF+UCDlxaJhPqz0yFCKHedNm3pYo4P8xM3PkeVa 6WUUriwsOp4o2S+Yc5yaMrLWb0vbiqkCwbxS/6pXWNHuxPvamQ== X-Google-Smtp-Source: APXvYqxwqM6SpqtvtFB8Xd/SMOSpQ9jMD8uqOXn/O0aYdh35CGtHu+FnVHbecDqsTUOnpJPvyJ/FvqjpK9pY0kGll/k= X-Received: by 2002:a1f:b712:: with SMTP id h18mr39105325vkf.62.1554200572411; Tue, 02 Apr 2019 03:22:52 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: =?UTF-8?B?SmFuIFbEjWVsw6Fr?= Date: Tue, 2 Apr 2019 12:22:41 +0200 Message-ID: To: dnsop@ietf.org Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 10:22:56 -0000 On Fri, Mar 29, 2019 at 9:58 PM Tony Finch wrote: > There were several useful points at the mic; thanks Paul Hoffman for > noting them in the minutes (especially because I could not remember who > said what). In no particular order... Tim also mentioned that the vendors have their own secret sauce for handling the ANAME-like records. Let me share some details about the NS1's ALIAS record implementation. I hope it will be helpful when thinking about the remaining edge cases and also as an input for new implementers. The most significant difference from the current draft is that sibling A/AAAA records have precedence over the ALIAS record. I think this behavior is closer to how CNAME is usually processed by a DNS server (i.e. first try to match the QTYPE then check if there is a CNAME) however I don't find this reasoning determinant. One advantage is that you can configure static AAAA record and use ALIAS to resolve only the A. The ALIAS records are resolved by our edge servers when needed and the result is cached. Nothing is written into the zone. We always resolve both A and AAAA at the same time and use the minimal TTL of the A and AAAA to determine how long to keep the result in the cache. The current TTL is also used in the answers (i.e. you will see the value drop when querying the same server several times). Also, if A nor AAAA exist at the ALIAS target, our authoritative server responds with SERVFAIL to indicate misconfiguration of the record. The ANAME from the draft would result in NODATA. We prefer SERVFAIL as we don't want the resolver to cache NODATA if there is an interim problem resolving the ALIAS target. Last but not least, we strip ALIAS from zone transfers. I guess that's all about the "secret sauce". We would like to move from ALIAS to ANAME when the draft becomes stable and other implementations start to emerge. The critical change for us is likely the A/AAAA vs ANAME priorities. In case the primary server adds sibling A/AAAA to the ANAME for compatibility with old resolvers, our implementation would always use the fallback records and ignore the ANAME if the zone was ingested over a transfer. We also have existing users that rely on the current behavior and we have to check that we won't break their setup if we change anything about the processing. I believe this aspect of sibling A/AAAA was already discovered in a context of "zombie records" mentioned in https://github.com/each/draft-aname/issues/25. There will be some challenges but I'm really happy that ANAME is happening. Jan From nobody Tue Apr 2 09:00:56 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B04412073E for ; Tue, 2 Apr 2019 09:00:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.199 X-Spam-Level: X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SfdRuwShH3tP for ; Tue, 2 Apr 2019 09:00:44 -0700 (PDT) Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6121120306 for ; Tue, 2 Apr 2019 08:54:12 -0700 (PDT) X-Cam-AntiVirus: no malware found X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus Received: from grey.csi.cam.ac.uk ([131.111.57.57]:56602) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1hBLjj-000TXn-0x (Exim 4.91) (return-path ); Tue, 02 Apr 2019 16:54:07 +0100 Date: Tue, 2 Apr 2019 16:54:07 +0100 From: Tony Finch To: =?UTF-8?Q?Jan_V=C4=8Del=C3=A1k?= cc: dnsop@ietf.org In-Reply-To: Message-ID: References: User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: multipart/mixed; BOUNDARY="1870870841-1158137880-1554220447=:18432" Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 16:00:54 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --1870870841-1158137880-1554220447=:18432 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: QUOTED-PRINTABLE Jan V=C4=8Del=C3=A1k submitted a GitHub issue about loop detection which I = think should be discussed by the wg not just the authors. https://github.com/each/draft-aname/issues/45 The -02 draft requires that CNAME+ANAME chains are chased to their ultimate target. There are a few reasons for this: * It is more CNAME-like (though the draft doesn't amend CNAME's behaviour to chase ANAMEs.) * It reduces the amount of TTL stretching that can occur if there is an ANAME chain. If these requirements are relaxed then it makes sense to chase chains less enthusiastically. WRT loop detection, it is much easier if the additional section in the response from the resolver contains the chain(s). The draft doesn't specify that at the moment; maybe it should. Tony. --=20 f.anthony.n.finch http://dotat.at/ Bailey: North 5 to 7, occasionally gale 8 at first. Very rough, becoming ro= ugh later in west. Thundery wintry showers. Good, occasionally poor. --1870870841-1158137880-1554220447=:18432-- From nobody Tue Apr 2 10:31:29 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42D2E12016E for ; Tue, 2 Apr 2019 10:31:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.235 X-Spam-Level: X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zeit-co.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EPftJ3_E4LbD for ; Tue, 2 Apr 2019 10:31:25 -0700 (PDT) Received: from mail-lf1-x12d.google.com (mail-lf1-x12d.google.com [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A63E120172 for ; Tue, 2 Apr 2019 10:31:25 -0700 (PDT) Received: by mail-lf1-x12d.google.com with SMTP id b7so9612103lfg.9 for ; Tue, 02 Apr 2019 10:31:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zeit-co.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Cr1TkwjKQvrglR/ayPdfFs2EaH/WYpvoIJFF4C9CKG4=; b=XrvuamnGa5GxDE2gp1TEYtyvQN38dsKoaymNjv29HYvfXN9dmhaXpiNbg4ZmgH0J9C yB5QAQnPNyAzXtFlPFfDzw6HuZLxpbQZJKDXc7iW36QMprebXgNRE2Bkn8qmKGsUjQMp 0cF9SHjbylBHBw7gNf98uvl1XheZySnRYPj3IQpe1oAGP/Z4or2D5VATzEXc68FcBCOa 2k2L8NHdDfGhuwp1ijndQx9qildOjj0j6H5+avFarM0nkqFNS5bc9Ldt8/8mhajfEodn X2TWN5tu9/PuPnVk94poktV7Woq2Dyk34/ytfRw+59BgSY25xd69thGo4r2SHlT9+/fR hebQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Cr1TkwjKQvrglR/ayPdfFs2EaH/WYpvoIJFF4C9CKG4=; b=UdDPelxeYW+RoYCMzMN6G8rG3Ix6Xia4cs9Id7FG7SA4FhJ23NXjec84sHHoOQuz0Q 1qYjQrjhJ7taRswRbTQ4NF14jV/Po/WYBOngBcOH65IroojhhLGTH9NGS4o4dD+ZB89d 2ZQbkikU+RMetUE0/S+/d1OEYrZxrrV223DWaHqjKwZ0BEfYq+CsopfPsQHwkuSUiYiy 0pzpaIruvXqftja90IioI8XsfMbTtd/T56lYBfNnQ53W+mhOYbKv31QGWFJSv1EmmIAG nqmCCJG0eV79EjSt1ilN2PzuHVmpNTTBHcr7WI0VrJqTo+vpcVFqqtUZkF35lVSPEO3a 0hKA== X-Gm-Message-State: APjAAAVD6fKlebSRDjwvXfyjKm4nIH4kBz3qeP8YWnhGNC9yY9pTp/3A shhckkveimghHfHkNF7+DaXI82xmGZbICZ/M7Ubzcg== X-Google-Smtp-Source: APXvYqw4EplrFPihuK659A72nAuGAnyI/8eEfjU0/sHEVFnVXDrjpRdcbQlMysZI/Lh9QOCsGBHalxf5/tzVsME+5E0= X-Received: by 2002:ac2:4148:: with SMTP id c8mr9549537lfi.2.1554226283519; Tue, 02 Apr 2019 10:31:23 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Olli Vanhoja Date: Tue, 2 Apr 2019 19:31:12 +0200 Message-ID: To: Tony Finch Cc: =?UTF-8?B?SmFuIFbEjWVsw6Fr?= , dnsop Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 17:31:27 -0000 On Tue, Apr 2, 2019 at 6:03 PM Tony Finch wrote: > > WRT loop detection, it is much easier if the additional section in the > response from the resolver contains the chain(s). The draft doesn't > specify that at the moment; maybe it should. Why is it easier? I would think some people may even want to hide the chain, even though it doesn't exactly hide the provider behind the final IP. From nobody Tue Apr 2 10:42:55 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE5F1120147 for ; Tue, 2 Apr 2019 10:42:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.199 X-Spam-Level: X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id so0I47uDGrSc for ; Tue, 2 Apr 2019 10:42:51 -0700 (PDT) Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [131.111.8.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D4D5120172 for ; Tue, 2 Apr 2019 10:42:51 -0700 (PDT) X-Cam-AntiVirus: no malware found X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus Received: from grey.csi.cam.ac.uk ([131.111.57.57]:36398) by ppsw-33.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.139]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1hBNQu-000yW2-iM (Exim 4.91) (return-path ); Tue, 02 Apr 2019 18:42:48 +0100 Date: Tue, 2 Apr 2019 18:42:48 +0100 From: Tony Finch To: Olli Vanhoja cc: dnsop , =?UTF-8?Q?Jan_V=C4=8Del=C3=A1k?= In-Reply-To: Message-ID: References: User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 17:42:54 -0000 Olli Vanhoja wrote: > On Tue, Apr 2, 2019 at 6:03 PM Tony Finch wrote: > > > > WRT loop detection, it is much easier if the additional section in the > > response from the resolver contains the chain(s). The draft doesn't > > specify that at the moment; maybe it should. > > Why is it easier? Maybe it isn't and I wasn't thinking carefully :-) Tony. -- f.anthony.n.finch http://dotat.at/ Southeast Iceland: Northerly 7 to severe gale 9, veering northeasterly 5 or 6, then becoming variable 4 later in west. Very rough or high, becoming moderate or rough later. Mainly fair. Good, occasionally poor at first. From nobody Tue Apr 2 13:00:27 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3A5D120158 for ; Tue, 2 Apr 2019 13:00:26 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.019 X-Spam-Level: X-Spam-Status: No, score=-6.019 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sLc18a2mjV5n for ; Tue, 2 Apr 2019 13:00:24 -0700 (PDT) Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0608A12027B for ; Tue, 2 Apr 2019 13:00:24 -0700 (PDT) Received: from [IPv6:2a02:768:2208:ed02:7285:c2ff:fe3a:c784] (unknown [IPv6:2a02:768:2208:ed02:7285:c2ff:fe3a:c784]) by mail.nic.cz (Postfix) with ESMTPSA id EF91A605B9; Tue, 2 Apr 2019 22:00:20 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1554235221; bh=XWdlrAFXztq/Sx2k7EG5uRdktz1WXAKGgdaCQfVMSIs=; h=To:From:Date; b=G9zZuAxL7UGg4ucafS4BF/azOcCuEW4Ney/U+3CEQ7qpItd7SWDkQrVYuVdZ5v2cB PKq/sZcDqZ5WVEALrcL6TrK5n+fNNT64GEPdsFW9BpEyke/K8A/2MkO/0RhZrJXmcv 9t2bIc+miQN6ZbbcrsNKILLRZOeU1Gf5Muo++CL0= To: dnsop@ietf.org, Olli Vanhoja References: From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= Openpgp: preference=signencrypt Autocrypt: addr=vladimir.cunat+ietf@nic.cz; prefer-encrypt=mutual; keydata= mQINBFgDknYBEADHEQwLBlfqbVCzq7qYcBFFTc1WCAFtqiKehOrsITnKusZw4nhYwlKQxcum gj01xJOhbfHBCBeGlDydYqemKg4IfY2nwSyPwZZYMJn7L7AGrCeytr4VMvDJ7o7qDZjjim4i fv+GUwdk3plXx6oMF4nctesI8aAOuLUHAn0PfrGfNhWoaglOKgdOI6DGjhI/aGkvy+jrI/+X sdMV+3f1RuEOfI+Yu4SXFjJyhAmqEOBRxxdHqKreIIpz3Lg38yWwiVGfwgQT+nFIz9BpHH3l Wg1uS8xM3ezceBmRYV8zT9PvbeZ57BlaTR6rLae5RYwV397PSLBqqLkB5H0TDRUFBnwBsUob LebYHmJCOydvyNv5AFkLmLZ7O4j2jFo1WPSMt3ThM6wRwqrnB4Gi+6onyrZfE1DnVZMqbxZ3 VXa+E4S5YwrfCLUErGEn+d40OtoRZmQXhRPVAsdjimMj9oFM9RoxSgUrDg6Ia3n0IrKFb++z HAFbqkR5g4qzXiOMEG621GYEex2sDEKz/PD4CVKlNI9eld4ToH592kAwzJmd+sAi+Rfos0NE zxuFd0ekAOeWoURo0zoYTSWPlMOmFMvcpH6LP3leJmY7x4z/b1ng/+7UnKonVALVPFbRbElO kIfAtLKcUEofwV1jr7DyYGPalJtiDJPomB041ZHCj2RxyXY/oQARAQABtDBWbGFkaW3DrXIg xIx1bsOhdCAod29yaykgPHZsYWRpbWlyLmN1bmF0QG5pYy5jej6JAlQEEwEIAD4CGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQS2AGRgtgqA54IGJEnnR98flXWjqgUCWg3w 3gAKCRDnR98flXWjqmD6D/96U4cDZBrHQ5LhqybocZr/N2IS5Wr2SLLB4k2F5/W/wbL05gq6 Ha9/2TMqXoxRkhug+EAHFHxylPR43yN9rz0pjBXHrra87FAPHMqq/qqrOEUdhkytEqa6WIho aoEkdhaMhUyctjVjL2WZ0+MWeRjqedLQX+VCrOVPcVbLreRRhA9N3KPgNwbp9zCg6hEPi4l2 zZKedHkTNjKIAwJ0xZoMwFa1Y+vL8Em8Or+IBZuGBMP/ZMtasPOIQaT/Gvsyx1DDorwsoCdX 6zaTZy5DOWP3FIrMzus/YDbzwAYxSpWk/jF44ySbnJzdjU67EfG3UrsK+RRGw8aJqs3/4qHK ZMZZnNL+4wJpEdnZyFic/MXcw6FBszQEwrIOaM1WEfwzn2ExUYk2pM5zaBwq76OgrmGMzMEi cfMDyqLodwEQqR70PvRbkrh+R02LphwQ9c5AFXcrLjKMmeQlbQVarTUsrELcTK6rElC1ojS7 M37j0XzFE+kgNWn2fyBRgtnGDWEa7r+oDaueXJnEf0/4Ww28IwxakNc7r0N41GIBekwSxKdk epKFZgtVGGSDlFei5hb5LLWFljA1OS7CRVJKpbHafQjdPdb1vNqZAj4y2SJXvVVpI1KO5kq+ dFdYipORv0N2Iho6MNYbQUT1EBeU46G5N0viCoLS15/PxLhIAo+PzKpW97kCDQRYA5J2ARAA yHww3huLEtsdyqgjiGMhtEKOLmp7yFl450HY9oPcHS02U5BC1370ssNShrdOCi2ACDbe41Zx x85WcuaO1OVqung2umX047mj2xQsiTAFRDLZsQu8cQFoEy/DBL2bk7ThfK1Lh+NyZAs0UaPp DkGodS0De9osA+4T6Nf4POYaeavbYVFSdDKS4lUboBqApKnD/TzKFxFcpuFx6FN92lteTbOo jGMiLoZvELY86Kn9KuFZ8FM2ZSNHx1Z75KouufGrdkeCoZYVYiuzT+fnt2it4dIpIlnF+yxM t5LB/MSrmECB5CAFJtxzuMccm6yDUZQSWWi9vUgxIJwvt5w0CIBT353DGeP4WnH0r5YoBKoR bh7i4fT0lWvMXTG/V2lqyzBdClMebyHffMgba26Kj6oeDygDfC5aGsVaqw1Ue/qQ5QRqTJcJ V7xVLTtS1EamVqkfKwPS0zTfnrF1jQtnO/P4qkfgBRRG9BXGGrykHpXOyqmX6Z0wbV2P4j+p 02oSecDl5yVXplJfsXfbS/xXnaSkaN/7mCU29ul26cAVNxDkDPunztSFi9K9LM2T/XWYJQGX M71OpmONQJGF24lx7Wp/kobnHtbjGDzjDPC4eSL7MA56qtrWaLM+4ePKANct2q0q6c0uSLs0 Q2zochS64Mcg0YzL1sinWPN1rXLDk3lwpIsAEQEAAYkCJQQYAQgADwUCWAOSdgIbDAUJCWYB gAAKCRDnR98flXWjqn4yEACA0f1XBAg+WMaNPtIt0k15yFPfhdbOg9GhDcYGgvFIOxRuaFWw 9SLUt7OGuUnIpKxKRXtQJss98fHkijo70ONYWPuLhfRGK/wg9Ao6MuFw5G8m431CBS/awrie b6iPjvAARXJCPTTBZk/NC988jiKdCh8PbTCHDsl+gSDytP15QUrdqSfS2Wf4653ej7+jtuTj xZzmGgvNSi6JDlb9KNtmBQKQAgpnOQM46ItESmzHDnmdcvhPLUDsjwkpIJ6clasOzaObwxJi ba7iFPcGwcClCSwYjMNXFtneCGUnEAa5RBIx+i+LV1iqB3VRvTC6tMIUueoQ7cdTy6afNkhw QYXm4/pDmNT8UMdnzwnlTpFQ0CegDQRDWc+dIDDBHGEEEYBh2vTOE04KrmYUp1bQsNegPfvL woHib0jEvohPMJ2fJtZAd1SJElgwPbM8H7emKBiTsHwF8gL7G2jo7AoGpqYjqXkCRS0tSLTN r+qHh+7Ltrkbu/ZVTTfh4Q/qw3VaLYQh4C0tBma/YevQy1O2c3TZXXFz1QF8b9/Hj/3sq2Kg T1AcZ51E+xG+cb6cUqgkihmgm39xx24GPlNAdCRuq01+iILol+Wox6OwF6hmqx1EMSmxcmGo UREr0rkMnFVsWeAYeVoE4q689qxCPu9iCMJMJnkRe1o9oQYSN7my+S98gA== Message-ID: Date: Tue, 2 Apr 2019 22:00:20 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.2 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------76E5E7C9B8CE90047CB23D7E" Content-Language: en-US X-Virus-Scanned: clamav-milter 0.99.2 at mail X-Virus-Status: Clean Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 02 Apr 2019 20:00:27 -0000 This is a multi-part message in MIME format. --------------76E5E7C9B8CE90047CB23D7E Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit On 4/2/19 7:31 PM, Olli Vanhoja wrote: > On Tue, Apr 2, 2019 at 6:03 PM Tony Finch wrote: >> WRT loop detection, it is much easier if the additional section in the >> response from the resolver contains the chain(s). The draft doesn't >> specify that at the moment; maybe it should. > Why is it easier? I would think some people may even want to hide the > chain, even though it doesn't exactly hide the provider behind the > final IP. If you return an empty SERVFAIL, your client (resolver) can't know it shouldn't retry and can't know how long not to retry.  I posted more details on the GitHub ticket. --Vladimir (Knot Resolver) --------------76E5E7C9B8CE90047CB23D7E Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit
On 4/2/19 7:31 PM, Olli Vanhoja wrote:
On Tue, Apr 2, 2019 at 6:03 PM Tony Finch <dot@dotat.at> wrote:

WRT loop detection, it is much easier if the additional section in the
response from the resolver contains the chain(s). The draft doesn't
specify that at the moment; maybe it should.

Why is it easier? I would think some people may even want to hide the
chain, even though it doesn't exactly hide the provider behind the
final IP.

If you return an empty SERVFAIL, your client (resolver) can't know it shouldn't retry and can't know how long not to retry.  I posted more details on the GitHub ticket.

--Vladimir (Knot Resolver)

--------------76E5E7C9B8CE90047CB23D7E-- From nobody Wed Apr 3 03:51:34 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C6CE1200B5; Wed, 3 Apr 2019 03:51:33 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit From: =?utf-8?q?Mirja_K=C3=BChlewind_via_Datatracker?= To: "The IESG" Cc: draft-ietf-dnsop-algorithm-update@ietf.org, Tim Wicinski , dnsop-chairs@ietf.org, tjw.ietf@gmail.com, dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.94.1 Auto-Submitted: auto-generated Precedence: bulk Reply-To: =?utf-8?q?Mirja_K=C3=BChlewind?= Message-ID: <155428869343.23036.15550811213285285456.idtracker@ietfa.amsl.com> Date: Wed, 03 Apr 2019 03:51:33 -0700 Archived-At: Subject: [DNSOP] =?utf-8?q?Mirja_K=C3=BChlewind=27s_No_Objection_on_draft?= =?utf-8?q?-ietf-dnsop-algorithm-update-07=3A_=28with_COMMENT=29?= X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 10:51:33 -0000 Mirja Kühlewind has entered the following ballot position for draft-ietf-dnsop-algorithm-update-07: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I wonder if it makes sense to keep section "4.1. DNSKEY Algorithms" with the table in the document. Of course this is only a current snapshot but probably gives readers also in future a good indication with tools to look at. From nobody Wed Apr 3 07:00:00 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28AF11200F9 for ; Wed, 3 Apr 2019 06:59:59 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 0.001 X-Spam-Level: X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sCr0HU-EqUXS for ; Wed, 3 Apr 2019 06:59:56 -0700 (PDT) Received: from ppsw-43.csi.cam.ac.uk (ppsw-43.csi.cam.ac.uk [131.111.8.143]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0F2B120003 for ; Wed, 3 Apr 2019 06:59:56 -0700 (PDT) X-Cam-AntiVirus: no malware found X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus Received: from grey.csi.cam.ac.uk ([131.111.57.57]:59462) by ppsw-43.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.136]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1hBgQj-0004AL-oh (Exim 4.91) for dnsop@ietf.org (return-path ); Wed, 03 Apr 2019 14:59:53 +0100 Date: Wed, 3 Apr 2019 14:59:53 +0100 From: Tony Finch To: dnsop@ietf.org In-Reply-To: Message-ID: References: User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 13:59:59 -0000 One thing I have been pondering is multi-target aliases. (But I haven't posted about it here because I don't think the suggestion will get very far!) Multi-aliases would be useful in some situations when I would like to be able to model systems at a higher level, for things like mx.cam.ac.uk which is a round-robin alias for addresses hosted on several servers. See also: https://blog.mythic-beasts.com/2019/03/22/round-robin-dns-another-use-for-anames/ https://github.com/each/draft-aname/issues/11 As Evan Hunt says in that issue, this is a huge can of worms. There are fun problems like a billion laughs attack on resolvers that try to chase down ANAME/CNAME chains to the ultimate target addresses... Tony. -- f.anthony.n.finch http://dotat.at/ Great Orme Head to the Mull of Galloway: Northwest 5 to 7, veering east or northeast 4 or 5, increasing 6 at times. Slight or moderate, occasionally rough far at first in far west. Rain or showers, occasionally thundery at first. Good, occasionally poor at first. From nobody Wed Apr 3 12:07:08 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34AFB12016D for ; Wed, 3 Apr 2019 12:07:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.7 X-Spam-Level: X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dcrocker.net Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kjyE47kv11u2 for ; Wed, 3 Apr 2019 12:07:06 -0700 (PDT) Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED2EE120167 for ; Wed, 3 Apr 2019 12:07:05 -0700 (PDT) Received: from [192.168.1.85] (108-226-162-63.lightspeed.sntcca.sbcglobal.net [108.226.162.63]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x33J8mbI006237 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for ; Wed, 3 Apr 2019 12:08:49 -0700 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dcrocker.net; s=default; t=1554318529; bh=p0wD7g6sXmROcjl9PRnTu6fSQhjyC6XRfzi/6NaT2TU=; h=To:Reply-To:From:Subject:Date:From; b=De6Qx5GsPuvwGOzihJme5Ek8I8IwmfJANtR0i6n/dbj/tAFE7fLhHRYEfbafNFz2F NZnYUI6496d+g4ou1z0R8ULp0KPUD5Sh40XEXoEq/GEE17wS94vWUPMEMYy/Hwjyi6 PPNq46iZVnErFcsdzuia6jLs3xaYDFNlJP+InXHI= To: dnsop Reply-To: dcrocker@bbiw.net From: Dave Crocker Organization: Brandenburg InternetWorking Message-ID: <03202426-5fa7-de6a-688d-491bde7402a8@dcrocker.net> Date: Wed, 3 Apr 2019 12:06:57 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Archived-At: Subject: [DNSOP] Over on the dbound list: draft-dcrocker-dns-perimeter-00 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 19:07:07 -0000 Howdy. I've posted a draft that might be of interest to folk in this group. It's best venue is almost certainly the dbound mailing list, where it is already starting to get discussion (and cross-posted to the dmarc list.) Discussing it here, on a third list, doesn't seem advisable, but it's already been noted on the dbound discussion that the draft raises issues that might be of concern to the dnsop community. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net From nobody Wed Apr 3 12:26:18 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 467CA12013F for ; Wed, 3 Apr 2019 12:26:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5hMO3rHLFT3t for ; Wed, 3 Apr 2019 12:26:14 -0700 (PDT) Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91B021200B6 for ; Wed, 3 Apr 2019 12:26:14 -0700 (PDT) Received: from [172.17.2.164] (unknown [46.35.19.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 13810892C6; Wed, 3 Apr 2019 19:26:12 +0000 (UTC) To: Christian Huitema Cc: Vittorio Bertola , dnsop@ietf.org References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org> <4935758.NkxX2Kjbm0@linux-9daj> <807193999.19916.1552445819087@appsuite.open-xchange.com> <9e40ac38-fa10-bbdc-1bfc-302e0ca170df@huitema.net> From: Paul Vixie Message-ID: Date: Wed, 3 Apr 2019 12:26:10 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.13 MIME-Version: 1.0 In-Reply-To: <9e40ac38-fa10-bbdc-1bfc-302e0ca170df@huitema.net> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [DNSOP] [dns-privacy] [Doh] New: draft-bertola-bcp-doh-clients X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 19:26:16 -0000 i had to think about this for quite a long time. i've trimmed the cc headers. Christian Huitema wrote on 2019-03-12 20:39: > > On 3/12/2019 7:56 PM, Vittorio Bertola wrote: >> ... > > The mirror image of that statement is, "when did intermediaries get > a mandate to filter content?" it was rarely a mandate, though various governments have made it one for various intermediaries. let me answer a different question, when did intermediaries gain the right or responsibility or both for filtering content? because that answer is simple: when they started building and operating it, investing in it, and either profiting or losing from it. their networks, their rules. which is only potentially unfair when they are also monopolies, in which case their end systems and edge networks have no alternatives. the law may want to recognize when a monopoly exists and set some minimums and maximums on intermediary operator rights and responsibilities. but that's not an architecture question. > ... The internet architecture assumes full connectivity. At some > point, people deployed middle-boxes and filtered content because > they could. as seems natural, since the internet architecture is neither viral nor communist, and anyone who connects a network to that network-of-networks called "the internet" has always treated all policy as local, since all responsibility for its emissions and uptime was theirs and only theirs. > They did not exactly try to get a mandate, or obtain consensus that > this was proper. no consensus was needed. if someone broke your rules, you stopped them or disconnected them. that was true for the NSFnet AUP, and it's true of every network's AUP today, and every corporate or family network's policy. > Technologies like DoH force the discussion in the open. Why do you > think you can filter content? Who made you king? i think that's hyperbole. i am at best a prince, and only of the territory i personally pay to build and connect, and only in the eyes of people who use my network. anyone who dislikes my rules can search for some other internet-connected network whose rules they like better. this is not a dictatorship, but certainly is a coalition of the willing. -- P Vixie From nobody Wed Apr 3 15:34:39 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCA171200B3 for ; Wed, 3 Apr 2019 15:34:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id frRldlKpZn4Q for ; Wed, 3 Apr 2019 15:34:36 -0700 (PDT) Received: from mail-qt1-x82e.google.com (mail-qt1-x82e.google.com [IPv6:2607:f8b0:4864:20::82e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3E151200CC for ; Wed, 3 Apr 2019 15:34:35 -0700 (PDT) Received: by mail-qt1-x82e.google.com with SMTP id x12so998634qts.7 for ; Wed, 03 Apr 2019 15:34:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1TaShme7v2L4u13PJyl0HdgOygxFuWYEI8cdoFv4IO0=; b=U+cjY8sX2Dv+WRBNx/wt5ZQUAi/rgJ7kRSWX9Bz7QFdif5OXK4d0eB0Q2p2o4pOe4j 613HF3x+xnwgRcbM1iXp44YIajS/gbAHDAFqARHFb0nPeLC0LArjio52H+Njn/529tdq nvGNlQ/skt7QoNkqjP1ahrtMLM0AMlbF4kWVjTvbi2MLM20ksAhrmDtlRTc4zeuAVDQn ICpKs7t5vpZJlDa5SNyefHDj1Cq80VzWFr6Y+m7JejNDJnsqAZkjPetk5tUWzjIDZYA3 w/FnoXMjX1yRzDJ1nGU/EikVJKUGYJ5Jqce5aBjETzrFc+AjHHg4xuiF2+FRns4KK3Yj S7QQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1TaShme7v2L4u13PJyl0HdgOygxFuWYEI8cdoFv4IO0=; b=GkriY5kZzJ5jkkQIVTl8shNZAnwloC4Vv//eQFSaLoVdoWYE4DXRuCBA5IoNktWneO e1xUSrazXzTUtX78KAF0t8NI1UqbSoBD3pYidpd+mDWZzIaUdwvqcDVV7G5mrWqvu0fc IwQfdmlbQJFd+lp4p0ufiwTbL7KEXAVQr033CoPpNMVB8CJ2v3NE3KLhJvj/XF4FGZrN Kab+0UFUWQuHWiTa54d7N7b+X4QOFs+YL223M/1DxmU20FFSmJbiWz6VyA4m2owDP4v1 iYzzfnzqmpt9qHncQ/Q2uyfBkZofpnrvZMPIzTPY1FEig/CH6nRrLfnaCSqQdza9CB/q wXIw== X-Gm-Message-State: APjAAAVaYAbrV7Vk/6BCZnx0ahgtGjDXcnKkHoFHgpopq1/4eimJFFSc EsIvp7O+3ZBJzzEpnTYgbcnj4ZkqUOp8aElsGS+uuN9x X-Google-Smtp-Source: APXvYqwaVtmlZAvk53QhSJX86eZBqlkV24DXRH7k51M4Jat9u3eiD8i+brS6leUeD5vVWypYixxnx1sd1xrbMUJvC8E= X-Received: by 2002:ac8:367d:: with SMTP id n58mr2432694qtb.260.1554330874945; Wed, 03 Apr 2019 15:34:34 -0700 (PDT) MIME-Version: 1.0 References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org> <4935758.NkxX2Kjbm0@linux-9daj> <807193999.19916.1552445819087@appsuite.open-xchange.com> <9e40ac38-fa10-bbdc-1bfc-302e0ca170df@huitema.net> In-Reply-To: From: Ted Lemon Date: Wed, 3 Apr 2019 18:34:21 -0400 Message-ID: To: Paul Vixie Cc: Christian Huitema , Vittorio Bertola , dnsop@ietf.org Content-Type: multipart/alternative; boundary="000000000000aa4b760585a7dbd1" Archived-At: Subject: Re: [DNSOP] [dns-privacy] [Doh] New: draft-bertola-bcp-doh-clients X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 Apr 2019 22:34:39 -0000 --000000000000aa4b760585a7dbd1 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Paul, it might be worth asking whether you believe that isps should be selling eyeballs. If you think they should, then your argument makes sense. It=E2=80=99s the same argument isps give for charging me for service and th= en charging Netflix for access to me. If you don=E2=80=99t agree with this model, then your argument that whoever= built the network has the right to dictate terms is inconsistent. On Wed, Apr 3, 2019 at 15:26 Paul Vixie wrote: > i had to think about this for quite a long time. i've trimmed the cc > headers. > > Christian Huitema wrote on 2019-03-12 20:39: > > > > On 3/12/2019 7:56 PM, Vittorio Bertola wrote: > >> ... > > > > The mirror image of that statement is, "when did intermediaries get > > a mandate to filter content?" > > it was rarely a mandate, though various governments have made it one for > various intermediaries. let me answer a different question, when did > intermediaries gain the right or responsibility or both for filtering > content? because that answer is simple: when they started building and > operating it, investing in it, and either profiting or losing from it. > > their networks, their rules. which is only potentially unfair when they > are also monopolies, in which case their end systems and edge networks > have no alternatives. the law may want to recognize when a monopoly > exists and set some minimums and maximums on intermediary operator > rights and responsibilities. but that's not an architecture question. > > > ... The internet architecture assumes full connectivity. At some > > point, people deployed middle-boxes and filtered content because > > they could. > > as seems natural, since the internet architecture is neither viral nor > communist, and anyone who connects a network to that network-of-networks > called "the internet" has always treated all policy as local, since all > responsibility for its emissions and uptime was theirs and only theirs. > > > They did not exactly try to get a mandate, or obtain consensus that > > this was proper. > > no consensus was needed. if someone broke your rules, you stopped them > or disconnected them. that was true for the NSFnet AUP, and it's true of > every network's AUP today, and every corporate or family network's policy= . > > > Technologies like DoH force the discussion in the open. Why do you > > think you can filter content? Who made you king? > > i think that's hyperbole. i am at best a prince, and only of the > territory i personally pay to build and connect, and only in the eyes of > people who use my network. anyone who dislikes my rules can search for > some other internet-connected network whose rules they like better. this > is not a dictatorship, but certainly is a coalition of the willing. > > -- > P Vixie > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > --000000000000aa4b760585a7dbd1 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Paul, it might be worth asking whether you believe t= hat isps should be selling eyeballs. If you think they should, then your ar= gument makes sense. It=E2=80=99s the same argument isps give for charging m= e for service and then charging Netflix for access to me.

If you don=E2=80=99t agree with thi= s model, then your argument that whoever built the network has the right to= dictate terms is inconsistent.=C2=A0

On Wed, Apr 3, 2019 at 15:26 Paul= Vixie <paul@redbarn.org> wro= te:
i had to think about this for q= uite a long time. i've trimmed the cc
headers.

Christian Huitema wrote on 2019-03-12 20:39:
>
> On 3/12/2019 7:56 PM, Vittorio Bertola wrote:
>> ...
>
> The mirror image of that statement is, "when did intermediaries g= et
> a mandate to filter content?"

it was rarely a mandate, though various governments have made it one for various intermediaries. let me answer a different question, when did
intermediaries gain the right or responsibility or both for filtering
content? because that answer is simple: when they started building and
operating it, investing in it, and either profiting or losing from it.

their networks, their rules. which is only potentially unfair when they
are also monopolies, in which case their end systems and edge networks
have no alternatives. the law may want to recognize when a monopoly
exists and set some minimums and maximums on intermediary operator
rights and responsibilities. but that's not an architecture question.
> ... The internet architecture assumes full connectivity. At some
> point, people deployed middle-boxes and filtered content because
> they could.

as seems natural, since the internet architecture is neither viral nor
communist, and anyone who connects a network to that network-of-networks called "the internet" has always treated all policy as local, sin= ce all
responsibility for its emissions and uptime was theirs and only theirs.

> They did not exactly try to get a mandate, or obtain consensus that > this was proper.

no consensus was needed. if someone broke your rules, you stopped them
or disconnected them. that was true for the NSFnet AUP, and it's true o= f
every network's AUP today, and every corporate or family network's = policy.

> Technologies like DoH force the discussion in the open. Why do you
> think you can filter content? Who made you king?

i think that's hyperbole. i am at best a prince, and only of the
territory i personally pay to build and connect, and only in the eyes of people who use my network. anyone who dislikes my rules can search for
some other internet-connected network whose rules they like better. this is not a dictatorship, but certainly is a coalition of the willing.

--
P Vixie

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--000000000000aa4b760585a7dbd1-- From nobody Wed Apr 3 18:20:15 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F41E71201B1 for ; Wed, 3 Apr 2019 18:20:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=kXbRlTrG; dkim=pass (1536-bit key) header.d=taugh.com header.b=Olo2dlla Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y-qa4MVCBltW for ; Wed, 3 Apr 2019 18:20:12 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53EAA1201A6 for ; Wed, 3 Apr 2019 18:20:12 -0700 (PDT) Received: (qmail 6443 invoked from network); 4 Apr 2019 01:20:10 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1929.5ca55bca.k1904; bh=EwmyAnGhZBvCrxYn9xdATJhkNazs1Fg5dpdf5zY/p+k=; b=kXbRlTrGFSVl9fCmlhPXT/qbBxvGpq1WUIy1gPBGsT9iSCe1OSIBfcCRR1fgF6yWeQFuISBsMh1rNwB5VjLWzQyzEI/LlVl6/XMnHtmU5VB0PqlwxpsWrZaF7KXVTXT11n0DL6ScF+AbBWmXAYJ6X2TVBXEPMkDPiXGE1Du+0o57e9enu8XK7mk78ASF6y1SbXndedfLS4mYEwBfOU5KuPHyI0NrU22vW1qgWs4lI7qDT/Jcb6zW5K7wGiuQaWRY DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1929.5ca55bca.k1904; bh=EwmyAnGhZBvCrxYn9xdATJhkNazs1Fg5dpdf5zY/p+k=; b=Olo2dllaBBV4n7GbxnKKzVWaZfkOtV1FdvRBECEctiR4/WK0h4mXCggiiBAMJpmgvsJ8VqoOzjrckSWVBrYedXpNLg+5ayY15cSejD0GA9C2omP6ekRMwk4ag9lVx5Nndm7KTzHuNZN2lRDURBE0FcjFx7KJAJHEp8PkradNdmHmkzknXAKYA2xGtzfsAf2Pu/yl+hlWJUu6ofJZ5LXfkACoSZ9i/HwrBRpPNiHJeGATE4D08e041QT0Q6QTE7Zj Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 04 Apr 2019 01:20:10 -0000 Received: by ary.qy (Postfix, from userid 501) id 64DB6201162C3F; Wed, 3 Apr 2019 21:20:09 -0400 (EDT) Date: 3 Apr 2019 21:20:09 -0400 Message-Id: <20190404012010.64DB6201162C3F@ary.qy> From: "John Levine" To: dnsop@ietf.org Cc: dcrocker@bbiw.net In-Reply-To: <03202426-5fa7-de6a-688d-491bde7402a8@dcrocker.net> Organization: Taughannock Networks X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [DNSOP] Over on the dbound list: draft-dcrocker-dns-perimeter-00 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Apr 2019 01:20:14 -0000 In article <03202426-5fa7-de6a-688d-491bde7402a8@dcrocker.net> you write: >Howdy. I've posted a draft that might be of interest to folk in this >group. > >It's best venue is almost certainly the dbound mailing list, where it is >already starting to get discussion (and cross-posted to the dmarc list.) > >Discussing it here, on a third list, doesn't seem advisable, but it's >already been noted on the dbound discussion that the draft raises issues >that might be of concern to the dnsop community. The part of interest to DNSOP would be section 7 on pages 12 and 13 where it discusses tree walks and potential new additional section processing to find the closest perimeter record above a name being checked. Other than that it's just another TXT record with a _prefix name. R's, John From nobody Thu Apr 4 07:01:40 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 597E212069D for ; Thu, 4 Apr 2019 07:01:39 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PqWJdDkaSfmG for ; Thu, 4 Apr 2019 07:01:36 -0700 (PDT) Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCB9112069A for ; Thu, 4 Apr 2019 07:01:35 -0700 (PDT) Received: by mail-lj1-x22e.google.com with SMTP id t4so2222897ljc.2 for ; Thu, 04 Apr 2019 07:01:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zHMIxj/sP3LP2cheyZD0HQoJaQwhEnq/mKt5pz2WD7A=; b=KdJPeHm0V+Saumm4b3BISftOHxBUcg2f9zUzvu4uCzJaE0AQsAUJYtNhr2I0/DEKpf 3imSWipffaC1qRyxQIkiNYQXHmag4CMCaP/g511K/2HEGEQPYya1yn+EaGJaghFdmZPN jPOs3pk7X2UyDmQlU9Nz3rHrRUT9mrCYIVTcO9Pac1PUWU+NBrcpllZjOwzLqYhnghjs HzkPd+SV305hOrjWa57q5HLaXHbP2AZbt7ksh6G2fz53hX0J072Pdc0OBrI5tdftSVGk Ud0W5tnnjqaFM6nOtO5eCBL/gKdcxrJgNIrauG8kV0mkY1ADptgWYD03EE73YY5T3uTl jHaQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zHMIxj/sP3LP2cheyZD0HQoJaQwhEnq/mKt5pz2WD7A=; b=PH9xOkl/y3dLOwjDh09H1P4nttv0srtUbX7oQw+U5dvvf7WWEdhITJf6Ukk4kw2zab fkc5R/2b0CcaA1nKkNT0bG+mBexYOqPuZyTjgwV4pN42AFWqhgAFUxiG1tOLkTyfTAbb W0Z5SLa1xmU/g+NC/IKaT6OWVhDM5rEKsjvEVMbtT0BkOrVLoW4UEl05d9Av25wfPaAt iWMLaAqOwBzR9/3MRiGlOxmZG0hml0LfeZr02UdEP//5uKeupJPPzXNeTEV3XKllpfrp RLF3pyUSdKyAhApjFyGo8xfgbBZI00V+L5oCtvm3O1KSI+xH6nkkdrWDia/0Xy7Vj67Q ey9w== X-Gm-Message-State: APjAAAW980ooBAO4uuRI+zU455JlMEtSYNjEENdqhzFjhmt0EnYzDYkq oFFzhyqrnBNtNKI1WmP67QAHc66YTN0RW3VdY18AXA== X-Google-Smtp-Source: APXvYqxfpHG4QO+7vKFGcH7oQMBvIoobRgoFsgoTEUAj+kF+6dpR4FUb0lmDkZlM2J3qDIy2GwHGDv6xmLE1xwiKRA4= X-Received: by 2002:a2e:81da:: with SMTP id s26mr3838602ljg.86.1554386493622; Thu, 04 Apr 2019 07:01:33 -0700 (PDT) MIME-Version: 1.0 References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org> <4935758.NkxX2Kjbm0@linux-9daj> <807193999.19916.1552445819087@appsuite.open-xchange.com> <9e40ac38-fa10-bbdc-1bfc-302e0ca170df@huitema.net> In-Reply-To: From: Bob Harold Date: Thu, 4 Apr 2019 10:01:21 -0400 Message-ID: To: Ted Lemon Cc: Paul Vixie , Vittorio Bertola , Christian Huitema , IETF DNSOP WG Content-Type: multipart/alternative; boundary="000000000000cbd7030585b4ceac" Archived-At: Subject: Re: [DNSOP] [dns-privacy] [Doh] New: draft-bertola-bcp-doh-clients X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Apr 2019 14:01:39 -0000 --000000000000cbd7030585b4ceac Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Apr 3, 2019 at 6:34 PM Ted Lemon wrote: > Paul, it might be worth asking whether you believe that isps should be > selling eyeballs. If you think they should, then your argument makes sens= e. > It=E2=80=99s the same argument isps give for charging me for service and = then > charging Netflix for access to me. > > If you don=E2=80=99t agree with this model, then your argument that whoev= er built > the network has the right to dictate terms is inconsistent. > If you buy service from a network that subsidizes the price of your connection by selling your data, that is your choice. You could use a VPN or buy a network service (even a dedicated line) for a higher price that does not sell your data. Their network, their rules, but you choose the network. --=20 Bob Harold > On Wed, Apr 3, 2019 at 15:26 Paul Vixie wrote: > >> i had to think about this for quite a long time. i've trimmed the cc >> headers. >> >> Christian Huitema wrote on 2019-03-12 20:39: >> > >> > On 3/12/2019 7:56 PM, Vittorio Bertola wrote: >> >> ... >> > >> > The mirror image of that statement is, "when did intermediaries get >> > a mandate to filter content?" >> >> it was rarely a mandate, though various governments have made it one for >> various intermediaries. let me answer a different question, when did >> intermediaries gain the right or responsibility or both for filtering >> content? because that answer is simple: when they started building and >> operating it, investing in it, and either profiting or losing from it. >> >> their networks, their rules. which is only potentially unfair when they >> are also monopolies, in which case their end systems and edge networks >> have no alternatives. the law may want to recognize when a monopoly >> exists and set some minimums and maximums on intermediary operator >> rights and responsibilities. but that's not an architecture question. >> >> > ... The internet architecture assumes full connectivity. At some >> > point, people deployed middle-boxes and filtered content because >> > they could. >> >> as seems natural, since the internet architecture is neither viral nor >> communist, and anyone who connects a network to that network-of-networks >> called "the internet" has always treated all policy as local, since all >> responsibility for its emissions and uptime was theirs and only theirs. >> >> > They did not exactly try to get a mandate, or obtain consensus that >> > this was proper. >> >> no consensus was needed. if someone broke your rules, you stopped them >> or disconnected them. that was true for the NSFnet AUP, and it's true of >> every network's AUP today, and every corporate or family network's polic= y. >> >> > Technologies like DoH force the discussion in the open. Why do you >> > think you can filter content? Who made you king? >> >> i think that's hyperbole. i am at best a prince, and only of the >> territory i personally pay to build and connect, and only in the eyes of >> people who use my network. anyone who dislikes my rules can search for >> some other internet-connected network whose rules they like better. this >> is not a dictatorship, but certainly is a coalition of the willing. >> >> -- >> P Vixie >> > --000000000000cbd7030585b4ceac Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

On Wed, Apr 3, 2019 = at 6:34 PM Ted Lemon <mellon@fugue.c= om> wrote:
Paul, it might be worth asking whether you believe= that isps should be selling eyeballs. If you think they should, then your = argument makes sense. It=E2=80=99s the same argument isps give for charging= me for service and then charging Netflix for access to me.

If you don=E2=80=99t agree with t= his model, then your argument that whoever built the network has the right = to dictate terms is inconsistent.=C2=A0

If you buy service from a network that subsidizes the price of your conn= ection by selling your data, that is your=C2=A0choice.=C2=A0=C2=A0=C2=A0You= could use a VPN or buy a network service (even a dedicated line) for a hig= her price that does not sell your data.=C2=A0 Their network, their rules, b= ut you choose the network.

--=C2=A0
Bob = Harold

=C2=A0
On Wed, Apr 3, 2019 at 15:26 Paul Vixie <paul@redbarn.org> wrote:
<= /div>
i had to think about= this for quite a long time. i've trimmed the cc
headers.

Christian Huitema wrote on 2019-03-12 20:39:
>
> On 3/12/2019 7:56 PM, Vittorio Bertola wrote:
>> ...
>
> The mirror image of that statement is, "when did intermediaries g= et
> a mandate to filter content?"

it was rarely a mandate, though various governments have made it one for various intermediaries. let me answer a different question, when did
intermediaries gain the right or responsibility or both for filtering
content? because that answer is simple: when they started building and
operating it, investing in it, and either profiting or losing from it.

their networks, their rules. which is only potentially unfair when they
are also monopolies, in which case their end systems and edge networks
have no alternatives. the law may want to recognize when a monopoly
exists and set some minimums and maximums on intermediary operator
rights and responsibilities. but that's not an architecture question.
> ... The internet architecture assumes full connectivity. At some
> point, people deployed middle-boxes and filtered content because
> they could.

as seems natural, since the internet architecture is neither viral nor
communist, and anyone who connects a network to that network-of-networks called "the internet" has always treated all policy as local, sin= ce all
responsibility for its emissions and uptime was theirs and only theirs.

> They did not exactly try to get a mandate, or obtain consensus that > this was proper.

no consensus was needed. if someone broke your rules, you stopped them
or disconnected them. that was true for the NSFnet AUP, and it's true o= f
every network's AUP today, and every corporate or family network's = policy.

> Technologies like DoH force the discussion in the open. Why do you
> think you can filter content? Who made you king?

i think that's hyperbole. i am at best a prince, and only of the
territory i personally pay to build and connect, and only in the eyes of people who use my network. anyone who dislikes my rules can search for
some other internet-connected network whose rules they like better. this is not a dictatorship, but certainly is a coalition of the willing.

--
P Vixie

=C2=A0=
--000000000000cbd7030585b4ceac-- From nobody Thu Apr 4 13:23:09 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA91D12016C for ; Thu, 4 Apr 2019 13:23:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 637K1RW3nLRw for ; Thu, 4 Apr 2019 13:23:05 -0700 (PDT) Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 01C901202E3 for ; Thu, 4 Apr 2019 13:23:02 -0700 (PDT) Received: from [192.168.44.165] (unknown [5.33.15.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 0A5C3892C6; Thu, 4 Apr 2019 20:23:00 +0000 (UTC) To: Ted Lemon Cc: dnsop@ietf.org References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <76386691-c1aa-c48a-9b0d-67eb36a08a4f@redbarn.org> <4935758.NkxX2Kjbm0@linux-9daj> <807193999.19916.1552445819087@appsuite.open-xchange.com> <9e40ac38-fa10-bbdc-1bfc-302e0ca170df@huitema.net> From: Paul Vixie Message-ID: <5923dc94-6118-4070-0e3d-ffe376cee395@redbarn.org> Date: Thu, 4 Apr 2019 13:22:53 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.13 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Archived-At: Subject: Re: [DNSOP] [dns-privacy] [Doh] New: draft-bertola-bcp-doh-clients X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 04 Apr 2019 20:23:08 -0000 Ted Lemon wrote on 2019-04-03 15:34: > Paul, it might be worth asking whether you believe that isps should be > selling eyeballs. If you think they should, then your argument makes > sense. It’s the same argument isps give for charging me for service and > then charging Netflix for access to me. > > If you don’t agree with this model, then your argument that whoever > built the network has the right to dictate terms is inconsistent. my answer is that's a false dichotomy; "none of the above". the internet relies on cooperation for its functionality. interoperability in protocols is an example -- if you speak gibberish you won't be heard, if you don't know the language you won't understand. respecting the uniqueness of code point allocations is another example: you are counting on everybody respecting the allocations of network numbers, autsys numbers, top level domains, protocol identifiers -- and if they don't, they and you will both suffer. the example your nondichotomous question brings up is policy. if the user or app or LAN or WAN or far-end does not want a transaction to occur, they can block it. if you don't like that policy (see bob's excellent response down thread), you need to swap out that component of the path. so, it's none of my business whether any ISP other than my own sells eyeballs. for me, i won't do business with an ISP who does that. but, i have choices. that's why i mentioned "if your ISP has a monopoly" up-thread, because their regulator may have views on what they can and cannot do if their customers have no other ISP serving them. (network neutrality turns on that point, as well.) i literally do not, and should not, have a belief one way or another as to whether some figurative ISP sells eyeballs or doesn't. if yours does, and you don't feel fairly compensated for the resulting loss of your privacy, than vote with your feet/dollars. i am not going to prescribe policy, other than indirectly, by refusing to accept traffic from networks whose policies freely permit abusive traffic (spam, ddos, etc) to flow toward me. but even in that case, my belief will be that _i_ should not accept their traffic. i will not try to tell _you_ whether to accept their traffic. their network, their rules. i have feet, and they vote. -- P Vixie From nobody Fri Apr 5 09:21:12 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D5C3120603; Fri, 5 Apr 2019 09:21:04 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: Benjamin Kaduk via Datatracker To: "The IESG" Cc: draft-ietf-dnsop-algorithm-update@ietf.org, Tim Wicinski , dnsop-chairs@ietf.org, tjw.ietf@gmail.com, dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.94.1 Auto-Submitted: auto-generated Precedence: bulk Reply-To: Benjamin Kaduk Message-ID: <155448126450.10133.15933575757540602207.idtracker@ietfa.amsl.com> Date: Fri, 05 Apr 2019 09:21:04 -0700 Archived-At: Subject: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-algorithm-update-07: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Apr 2019 16:21:05 -0000 Benjamin Kaduk has entered the following ballot position for draft-ietf-dnsop-algorithm-update-07: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I'm a little surprised that this is going for PS rather than BCP, which seems like it would reflect the recognized need for recurring updates to the guidance given. In a similar vein, if we stay at PS, a lot of the references seem like they would need to move from Informative to Normative, since to implement the various MUST-level algorithms you have to follow those references. Section 1.1 The field of cryptography evolves continuously. New stronger algorithms appear and existing algorithms are found to be less secure then originally thought. [...] I'd suggest also noting that attacks previously thought to be computationally infeasible become more accessible as the available computational resources increase. Section 1.2 For clarification and consistency, an algorithm will be specified as MAY in this document only when it has been downgraded. Does "downgraded" mean that it was formerly mandatory but has been rotated out of the mandatory role? Perhaps explicitly saying "downgraded from " would aid clarity. Section 3.3 SHA-384 shares the same properties as SHA-256, but offers a modest security advantage over SHA-384 (384-bits of strength versus nit: SHA-384 has an advantage over ... SHA-384? recommended for DS and CDS records. While it is unlikely for a DNSSEC use case requiring 384-bit security strength to arise, SHA-384 is provided for such applications and it MAY be used for generating DS and CDS records in these cases. My understanding is that generally we refer to SHA-384 as providing 192-bit security, though of course that's a vague/generic statement and more specific ones are possible. Section 8 We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Olafur Gudmundsson, Paul Hoffman and Evan Hunt for their imminent feedback. IIRC a directorate reviewer noted that "imminent" means "expected to arrive in the near future but not yet present"; such text does not seem appropriate for final publication since review after that point would not be helpful. From nobody Fri Apr 5 09:37:57 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B526120637 for ; Fri, 5 Apr 2019 09:37:49 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FcLl2-wYCUMx for ; Fri, 5 Apr 2019 09:37:46 -0700 (PDT) Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E61E1205FE for ; Fri, 5 Apr 2019 09:37:43 -0700 (PDT) Received: by mail-lf1-x130.google.com with SMTP id a28so4828630lfo.7 for ; Fri, 05 Apr 2019 09:37:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Zo9rz5B/H6oc9FFrnIVzmwaoiIDeY5sqykXtI4qp4QY=; b=Q5ZNuoEKm4sX26sCfgAW4bI8JzVtm68VrffkhRZK0fOwELZn4mGj4xaT6vJNCp/jX3 enlwBJYcdPCxXBN+gW5phSVHbPct5TjsXOD0InVjh8zE+o7P65OMUM58PJgTwB5iPpbR +n6jipIBcYlPVcbwe1gyEW/FRrXeEW/V5wT9ZVE/VRkwelcGN3x+YPzB/bqhK8RT5Wnc iR5CuM59vqMgM6Lme0Bgn7u1NgyGvY571fnBoXLw9QA1CkWiMqvylwPEuJLDwG+5bMVQ 3EUCEq9JvaldpBmh3pejUcRyeNvxIqP5BRqsWTGl9rQE1joGPdL7Xcn8BmOpc1UVQ84B r3nw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zo9rz5B/H6oc9FFrnIVzmwaoiIDeY5sqykXtI4qp4QY=; b=H04dC6oW7YA5vftdA7+VAeM1YzQVYFv4pNiU0pjWP7kL+zUEKeTYcLqFAYeXljcRpn Z71ppcrVMglG70nrJJPB7z3o9tvLiBmJpLskKgl28zOGwHUf3liWugTx2LPBejzpYED4 6ctjIely+KhRpHFfD5rXn37BZTsX0I/0EN7tNXdx1m2ZSgPKH/2UiNFd26+FN0SJ3khe V4ivn+eY6hn+araDxdo9z0ethWxlgGcJsSrmqC86aprBvqOXAn2+VQh9g4L3o6ACXETP 7fCAu/NJBs5X/j2H4e0SphQRlzPTvfO/kupDOTmEn0q47mAm5BMyfyvm4VF7Hm6YPJlW 4iVA== X-Gm-Message-State: APjAAAUN+6TJbA8srriunNY57qJ8lTr3rN6b+YIKC7rHC35BUXNP6TSY t2D6uEIUZXloMQB9ImVjgyqONcLbnSj0QwVEsNn9YQ== X-Google-Smtp-Source: APXvYqz5pHDSQa+niq3lWcLDVgqR5FjYtzNO2hE433+LHvSFUGknTZovyaBWdLkpK4b6/aRWJ4HvnCmbwwlSiW8pz0M= X-Received: by 2002:ac2:5581:: with SMTP id v1mr7012698lfg.92.1554482261306; Fri, 05 Apr 2019 09:37:41 -0700 (PDT) MIME-Version: 1.0 References: <155448126450.10133.15933575757540602207.idtracker@ietfa.amsl.com> In-Reply-To: <155448126450.10133.15933575757540602207.idtracker@ietfa.amsl.com> From: Bob Harold Date: Fri, 5 Apr 2019 12:37:30 -0400 Message-ID: To: Benjamin Kaduk Cc: The IESG , Tim Wicinski , draft-ietf-dnsop-algorithm-update@ietf.org, IETF DNSOP WG , dnsop-chairs@ietf.org Content-Type: multipart/alternative; boundary="000000000000fec9970585cb1ae0" Archived-At: Subject: Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-algorithm-update-07: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Apr 2019 16:37:49 -0000 --000000000000fec9970585cb1ae0 Content-Type: text/plain; charset="UTF-8" On Fri, Apr 5, 2019 at 12:21 PM Benjamin Kaduk via Datatracker < noreply@ietf.org> wrote: > Benjamin Kaduk has entered the following ballot position for > draft-ietf-dnsop-algorithm-update-07: No Objection > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ > > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > I'm a little surprised that this is going for PS rather than BCP, > which seems like it would reflect the recognized need for recurring > updates to the guidance given. > > In a similar vein, if we stay at PS, a lot of the references seem like > they would need to move from Informative to Normative, since to > implement the various MUST-level algorithms you have to follow those > references. > > Section 1.1 > > > The field of cryptography evolves continuously. New stronger > algorithms appear and existing algorithms are found to be less secure > then originally thought. [...] > > I'd suggest also noting that attacks previously thought to be > computationally infeasible become more accessible as the available > computational resources increase. > > Section 1.2 > > For clarification and consistency, an > algorithm will be specified as MAY in this document only when it has > been downgraded. > > Does "downgraded" mean that it was formerly mandatory but has been > rotated out of the mandatory role? Perhaps explicitly saying > "downgraded from " would aid clarity. > > Section 3.3 > > > SHA-384 shares the same properties as SHA-256, but offers a modest > security advantage over SHA-384 (384-bits of strength versus > > nit: SHA-384 has an advantage over ... SHA-384? > > recommended for DS and CDS records. While it is unlikely for a > DNSSEC use case requiring 384-bit security strength to arise, SHA-384 > is provided for such applications and it MAY be used for generating > DS and CDS records in these cases. > > My understanding is that generally we refer to SHA-384 as providing > 192-bit security, though of course that's a vague/generic statement and > more specific ones are possible. > > Section 8 > > We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Olafur > Gudmundsson, Paul Hoffman and Evan Hunt for their imminent feedback. > > IIRC a directorate reviewer noted that "imminent" means "expected to > arrive in the near future but not yet present"; such text does not seem > appropriate for final publication since review after that point would > not be helpful. > I think the word they wanted is "eminent". -- Bob Harold --000000000000fec9970585cb1ae0 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

On Fri, Apr 5, 2019 at 1= 2:21 PM Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
Benjamin Kaduk has entered the following ballot positio= n for
draft-ietf-dnsop-algorithm-update-07: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/s= tatement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/= draft-ietf-dnsop-algorithm-update/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I'm a little surprised that this is going for PS rather than BCP,
which seems like it would reflect the recognized need for recurring
updates to the guidance given.

In a similar vein, if we stay at PS, a lot of the references seem like
they would need to move from Informative to Normative, since to
implement the various MUST-level algorithms you have to follow those
references.

Section 1.1


=C2=A0 =C2=A0The field of cryptography evolves continuously.=C2=A0 New stro= nger
=C2=A0 =C2=A0algorithms appear and existing algorithms are found to be less= secure
=C2=A0 =C2=A0then originally thought.=C2=A0 [...]

I'd suggest also noting that attacks previously thought to be
computationally infeasible become more accessible as the available
computational resources increase.

Section 1.2

=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 For clarification and consist= ency, an
=C2=A0 =C2=A0algorithm will be specified as MAY in this document only when = it has
=C2=A0 =C2=A0been downgraded.

Does "downgraded" mean that it was formerly mandatory but has bee= n
rotated out of the mandatory role?=C2=A0 Perhaps explicitly saying
"downgraded from <blah>" would aid clarity.

Section 3.3


=C2=A0 =C2=A0SHA-384 shares the same properties as SHA-256, but offers a mo= dest
=C2=A0 =C2=A0security advantage over SHA-384 (384-bits of strength versus
nit: SHA-384 has an advantage over ... SHA-384?

=C2=A0 =C2=A0recommended for DS and CDS records.=C2=A0 While it is unlikely= for a
=C2=A0 =C2=A0DNSSEC use case requiring 384-bit security strength to arise, = SHA-384
=C2=A0 =C2=A0is provided for such applications and it MAY be used for gener= ating
=C2=A0 =C2=A0DS and CDS records in these cases.

My understanding is that generally we refer to SHA-384 as providing
192-bit security, though of course that's a vague/generic statement and=
more specific ones are possible.

Section 8

=C2=A0 =C2=A0We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Ol= afur
=C2=A0 =C2=A0Gudmundsson, Paul Hoffman and Evan Hunt for their imminent fee= dback.

IIRC a directorate reviewer noted that "imminent" means "exp= ected to
arrive in the near future but not yet present"; such text does not see= m
appropriate for final publication since review after that point would
not be helpful.

I think the word they w= anted is "eminent".

--=C2=A0
B= ob Harold=C2=A0

--000000000000fec9970585cb1ae0-- From nobody Fri Apr 5 09:43:40 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDD531205CC; Fri, 5 Apr 2019 09:43:28 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.998 X-Spam-Level: X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hsuOi67sZ6a4; Fri, 5 Apr 2019 09:43:25 -0700 (PDT) Received: from mail-yw1-xc32.google.com (mail-yw1-xc32.google.com [IPv6:2607:f8b0:4864:20::c32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7BBA312051F; Fri, 5 Apr 2019 09:43:24 -0700 (PDT) Received: by mail-yw1-xc32.google.com with SMTP id c4so2523208ywa.11; Fri, 05 Apr 2019 09:43:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=S0ws1wmYsF4vt5xH9Iu4yvbM90SU6cSfDGjXi0YKhDg=; b=ZwTOPFroPbgoa6fO3+oltD2VTqs0br8n2L1Sk+pHqZhN47mbLg0DuawnWZ6MoMpXFT i42vpmc2YEqt72bxnEsvRPQowzbQ1xyIonpJnzExvvW2a0EPpgx1qtz6o/5IekFU7uCq id2ucuSAQp+Z+NVx++ZKhwuM+FcAumI9l7fvlM6NC74ePMoQSznF4EGvJFZj6U7z84LS 9FyErJgdB8/NH4wN0kJ9BEK0q1xoASyxyAPA0xR6Qs7sQchJTycrn1dqCRl8i/TqXVlg 1MvDME9h5/RAtt/QqkYNVLSiLbBARXBUSJtONdv+b3BgsL6cNsiuQo+Om1YNWql6c4B2 tagg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=S0ws1wmYsF4vt5xH9Iu4yvbM90SU6cSfDGjXi0YKhDg=; b=IFn9wb2Zahb3n5j0NZQM8lWHfojd8ZtJdMZMxhOoUQmbaPEfnNHDkGzDcp7IR4iK7h BHbPcZ9enkTH6UspJXqJd+L2yHuzh+feMU6izoB68EpHhMYI489Ad0oK6Vb6KiKFMGqe hgMEw5VTaxKnPa0BiWX6sOIqLsK1JqgcVWHF2l0dDwrQBpDIa4JHY+ZvP88upZofj4Ce 1nrlKnH3IcmVLoTIahSbju70M47cKaUSu1h+zwgzhYp71mRZhpJePH1dLzrJibA/gT2f vEAq3DBrDXxT87zrIhAa4uhZ1uTFv+Kw2+ASlisxdykmp73igCw7j7VDv5cMxtjtpqdF lDtg== X-Gm-Message-State: APjAAAU6ImZuhOiaJOCGuwZrwAJZqgBh04m/NrfSPvXOSiJ+JyZKDFqX LjQFnnS8y8xMeS9bc07osYDlkDW3PG9M3IRf3fk= X-Google-Smtp-Source: APXvYqxLwiEuWLHxCGIYSjJBcTFpL33jIVGBe9nC2LuVr6ayR6m2XC1o6vB7LA6k5yo3wa3PzIbpBddWuTWXPxkPamM= X-Received: by 2002:a81:3d17:: with SMTP id k23mr11405457ywa.266.1554482603382; Fri, 05 Apr 2019 09:43:23 -0700 (PDT) MIME-Version: 1.0 References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> In-Reply-To: From: william manning Date: Fri, 5 Apr 2019 09:43:12 -0700 Message-ID: To: nalini elkins Cc: Christian Huitema , doh@ietf.org, Vittorio Bertola , dnsop , dns-privacy@ietf.org, "Ackermann, Michael" , Stephen Farrell Content-Type: multipart/alternative; boundary="000000000000625c190585cb2f8e" Archived-At: Subject: Re: [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 05 Apr 2019 16:43:29 -0000 --000000000000625c190585cb2f8e Content-Type: text/plain; charset="UTF-8" Every now and then, Paul Vixie and I are in complete harmony. In my current slot, we are one of thousands of entities that are being held accountable to a series of regulatory requirements that have significant fiscal impacts on the exfiltration of private/patient data. We are starting to focus on three distinct areas to reduce the impact that DOH presents to our security posture. 1) In contractual/proccurement language. We have some "Must have" items and now we will have "Must not" items. 2) There are at least two technical options for tracking/blocking DOH which are being turned into turnkey options to "swat" this covert C&C channel. 3) Aggressive Browser Hygiene. This genie has not signed BAA or supplier agreement with us and we will not allow it to dictate our business processes or affect our liability without the DOH enabler shouldering fiscal and legal exposure when DOH is shown to be the culprit in exposure of private data. I can't see how DOH is going to pass GDRP muster inside the EU either, but that is for others to debate. I have told my GDRP affected counterparts about the privacy risks with DOH deployment. as usual, YMMV. /William Manning On Sun, Mar 10, 2019 at 8:26 PM nalini elkins wrote: > > Similarly, putting DNS in user space allows for immediate adoption of > DNSSEC and privacy enhancements, even when the operating system or the > local network does not support them > > At enterprises (banks, insurance, etc) on their internal networks, people > run their own DNS servers which may resolve for both internal and external > sites. > > We were recently talking to a Fortune 50 company in the United States > about what might happen you install a version of the browser which uses > DNS-over-HTTPS automatically. (Clearly, this applies to any variant.) > > The questions that the Fortune 50 company architect asked were something > like this: > > 1. You mean that DNS could be resolved outside my enterprise? > > 2. So whoever that is that resolves my DNS sees the pattern and frequency > of what sites my company goes to? > > 3. How do I change this? > > I look forward to a discussion on this issue.. There will be at least > one enterprise present in Prague to speak for themselves. I will see if I > can get others to participate remotely. > > It would be good to also discuss how to warn enterprises that this is > about to happen. I wonder if an announcement via CERT or another group > may be appropriate. > > Thanks, > Nalini > > On Mon, Mar 11, 2019 at 6:36 AM Christian Huitema > wrote: > >> >> On 3/10/2019 4:07 PM, Vittorio Bertola wrote: >> > Honestly, I understood it differently - at this point in time they are >> > doing tests on whether their resolver performs better or worse than >> > the system's one, but their announced model is that Firefox will adopt >> > a DoH resolver (though it's unclear how it will be chosen) and it will >> > just use that one. But if people from Mozilla could make a clearer >> > announcement on what their plans currently are, that would be good. >> > Still, most of the issues arise whenever an application, for whatever >> > reason and under any mechanism, starts to use one or more resolvers >> > different than the one set up in the operating system: even if it used >> > more than one, you would still get many of the issues listed in the >> > document (though, if it used more than one at the same time, I think >> > you'd actually also get some new specific issues, so we'd need to add >> > a discussion of this possibility). >> >> >> Your view of operating systems and applications is firmly rooted in >> history, which is another way to say in the past. The evolution in the >> past years points to a systematic deconstruction of that relation, with >> for example virtual machine, containers, or the trend to move network >> stacks out of the operating system and into the application. This is >> pretty obvious for security stacks, but it is also becoming very clear >> with QUIC and transport stacks. There are two big drivers: portability, >> and rapid adoption of innovation. These two drivers apply to DNS just >> like they apply to transport. >> >> Putting QUIC in application space allows for immediate provision of >> innovations like 0-RTT, head-of-queue blocking mitigation, or the better >> crypto of TLS 1.3. Similarly, putting DNS in user space allows for >> immediate adoption of DNSSEC and privacy enhancements, even when the >> operating system or the local network does not support them. That genie >> is not going back in the bottle any time soon. >> >> -- Christian Huitema >> >> >> _______________________________________________ >> dns-privacy mailing list >> dns-privacy@ietf.org >> https://www.ietf.org/mailman/listinfo/dns-privacy >> > > > -- > Thanks, > Nalini Elkins > President > Enterprise Data Center Operators > www.e-dco.com > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > --000000000000625c190585cb2f8e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Every now and then, Paul Vixie and I are in complete harmo= ny.=C2=A0 In my current slot, we are one of thousands of entities that are = being held accountable to a series of regulatory requirements that have sig= nificant fiscal impacts on the exfiltration of private/patient data.=C2=A0 = We are starting to focus on three distinct areas to reduce the impact that = DOH presents to our security posture.=C2=A0 1) In contractual/proccurement = language.=C2=A0 We have some "Must have" items and now we will ha= ve "Must not" items.=C2=A0 2) There are at least two technical op= tions for tracking/blocking DOH which are being turned into turnkey options= to "swat" this covert C&C channel.=C2=A0 3) Aggressive Brows= er Hygiene.=C2=A0

This genie has not signed BAA or suppl= ier agreement with us and we will not allow it to dictate our business proc= esses or affect our liability without the DOH enabler shouldering fiscal an= d legal exposure when DOH is shown to be the culprit in exposure of private= data.=C2=A0 I can't see how DOH is going to pass GDRP muster inside th= e EU either, but that is for others to debate.=C2=A0 I have told my GDRP af= fected counterparts about the privacy risks with DOH deployment.=C2=A0

as usual, YMMV.=C2=A0=C2=A0

/= William Manning=C2=A0

On Sun, Mar 10, 2019 at 8:26 PM nalini elkins &l= t;nalini.elkins@e-dco.com>= ; wrote:
=C2=A0> Similarly, putting DNS in user space = allows for=C2=A0immediate adoption of DNSSEC and privacy enhancements, even= when the=C2=A0operating system or the local network does not support them= =C2=A0=C2=A0

At enterprises (banks, insurance, etc) = on their internal networks, people run their own DNS servers which may reso= lve for both internal and external sites.

We = were recently talking to a Fortune 50 company in the United States about wh= at might happen you install a version of the browser which uses DNS-over-HT= TPS automatically.=C2=A0 (Clearly, this applies to any variant.)
=
The questions that the Fortune 50 company architect asked we= re something like this:

1. You mean that DNS could= be resolved outside my enterprise?

2. So whoever = that is that resolves my DNS sees the pattern and frequency of what sites m= y company goes to?

3. How do I change this?
<= /div>

I look forward to a discussion on this issue..=C2= =A0 =C2=A0 There will be at least one enterprise present in Prague to speak= for themselves.=C2=A0 I will see if I can get others to participate remote= ly.

It would be good to also discuss how to warn e= nterprises that this is about to happen.=C2=A0 =C2=A0I wonder if an announc= ement via CERT or another group may be appropriate.=C2=A0 =C2=A0
=
Thanks,
Nalini

On Mon, Mar 11, 2019 at = 6:36 AM Christian Huitema <huitema@huitema.net> wrote:

On 3/10/2019 4:07 PM, Vittorio Bertola wrote:
> Honestly, I understood it differently - at this point in time they are=
> doing tests on whether their resolver performs better or worse than > the system's one, but their announced model is that Firefox will a= dopt
> a DoH resolver (though it's unclear how it will be chosen) and it = will
> just use that one. But if people from Mozilla could make a clearer
> announcement on what their plans currently are, that would be good. > Still, most of the issues arise whenever an application, for whatever<= br> > reason and under any mechanism, starts to use one or more resolvers > different than the one set up in the operating system: even if it used=
> more than one, you would still get many of the issues listed in the > document (though, if it used more than one at the same time, I think > you'd actually also get some new specific issues, so we'd need= to add
> a discussion of this possibility).


Your view of operating systems and applications is firmly rooted in
history, which is another way to say in the past. The evolution in the
past years points to a systematic deconstruction of that relation, with
for example virtual machine, containers, or the trend to move network
stacks out of the operating system and into the application. This is
pretty obvious for security stacks, but it is also becoming very clear
with QUIC and transport stacks. There are two big drivers: portability,
and rapid adoption of innovation. These two drivers apply to DNS just
like they apply to transport.

Putting QUIC in application space allows for immediate provision of
innovations like 0-RTT, head-of-queue blocking mitigation, or the better crypto of TLS 1.3. Similarly, putting DNS in user space allows for
immediate adoption of DNSSEC and privacy enhancements, even when the
operating system or the local network does not support them. That genie
is not going back in the bottle any time soon.

-- Christian Huitema


_______________________________________________
dns-privacy mailing list
dns-privacy@ietf.= org
https://www.ietf.org/mailman/listinfo/dns-privacy


--
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--000000000000625c190585cb2f8e-- From nobody Sat Apr 6 02:16:28 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 8727E120314; Sat, 6 Apr 2019 02:16:26 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: Peter Yee via Datatracker To: Cc: draft-ietf-dnsop-algorithm-update.all@ietf.org, dnsop@ietf.org, ietf@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.94.1 Auto-Submitted: auto-generated Precedence: bulk Reply-To: Peter Yee Message-ID: <155454218650.21891.1515975582177931040@ietfa.amsl.com> Date: Sat, 06 Apr 2019 02:16:26 -0700 Archived-At: Subject: [DNSOP] Genart telechat review of draft-ietf-dnsop-algorithm-update-07 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Apr 2019 09:16:26 -0000 Reviewer: Peter Yee Review result: Ready with Nits I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please wait for direction from your document shepherd or AD before posting a new version of the draft. For more information, please see the FAQ at . Document: draft-ietf-dnsop-algorithm-update-07 Reviewer: Peter Yee Review Date: 2019-04-06 IETF LC End Date: 2019-02-27 IESG Telechat date: 2019-04-11 Summary: This document updates the DNSKEY, DS, and CDS algorithm recommendations for use in DNSSEC based on current thinking in cryptography. This document is Ready with Nits as a Standards Track publication. Major issues: None Minor issues: None Nits/editorial comments: Page 2, Section 1.1, 2nd sentence: append a comma after "New". Page 3, Section 1.2, 2nd paragraph, 1st sentence: change "recommendation cannot be recommended" to "they cannot be recommended". Page 3, Section 1.2, 4th paragraph, 2nd sentence: change "recommendation" to "intent". Page 3, Section 1.2, 6th paragraph, 1st sentence: change "DNSKEY's" to "DNSKEYs". Page 3, Section 1.2, 6th paragraph, 3rd sentence: indicate for clarity where this marking will be done (essentially in a new version of this RFC). Page 4, Section 1.3: In general, it would be nice if there were references in the paragraphs following the table that point to the research that led to the statements of strength or lack of strength of the algorithms. Then again, this isn't an academic paper, so references aren't strictly required either. While I mostly (but not completely) agree with the notes on the individual algorithms, the average reader is left to take the statements as gospel rather than being able to make an informed decision on the current state of cryptography. Page 4, Section 1.3, 3rd sentence: delete a redundant "from". Page 5, 4th paragraph, 2nd sentence: change "cryptographics" to "cryptographic". Page 5, 4th paragraph, 3rd sentence: change "that" to "who". Page 5, 5th paragraph, 2nd sentence: delete "The" before "GOST". I'm generally in favor of dropping the definite article of algorithm abbreviations. If you prefer not to do so, then use the definitive article consistently throughout the document. Page 5, 6th paragraph, 3rd sentence: insert "the" before "deterministic". Page 5, 8th paragraph, 1st sentence: change "ED25519" to "Ed25519". Change "ED448" to "Ed448". Only make these two changes if you are referring to these algorithms by the names given to them by their authors as opposed to the mnemonics used within DNSSEC. (This statement also applies to the Ed25519 comment below.) Insert "the" before "Edwards". Page 5, 8th paragraph, 2nd sentence: delete "the" before "EdDSA". Delete "algorithm" after "EdDSA". Page 5, 8th paragraph, 4th sentence: change "ED25519" to "Ed25519". Page 6, Section 3.2, 2nd paragraph: insert "the" before "industry". Change "to move to" to "toward". Delete "the" before "ECDSAP256SHA256 ". Insert "the" before "RECOMMENDED". Change "RSA based" to "RSA-based". Page 6, Section 3.3, 3rd paragraph, 1st fragment: change "for" to "regarding". Append "are summarized in the table below." to the fragment. Page 6, Section 3.3, 3rd paragraph, 2nd sentence: append "recommendations" after "These". Page 6, 1st paragraph after table: append a period to the end of the sentence. Page 6, 2nd paragraph after the table: append a period to the end of the sentence. Page 6, 4th paragraph after the table, 2nd sentence: delete "The" before "GOST". Page 6, 5th paragraph, 1st sentence: change second "SHA-384" to "SHA-256". Page 7, Section 3.4, 1st sentence: change the period at the end of a sentence to a colon. Join the following sentence to the first sentence after deleting "The" before "SHA-256" and insert "the" before "RECOMMENDED". Page 7, Section 4: this section has not been reviewed since it is to be deleted by the RFC Editor prior to publication. Page 8, Section 5, 2nd paragraph, 2nd sentence: consider appending "(in the cryptographic sense)" after "broken". Page 9, Section 8, 1st paragraph, 1st sentence: delete an extraneous space after "I.". Append a comma after "Wouters". Page 9, Section 8, 2nd paragraph: append a comma after "Hoffman". "Imminent" in this sentence is probably not the word you want in document at time of publication, although it's fine to prod the named individuals into submitted input prior to publication. Page 9, Section 8, 3rd paragraph: change "the daylight" to "light". From nobody Sat Apr 6 11:04:20 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D827B120343; Sat, 6 Apr 2019 11:04:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jkB8Fx75oGST; Sat, 6 Apr 2019 11:04:15 -0700 (PDT) Received: from mail-lj1-x242.google.com (mail-lj1-x242.google.com [IPv6:2a00:1450:4864:20::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AB9D120088; Sat, 6 Apr 2019 11:04:15 -0700 (PDT) Received: by mail-lj1-x242.google.com with SMTP id p14so7844208ljg.5; Sat, 06 Apr 2019 11:04:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=b6Euf47XWEtl5GAq60AgnEDxFTNZPhVd490lCln0jUk=; b=LN+T1zbNQuAl0GqjuPEWx/NQaEO/PBPSp0VbT7NddHlYaAZ++gR9P4Dt34IuVwvDQm ufKuE7zwXtVHOm5jcuN9i88rLLIgY1yvoFmgFV4nx4IWyJZmlX/y4V0MLetXneTcU5LT JxFqOuhAKSWNT1UQ8Cv0ote4MdeUUuzxyvb4YLYhhb88wQNuRxcjzRTmyZcB/22CYsap yfgdY0u5hHUCWSwfo9DWl5xTmsIfnbnZfOkDcRvNni6xF+/zRPc7iefMl/dprQTD8riE CT/IVOtn4pWmyszmIdIMvYRndiY26KwIRZBgwr3QsYFSJ05zMTAfmVGnO40cfbtS34Or YBRg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=b6Euf47XWEtl5GAq60AgnEDxFTNZPhVd490lCln0jUk=; b=bJ+ovIvSRSbJvIQ3b8TFnd+EMVjCvCPvuKyP+pCKtPuHfF7DsuFXayXoaKMmJ5f0xZ mw3mkXcpkVIzK/lPU+nGarePwyzAJUOJKSOYRiS12ZTdO2WUOi7oUbIRxcWgypipfypV fEunB0BnY0AzhnmE2ThNVGROlarc7wLK4sgyAw4nUe4K/gTdJ/R/4Y9fNn0TDljl9hOU FRgjVwI/CFE/+ts1gnuhPSo7XkuLKDI1Ov32ZcdQkN8p1hCDqA8Gp8FGtlgYcLebxmCM 7S9UQnlngXHkJ7XWWWVI528zntUy7ecxGkkailaCKRmm/h0JWb+JAOcVvW4LJAqkYwa7 vmdA== X-Gm-Message-State: APjAAAUa4B0jlu8fjr1YNnl0gidydSS3dgRF1xrNQgADE4ei5YDr1xfk 2Eb8w9OpntZ4ToeUPO6zORxa0wENMvleo7wHIgj3jQ== X-Google-Smtp-Source: APXvYqz5TA+Qyj1nTKlFR+ZikOUV6gnbg2vpP8wbaIG+2T4ep0esVRAPO9h+6r5tKNP4REcvQhBaDnOF+iBEG0hltks= X-Received: by 2002:a2e:b016:: with SMTP id y22mr11162525ljk.133.1554573853392; Sat, 06 Apr 2019 11:04:13 -0700 (PDT) MIME-Version: 1.0 References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> In-Reply-To: From: Watson Ladd Date: Sat, 6 Apr 2019 11:04:01 -0700 Message-ID: To: william manning Cc: nalini elkins , Stephen Farrell , doh@ietf.org, dnsop , Christian Huitema , dns-privacy@ietf.org, Vittorio Bertola , "Ackermann, Michael" Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 06 Apr 2019 18:04:19 -0000 On Fri, Apr 5, 2019 at 9:45 AM william manning wrote: > > Every now and then, Paul Vixie and I are in complete harmony. In my curr= ent slot, we are one of thousands of entities that are being held accountab= le to a series of regulatory requirements that have significant fiscal impa= cts on the exfiltration of private/patient data. We are starting to focus = on three distinct areas to reduce the impact that DOH presents to our secur= ity posture. 1) In contractual/proccurement language. We have some "Must = have" items and now we will have "Must not" items. 2) There are at least t= wo technical options for tracking/blocking DOH which are being turned into = turnkey options to "swat" this covert C&C channel. 3) Aggressive Browser H= ygiene. > > This genie has not signed BAA or supplier agreement with us and we will n= ot allow it to dictate our business processes or affect our liability witho= ut the DOH enabler shouldering fiscal and legal exposure when DOH is shown = to be the culprit in exposure of private data. I can't see how DOH is goin= g to pass GDRP muster inside the EU either, but that is for others to debat= e. I have told my GDRP affected counterparts about the privacy risks with = DOH deployment. You know you can just turn it off the same way you configure your devices on your network. I also don't understand the GDRP issue you raise: surely all DNS services have the same problems. I'm more than happy to show you how to click the checkbox to turn it off in Firefox. In fact there is a checkbox you need to click to turn it on, and you can customize it at will. (I literally just checked) > as usual, YMMV. > > /William Manning > > On Sun, Mar 10, 2019 at 8:26 PM nalini elkins w= rote: >> >> > Similarly, putting DNS in user space allows for immediate adoption of= DNSSEC and privacy enhancements, even when the operating system or the loc= al network does not support them >> >> At enterprises (banks, insurance, etc) on their internal networks, peopl= e run their own DNS servers which may resolve for both internal and externa= l sites. >> >> We were recently talking to a Fortune 50 company in the United States ab= out what might happen you install a version of the browser which uses DNS-o= ver-HTTPS automatically. (Clearly, this applies to any variant.) >> >> The questions that the Fortune 50 company architect asked were something= like this: >> >> 1. You mean that DNS could be resolved outside my enterprise? >> >> 2. So whoever that is that resolves my DNS sees the pattern and frequenc= y of what sites my company goes to? >> >> 3. How do I change this? >> >> I look forward to a discussion on this issue.. There will be at least= one enterprise present in Prague to speak for themselves. I will see if I= can get others to participate remotely. >> >> It would be good to also discuss how to warn enterprises that this is ab= out to happen. I wonder if an announcement via CERT or another group may = be appropriate. >> >> Thanks, >> Nalini >> >> On Mon, Mar 11, 2019 at 6:36 AM Christian Huitema = wrote: >>> >>> >>> On 3/10/2019 4:07 PM, Vittorio Bertola wrote: >>> > Honestly, I understood it differently - at this point in time they ar= e >>> > doing tests on whether their resolver performs better or worse than >>> > the system's one, but their announced model is that Firefox will adop= t >>> > a DoH resolver (though it's unclear how it will be chosen) and it wil= l >>> > just use that one. But if people from Mozilla could make a clearer >>> > announcement on what their plans currently are, that would be good. >>> > Still, most of the issues arise whenever an application, for whatever >>> > reason and under any mechanism, starts to use one or more resolvers >>> > different than the one set up in the operating system: even if it use= d >>> > more than one, you would still get many of the issues listed in the >>> > document (though, if it used more than one at the same time, I think >>> > you'd actually also get some new specific issues, so we'd need to add >>> > a discussion of this possibility). >>> >>> >>> Your view of operating systems and applications is firmly rooted in >>> history, which is another way to say in the past. The evolution in the >>> past years points to a systematic deconstruction of that relation, with >>> for example virtual machine, containers, or the trend to move network >>> stacks out of the operating system and into the application. This is >>> pretty obvious for security stacks, but it is also becoming very clear >>> with QUIC and transport stacks. There are two big drivers: portability, >>> and rapid adoption of innovation. These two drivers apply to DNS just >>> like they apply to transport. >>> >>> Putting QUIC in application space allows for immediate provision of >>> innovations like 0-RTT, head-of-queue blocking mitigation, or the bette= r >>> crypto of TLS 1.3. Similarly, putting DNS in user space allows for >>> immediate adoption of DNSSEC and privacy enhancements, even when the >>> operating system or the local network does not support them. That genie >>> is not going back in the bottle any time soon. >>> >>> -- Christian Huitema >>> >>> >>> _______________________________________________ >>> dns-privacy mailing list >>> dns-privacy@ietf.org >>> https://www.ietf.org/mailman/listinfo/dns-privacy >> >> >> >> -- >> Thanks, >> Nalini Elkins >> President >> Enterprise Data Center Operators >> www.e-dco.com >> >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> https://www.ietf.org/mailman/listinfo/dnsop > > _______________________________________________ > dns-privacy mailing list > dns-privacy@ietf.org > https://www.ietf.org/mailman/listinfo/dns-privacy --=20 "Man is born free, but everywhere he is in chains". --Rousseau. From nobody Sun Apr 7 12:16:33 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF20812036F; Sun, 7 Apr 2019 12:16:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uDdlJWSzNE0y; Sun, 7 Apr 2019 12:16:21 -0700 (PDT) Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AFB7120340; Sun, 7 Apr 2019 12:16:21 -0700 (PDT) Received: from [10.226.185.109] (80-254-69-45.dynamic.monzoon.net [80.254.69.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 1053E892C6; Sun, 7 Apr 2019 19:16:17 +0000 (UTC) To: william manning Cc: nalini elkins , Stephen Farrell , doh@ietf.org, dnsop , Christian Huitema , dns-privacy@ietf.org, Vittorio Bertola , "Ackermann, Michael" References: <1700920918.12557.1552229700654@appsuite.open-xchange.com> <7667c4d7-2e78-0a27-84af-cf1c00fd4897@cs.tcd.ie> <1991054337.12802.1552259263075@appsuite.open-xchange.com> From: Paul Vixie Message-ID: <77cbdb35-aa06-a918-96c3-d25a4f5391d2@redbarn.org> Date: Sun, 7 Apr 2019 12:16:17 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.13 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Archived-At: Subject: Re: [DNSOP] [dns-privacy] New: draft-bertola-bcp-doh-clients X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Apr 2019 19:16:23 -0000 william manning wrote on 2019-04-05 09:43: > Every now and then, Paul Vixie and I are in complete harmony. i am in no way concerned about that. > In my > current slot, we are one of thousands of entities that are being held > accountable to a series of regulatory requirements that have significant > fiscal impacts on the exfiltration of private/patient data.  We are > starting to focus on three distinct areas to reduce the impact that DOH > presents to our security posture.  ... sadly, there are some here, and many elsewhere, who consider that you already had that burden, because the opacity of HTTPS especially with TLS 1.3 and encrypted SNI, means that the exfiltration risk preexisted, and was not made worse by DOH. those considerations are naive and incorrect. however, it's necessary to explicitly re-dismiss them every time you mention the imposed costs of DOH. it is the _standardization_ aspect of DOH, and the possibility of encountering it inside HTTPS TCP IP DST addresses that did not offer it pre-standardization, that imposes the _new_ exfiltration and other risks. > This genie has not signed BAA or supplier agreement with us and we will > not allow it to dictate our business processes or affect our liability > without the DOH enabler shouldering fiscal and legal exposure when DOH > is shown to be the culprit in exposure of private data.  I can't see how > DOH is going to pass GDRP muster inside the EU either, but that is for > others to debate.  I have told my GDRP affected counterparts about the > privacy risks with DOH deployment. i hear your pain. -- P Vixie From nobody Sun Apr 7 20:54:17 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1300B12017D; Sun, 7 Apr 2019 20:54:15 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit From: Barry Leiba via Datatracker To: "The IESG" Cc: draft-ietf-dnsop-algorithm-update@ietf.org, Tim Wicinski , dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.94.1 Auto-Submitted: auto-generated Precedence: bulk Reply-To: Barry Leiba Message-ID: <155469565506.18178.2731835407101430236.idtracker@ietfa.amsl.com> Date: Sun, 07 Apr 2019 20:54:15 -0700 Archived-At: Subject: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-algorithm-update-07: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Apr 2019 03:54:15 -0000 Barry Leiba has entered the following ballot position for draft-ietf-dnsop-algorithm-update-07: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- — Section 1.2 — This document only provides recommendations with respect to mandatory-to-implement algorithms or algorithms so weak that recommendation cannot be recommended. “...so weak that their use cannot [or perhaps can no longer] be recommended.” From nobody Mon Apr 8 07:57:32 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 55D4E120026; Mon, 8 Apr 2019 07:57:29 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: Alissa Cooper via Datatracker To: "The IESG" Cc: draft-ietf-dnsop-algorithm-update@ietf.org, Tim Wicinski , dnsop-chairs@ietf.org, tjw.ietf@gmail.com, dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.94.1 Auto-Submitted: auto-generated Precedence: bulk Reply-To: Alissa Cooper Message-ID: <155473544934.29164.8897437117477775185.idtracker@ietfa.amsl.com> Date: Mon, 08 Apr 2019 07:57:29 -0700 Archived-At: Subject: [DNSOP] Alissa Cooper's Yes on draft-ietf-dnsop-algorithm-update-07: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Apr 2019 14:57:29 -0000 Alissa Cooper has entered the following ballot position for draft-ietf-dnsop-algorithm-update-07: Yes When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Please respond to the Gen-ART review. In line with Mirja's comment, if the WG or someone in it were planning on maintaining the 4.1 comparison table somewhere less stable than an RFC, that seems like it could be useful and could be linked to from the WG datatracker page. From nobody Mon Apr 8 07:59:57 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2911120144; Mon, 8 Apr 2019 07:59:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.701 X-Spam-Level: X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cooperw.in header.b=jyDuPpik; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=wAehnhQG Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O84eAnCccOSp; Mon, 8 Apr 2019 07:59:54 -0700 (PDT) Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23C0B120026; Mon, 8 Apr 2019 07:59:54 -0700 (PDT) Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 31988CF4; Mon, 8 Apr 2019 10:59:53 -0400 (EDT) Received: from mailfrontend1 ([10.202.2.162]) by compute7.internal (MEProxy); Mon, 08 Apr 2019 10:59:53 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cooperw.in; h= content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; s=fm2; bh=E waSqot/S3J/OIJkvGDrcOs+7aAqIWQCJ26b0hzaIDc=; b=jyDuPpik47QnCiiwc AjlFoLZAC5tmKb8w4dr5RbGFGdZRFWLzHKvrzupCZkEwOQu/LzWTXKfaL12oLIQx fZ24SfONazgtIUOoE6Llce8QCdNcf5P5sYvv1ViVR7++PEhIOkg+napcKiwPkSTz 0bbDuPozhM5cOVwZy7czqMWWK6Mpqz71RWIB4MxnCrTc51UEmnI0/Vwh6uPDN08O JnozB/wXPlPcGcfsxf3m+sbpdzXvPOSZ5I4OiMPlRXVeU4fK/1g10tY9yK4lGMsc lnyspOUVwYIekC/XeaTvQeWqkE3yv+Ay5A76yfVYPCGi2jlWNt96NAEkt6K/iVi6 3kFzA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=EwaSqot/S3J/OIJkvGDrcOs+7aAqIWQCJ26b0hzaI Dc=; b=wAehnhQGetogSNSUbzmgSm7nxCJRhXYvRIrNd7+zND18/pgs5arYzDDC4 cO8Xb7wviccRPSJfWsXCx9OozPxKylIlFE84fAT+UABIwmS2DQ+gSo/hIYWeOUDB tZYRYTHvr7as738KFpe23vqzNRKEB4CxKKRjKOC6hyKirQJ+6Sj3R4/lzA9PKPqU g61xhloj2VAN+LaKi9hHXH4QQotsxezSpln3tDQPswsQDetskrX78YyeUeIEuT8L 3VoRPl6RG2LzyhGikQoN1XfhXvbE+K/g34pwwB3Uq2TI25fblpWCZA+5PSS/KARd K/lBxWXGirA/ZDhgfL7jAKh+tU6wA== X-ME-Sender: X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduuddrudefgdekgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpegtggfuhfgjfffgkfhfvffosehtqhhmtdhhtddvnecuhfhrohhmpeetlhhishhs rgcuvehoohhpvghruceorghlihhsshgrsegtohhophgvrhifrdhinheqnecuffhomhgrih hnpehivghtfhdrohhrghenucfkphepudejfedrfeekrdduudejrdelfeenucfrrghrrghm pehmrghilhhfrhhomheprghlihhsshgrsegtohhophgvrhifrdhinhenucevlhhushhtvg hrufhiiigvpedt X-ME-Proxy: Received: from rtp-alcoop-nitro5.cisco.com (unknown [173.38.117.93]) by mail.messagingengine.com (Postfix) with ESMTPA id C76E3E40FF; Mon, 8 Apr 2019 10:59:51 -0400 (EDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) From: Alissa Cooper In-Reply-To: <155454218650.21891.1515975582177931040@ietfa.amsl.com> Date: Mon, 8 Apr 2019 10:59:50 -0400 Cc: General Area Review Team , draft-ietf-dnsop-algorithm-update.all@ietf.org, dnsop@ietf.org, ietf@ietf.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <155454218650.21891.1515975582177931040@ietfa.amsl.com> To: Peter Yee X-Mailer: Apple Mail (2.3445.9.1) Archived-At: Subject: Re: [DNSOP] [Gen-art] Genart telechat review of draft-ietf-dnsop-algorithm-update-07 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Apr 2019 14:59:56 -0000 Peter, thanks for your review. I entered a Yes ballot and pointed to = your review. Alissa > On Apr 6, 2019, at 5:16 AM, Peter Yee via Datatracker = wrote: >=20 > Reviewer: Peter Yee > Review result: Ready with Nits >=20 > I am the assigned Gen-ART reviewer for this draft. The General Area > Review Team (Gen-ART) reviews all IETF documents being processed > by the IESG for the IETF Chair. Please wait for direction from your > document shepherd or AD before posting a new version of the draft. >=20 > For more information, please see the FAQ at >=20 > . >=20 > Document: draft-ietf-dnsop-algorithm-update-07 > Reviewer: Peter Yee > Review Date: 2019-04-06 > IETF LC End Date: 2019-02-27 > IESG Telechat date: 2019-04-11 >=20 > Summary: This document updates the DNSKEY, DS, and CDS algorithm > recommendations for use in DNSSEC based on current thinking in = cryptography.=20 > This document is Ready with Nits as a Standards Track publication. >=20 > Major issues: None >=20 > Minor issues: None >=20 > Nits/editorial comments: >=20 > Page 2, Section 1.1, 2nd sentence: append a comma after "New". >=20 > Page 3, Section 1.2, 2nd paragraph, 1st sentence: change = "recommendation cannot > be recommended" to "they cannot be recommended". >=20 > Page 3, Section 1.2, 4th paragraph, 2nd sentence: change = "recommendation" to > "intent". >=20 > Page 3, Section 1.2, 6th paragraph, 1st sentence: change "DNSKEY's" to > "DNSKEYs". >=20 > Page 3, Section 1.2, 6th paragraph, 3rd sentence: indicate for clarity = where > this marking will be done (essentially in a new version of this RFC). >=20 > Page 4, Section 1.3: In general, it would be nice if there were = references in > the paragraphs following the table that point to the research that led = to the > statements of strength or lack of strength of the algorithms. Then = again, this > isn't an academic paper, so references aren't strictly required = either. While > I mostly (but not completely) agree with the notes on the individual > algorithms, the average reader is left to take the statements as = gospel rather > than being able to make an informed decision on the current state of > cryptography. >=20 > Page 4, Section 1.3, 3rd sentence: delete a redundant "from". >=20 > Page 5, 4th paragraph, 2nd sentence: change "cryptographics" to = "cryptographic". >=20 > Page 5, 4th paragraph, 3rd sentence: change "that" to "who". >=20 > Page 5, 5th paragraph, 2nd sentence: delete "The" before "GOST". I'm = generally > in favor of dropping the definite article of algorithm abbreviations. = If you > prefer not to do so, then use the definitive article consistently = throughout > the document. >=20 > Page 5, 6th paragraph, 3rd sentence: insert "the" before = "deterministic". >=20 > Page 5, 8th paragraph, 1st sentence: change "ED25519" to "Ed25519". = Change > "ED448" to "Ed448". Only make these two changes if you are referring = to these > algorithms by the names given to them by their authors as opposed to = the > mnemonics used within DNSSEC. (This statement also applies to the = Ed25519 > comment below.) Insert "the" before "Edwards". >=20 > Page 5, 8th paragraph, 2nd sentence: delete "the" before "EdDSA". = Delete > "algorithm" after "EdDSA". >=20 > Page 5, 8th paragraph, 4th sentence: change "ED25519" to "Ed25519". >=20 > Page 6, Section 3.2, 2nd paragraph: insert "the" before "industry". = Change "to > move to" to "toward". Delete "the" before "ECDSAP256SHA256 ". Insert = "the" > before "RECOMMENDED". Change "RSA based" to "RSA-based". >=20 > Page 6, Section 3.3, 3rd paragraph, 1st fragment: change "for" to = "regarding".=20 > Append "are summarized in the table below." to the fragment. >=20 > Page 6, Section 3.3, 3rd paragraph, 2nd sentence: append = "recommendations" > after "These". >=20 > Page 6, 1st paragraph after table: append a period to the end of the = sentence. >=20 > Page 6, 2nd paragraph after the table: append a period to the end of = the > sentence. >=20 > Page 6, 4th paragraph after the table, 2nd sentence: delete "The" = before "GOST". >=20 > Page 6, 5th paragraph, 1st sentence: change second "SHA-384" to = "SHA-256". >=20 > Page 7, Section 3.4, 1st sentence: change the period at the end of a = sentence > to a colon. Join the following sentence to the first sentence after = deleting > "The" before "SHA-256" and insert "the" before "RECOMMENDED". >=20 > Page 7, Section 4: this section has not been reviewed since it is to = be deleted > by the RFC Editor prior to publication. >=20 > Page 8, Section 5, 2nd paragraph, 2nd sentence: consider appending = "(in the > cryptographic sense)" after "broken". >=20 > Page 9, Section 8, 1st paragraph, 1st sentence: delete an extraneous = space > after "I.". Append a comma after "Wouters". >=20 > Page 9, Section 8, 2nd paragraph: append a comma after "Hoffman". = "Imminent" > in this sentence is probably not the word you want in document at time = of > publication, although it's fine to prod the named individuals into = submitted > input prior to publication. >=20 > Page 9, Section 8, 3rd paragraph: change "the daylight" to "light". >=20 > _______________________________________________ > Gen-art mailing list > Gen-art@ietf.org > https://www.ietf.org/mailman/listinfo/gen-art From nobody Mon Apr 8 11:20:05 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D9881201E6; Mon, 8 Apr 2019 11:20:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.649 X-Spam-Level: X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fYItcDuzXSCS; Mon, 8 Apr 2019 11:20:02 -0700 (PDT) Received: from mail-io1-f43.google.com (mail-io1-f43.google.com [209.85.166.43]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6A541200A1; Mon, 8 Apr 2019 11:19:58 -0700 (PDT) Received: by mail-io1-f43.google.com with SMTP id p16so11923625iod.2; Mon, 08 Apr 2019 11:19:58 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc :content-transfer-encoding; bh=n7PXX5w8k50J/E8Pymhjie+q5xHUwUi7o5Ex45cxw58=; b=BiyFo23NO9Dnmmsg4dBn2cmhO9sFirx6Kpz1zkiJisNw+lE/ykaCMNengypS2/XTrE 7nuDzeyb26xTBjOQVCpAQkf8TSgFUykl7V/1l1AibriNisZfhUv90WKCuc4qq1r5Iqsp qMW62UsJ3z+/ZN7OY280z1u/uLuHJXeGpAzUyIMo9a6qgRU4tF8p0fKe9ijbYbJRtNiP hJ71MQWYH5sp/OphVxzZG1zy/R9HdevCEJhozZkCH1vuagKTh1TQDmbFRD+OtYQbF9YN BEfo3rITHQNVReS2mRkF+vSZkBwUvC3eQ65UdulG0NQjuc53ZNaf9A38aeXg59fcK+sr 8jCg== X-Gm-Message-State: APjAAAVsr60j1gkwludIx25Kg13W+nf/zyCI3maXzABNKxdVDB+myu6U 4GpSfL/IMtEkd1rKpjkHu4PSA7/Cpi8ubGkd4K9tUyL1 X-Google-Smtp-Source: APXvYqzLCsCMpNEHvs2ms85uQwuwOzMBrIWAiF0cWSF37DwMRBCCTpej8qUb01wCvGmUjY5Vz0n+/lDCHAnvjG9hPQc= X-Received: by 2002:a6b:7417:: with SMTP id s23mr21147710iog.2.1554747597606; Mon, 08 Apr 2019 11:19:57 -0700 (PDT) MIME-Version: 1.0 From: Barry Leiba Date: Mon, 8 Apr 2019 14:19:46 -0400 Message-ID: To: doh@ietf.org, dprive@ietf.org, dnsop@ietf.org, add@ietf.org Cc: doh-chairs@ietf.org, dprive-chairs@ietf.org, dnsop-chairs Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: [DNSOP] Ongoing discussion of DoH, DoT, and related issues X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Apr 2019 18:20:04 -0000 A mailing list has been created for the ongoing discussion of issues with DNS over HTTPS, DNS over TLS, implementation choices for those, application usage, operational concerns, privacy concerns, performance concerns, and any other such. Please take all that related discussion to the new list and please stop discussing it on DOH, DPRIVE, DNSOP, and any other lists =E2=80=94 that will keep the related discussion in one place, and avoid fragmenting it and having people repeat themselves because of the fragmentation. The new list is called ADD =E2=80=94 Applications Doing DNS: https://www.ietf.org/mailman/listinfo/add ...and it's in the "to" list of this message. Subscriptions are now open. With this message I=E2=80=99m asking the working group chairs for DOH, DPRI= VE, and DNSOP to be strict about stopping discussion of these topics on their lists, and directing people to the new =E2=80=9CADD=E2=80=9D list. Of course, work directly relevant to the charters of these working groups should continue on their respective lists, as usual. For the longer term, the relevant ADs are discussing the right path. At the moment that looks like a BoF in Montreal (IETF 105) aimed at forming an =E2=80=9CADD=E2=80=9D working group, most likely in the ART Area= but with significant crossover expected and desired from Ops, Sec, Int, and probably the rest of the solar system IETF community. Barry Leiba, ART AD From nobody Mon Apr 8 11:40:52 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A724312032B; Mon, 8 Apr 2019 11:40:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3gtcfGdYXem0; Mon, 8 Apr 2019 11:40:49 -0700 (PDT) Received: from burnttofu.net (burnttofu.net [IPv6:2607:fc50:1:9d00::9977]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FBC4120220; Mon, 8 Apr 2019 11:40:49 -0700 (PDT) Received: from elwha.brokendns.net (elwha.brokendns.net [IPv6:2607:f2f8:a544:0:0:0:0:2]) by burnttofu.net (8.15.2/8.15.2) with ESMTPS id x38IefMN095398 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Mon, 8 Apr 2019 14:40:42 -0400 (EDT) (envelope-from michael@brokendns.net) Received: from kimberton.burnttofu.net (unknown [IPv6:2604:5500:c2c2:fb00::7777]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by elwha.brokendns.net (5.65c/IDA-1.4.4/5.63) with ESMTPSA id 8A0276755B; Mon, 8 Apr 2019 11:40:43 -0700 (PDT) To: Peter Yee , gen-art@ietf.org Cc: draft-ietf-dnsop-algorithm-update.all@ietf.org, dnsop@ietf.org, ietf@ietf.org References: <155454218650.21891.1515975582177931040@ietfa.amsl.com> From: Michael Sinatra Message-ID: <67bae27f-a885-b441-63d2-fca6c7cca8e8@brokendns.net> Date: Mon, 8 Apr 2019 11:40:31 -0700 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <155454218650.21891.1515975582177931040@ietfa.amsl.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-Greylist: Default is to whitelist mail, not delayed by milter-greylist-4.6.2 (burnttofu.net [IPv6:2607:fc50:1:9d00:0:0:0:9977]); Mon, 08 Apr 2019 14:40:43 -0400 (EDT) Archived-At: Subject: Re: [DNSOP] Genart telechat review of draft-ietf-dnsop-algorithm-update-07 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Apr 2019 18:40:51 -0000 On 2019-04-06 02:16, Peter Yee via Datatracker wrote: > Page 9, Section 8, 2nd paragraph: append a comma after "Hoffman". "Imminent" > in this sentence is probably not the word you want in document at time of > publication, although it's fine to prod the named individuals into submitted > input prior to publication. As one of the "imminent" reviewers, I had previously had some concerns around some of the language of the recommendations. The latest few drafts have settled those concerns, in concert with discussions with other folks in the WG and outside. I think the document is ready to go, pending resolution of the various nits identified in the Genart review. Michael Sinatra From nobody Mon Apr 8 14:11:55 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AFA612010E; Mon, 8 Apr 2019 14:11:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S30gBg2d48de; Mon, 8 Apr 2019 14:11:52 -0700 (PDT) Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00792120013; Mon, 8 Apr 2019 14:11:51 -0700 (PDT) Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 44dNQY0tYxzKHt; Mon, 8 Apr 2019 23:11:49 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1554757909; bh=2nwi1IPlapTWFlw1LE1BD6kxIwsc0xL/pgql1tyj88U=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=s+i9eaklm/hB1QyRyEf2xN2oiZWI82ufaig0DPHIxtrAryozxUbVqq66s1MFT2zeZ 8LV5sh1FFlJ1r0NNzyxDBC1m8G5Lw6yNQ6HypBIQSCyGGLKSjq2cY2pOfNE8OUTJCy v6VjMeRuEUNMDm5qt6jixOXHX/LGEWy2A6SvJC/Q= X-Virus-Scanned: amavisd-new at mx.nohats.ca Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id NXzfEfs_vyvH; Mon, 8 Apr 2019 23:11:48 +0200 (CEST) Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Mon, 8 Apr 2019 23:11:48 +0200 (CEST) Received: by bofh.nohats.ca (Postfix, from userid 1000) id 33C5B39A620; Mon, 8 Apr 2019 17:11:47 -0400 (EDT) DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 33C5B39A620 Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 271D340D358A; Mon, 8 Apr 2019 17:11:47 -0400 (EDT) Date: Mon, 8 Apr 2019 17:11:47 -0400 (EDT) From: Paul Wouters To: Michael Sinatra cc: gen-art@ietf.org, dnsop , ietf@ietf.org In-Reply-To: <67bae27f-a885-b441-63d2-fca6c7cca8e8@brokendns.net> Message-ID: References: <155454218650.21891.1515975582177931040@ietfa.amsl.com> <67bae27f-a885-b441-63d2-fca6c7cca8e8@brokendns.net> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Archived-At: Subject: Re: [DNSOP] Genart telechat review of draft-ietf-dnsop-algorithm-update-07 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 08 Apr 2019 21:11:53 -0000 On Mon, 8 Apr 2019, Michael Sinatra wrote: > On 2019-04-06 02:16, Peter Yee via Datatracker wrote: > >> Page 9, Section 8, 2nd paragraph: append a comma after "Hoffman". "Imminent" >> in this sentence is probably not the word you want in document at time of >> publication, although it's fine to prod the named individuals into submitted >> input prior to publication. > > As one of the "imminent" reviewers, I had previously had some concerns > around some of the language of the recommendations. The latest few > drafts have settled those concerns, in concert with discussions with > other folks in the WG and outside. I think the document is ready to go, > pending resolution of the various nits identified in the Genart review. I will be working on all the input we got from the IESG and others. Thanks! The word "imminent" was a joke in the draft, as it referred to people who had promised to review the document upon adoption. A little nudge to keep them honest. It should have been removed after the -00 version :) Paul From nobody Tue Apr 9 04:45:28 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A4D1120785; Tue, 9 Apr 2019 04:45:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5kkR7YjFDYPl; Tue, 9 Apr 2019 04:45:25 -0700 (PDT) Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 076B0120784; Tue, 9 Apr 2019 04:45:25 -0700 (PDT) Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 44dlpV1P7Qz45c; Tue, 9 Apr 2019 13:45:22 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1554810322; bh=sB9/1xMezZHYraepxEJTSGyaNHmuBoQ/kKK/5Fibt34=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=eXBHUrdumVCXofKY5rUP9UB1OfQc3q+ZC/oUXIwixmAwdHj0hDE920vCxTZka9h7m fSgUA8soPz7A9tdclWqPGr+c12Nj0VNpnkMtPZPHkMKrN7ulHeg14nn85bKVRPUK4i sI4tyBhUJQ9olTppYQ7TaMTWgMjv86yr+0mFkM1o= X-Virus-Scanned: amavisd-new at mx.nohats.ca Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id eZ9cVVYuHsBQ; Tue, 9 Apr 2019 13:45:20 +0200 (CEST) Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 9 Apr 2019 13:45:19 +0200 (CEST) Received: by bofh.nohats.ca (Postfix, from userid 1000) id AE03B5C856; Tue, 9 Apr 2019 07:45:18 -0400 (EDT) DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca AE03B5C856 Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id A353A40D358A; Tue, 9 Apr 2019 07:45:18 -0400 (EDT) Date: Tue, 9 Apr 2019 07:45:18 -0400 (EDT) From: Paul Wouters To: Alissa Cooper cc: Peter Yee , draft-ietf-dnsop-algorithm-update.all@ietf.org, General Area Review Team , dnsop@ietf.org, ietf@ietf.org In-Reply-To: Message-ID: References: <155454218650.21891.1515975582177931040@ietfa.amsl.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed Archived-At: Subject: Re: [DNSOP] [Gen-art] Genart telechat review of draft-ietf-dnsop-algorithm-update-07 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 11:45:27 -0000 On Mon, 8 Apr 2019, Alissa Cooper wrote: > Peter, thanks for your review. I entered a Yes ballot and pointed to your review. Indeed, thanks for the review Peter! I've incorporated all of your suggestions, with the exception of: >> Page 4, Section 1.3: In general, it would be nice if there were references in >> the paragraphs following the table that point to the research that led to the >> statements of strength or lack of strength of the algorithms. Then again, this >> isn't an academic paper, so references aren't strictly required either. While >> I mostly (but not completely) agree with the notes on the individual >> algorithms, the average reader is left to take the statements as gospel rather >> than being able to make an informed decision on the current state of >> cryptography. We did not want to add these to the document, in an attempt to keep the document short and on topic. >> Page 5, 8th paragraph, 1st sentence: change "ED25519" to "Ed25519". Change >> "ED448" to "Ed448". Only make these two changes if you are referring to these >> algorithms by the names given to them by their authors as opposed to the >> mnemonics used within DNSSEC. (This statement also applies to the Ed25519 >> comment below.) Insert "the" before "Edwards". We are using the mnemonics, so I left these as is. >> Page 5, 8th paragraph, 4th sentence: change "ED25519" to "Ed25519". Same, >> Page 6, Section 3.3, 3rd paragraph, 1st fragment: change "for" to "regarding". >> Append "are summarized in the table below." to the fragment. I did not understand this change request? Paul From nobody Tue Apr 9 04:55:46 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7C62120786; Tue, 9 Apr 2019 04:55:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZoEpemLeJ1rO; Tue, 9 Apr 2019 04:55:43 -0700 (PDT) Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD1E712078A; Tue, 9 Apr 2019 04:55:42 -0700 (PDT) Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 44dm2N1msVz59L; Tue, 9 Apr 2019 13:55:40 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1554810940; bh=+6AL7ISc4jGJP4WxBbXUHs2Ax4V27Ruvy5E2utB1/Jw=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=SNoTNxgyDTRcED7UqiqblTVfjy3SOACk3XZpvnK62PZY/2DDMu4zCsC20jOXDJ0vh lUzR/Yl62wZWIZi6gvPrwac1wpKwy+DxsgtAm4lHUBdI74b03tsYHX2kTCo0A5pTfz XPl+TEzhNS17eFQMWkuXeB06PA+KHTyTuuFX7688= X-Virus-Scanned: amavisd-new at mx.nohats.ca Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 6YSN7GSnJG_d; Tue, 9 Apr 2019 13:55:38 +0200 (CEST) Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 9 Apr 2019 13:55:37 +0200 (CEST) Received: by bofh.nohats.ca (Postfix, from userid 1000) id 8661C5C856; Tue, 9 Apr 2019 07:55:36 -0400 (EDT) DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 8661C5C856 Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 7BCD440D358A; Tue, 9 Apr 2019 07:55:36 -0400 (EDT) Date: Tue, 9 Apr 2019 07:55:36 -0400 (EDT) From: Paul Wouters To: Bob Harold cc: Benjamin Kaduk , Tim Wicinski , draft-ietf-dnsop-algorithm-update@ietf.org, IETF DNSOP WG , dnsop-chairs@ietf.org, The IESG In-Reply-To: Message-ID: References: <155448126450.10133.15933575757540602207.idtracker@ietfa.amsl.com> User-Agent: Alpine 2.21 (LRH 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8BIT Archived-At: Subject: Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-algorithm-update-07: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 11:55:45 -0000 On Fri, 5 Apr 2019, Bob Harold wrote: > I'm a little surprised that this is going for PS rather than BCP, > which seems like it would reflect the recognized need for recurring > updates to the guidance given. Personally, it seems a PS feels like it has a little more weight. Not just a recommendation but a strong nudge towards doing this. > In a similar vein, if we stay at PS, a lot of the references seem like > they would need to move from Informative to Normative, since to > implement the various MUST-level algorithms you have to follow those > references. I would not say those references are normative in that sense. You don't HAVE to read how GOST is specified to not implement it. > Section 1.1 > >    The field of cryptography evolves continuously.  New stronger >    algorithms appear and existing algorithms are found to be less secure >    then originally thought.  [...] > > I'd suggest also noting that attacks previously thought to be > computationally infeasible become more accessible as the available > computational resources increase. Added. > Section 1.2 > >                                   For clarification and consistency, an >    algorithm will be specified as MAY in this document only when it has >    been downgraded. > > Does "downgraded" mean that it was formerly mandatory but has been > rotated out of the mandatory role?  Perhaps explicitly saying > "downgraded from " would aid clarity. Added. > Section 3.3 > > >    SHA-384 shares the same properties as SHA-256, but offers a modest >    security advantage over SHA-384 (384-bits of strength versus > > nit: SHA-384 has an advantage over ... SHA-384? Fixed. >    We wish to thank Michael Sinatra, Roland van Rijswijk-Deij, Olafur >    Gudmundsson, Paul Hoffman and Evan Hunt for their imminent feedback. > > IIRC a directorate reviewer noted that "imminent" means "expected to > arrive in the near future but not yet present"; such text does not seem > appropriate for final publication since review after that point would > not be helpful. That was fixed too :) Thanks for the review! Paul From nobody Tue Apr 9 05:02:15 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E820120793; Tue, 9 Apr 2019 05:02:08 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.94.1 Auto-Submitted: auto-generated Precedence: bulk Reply-To: dnsop@ietf.org Message-ID: <155481132834.14236.4961037521991201904@ietfa.amsl.com> Date: Tue, 09 Apr 2019 05:02:08 -0700 Archived-At: Subject: [DNSOP] I-D Action: draft-ietf-dnsop-algorithm-update-08.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 12:02:08 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF. Title : Algorithm Implementation Requirements and Usage Guidance for DNSSEC Authors : Paul Wouters Ondrej Sury Filename : draft-ietf-dnsop-algorithm-update-08.txt Pages : 11 Date : 2019-04-09 Abstract: The DNSSEC protocol makes use of various cryptographic algorithms in order to provide authentication of DNS data and proof of non- existence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document defines the current algorithm implementation requirements and usage guidance for DNSSEC. This document obsoletes [RFC6944]. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-08 https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-algorithm-update-08 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-08 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Tue Apr 9 05:09:35 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8F521207B6 for ; Tue, 9 Apr 2019 05:09:33 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.022 X-Spam-Level: X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fcelda.cz Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rUVlCXm4BhSf for ; Tue, 9 Apr 2019 05:09:32 -0700 (PDT) Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F41BB1207B5 for ; Tue, 9 Apr 2019 05:09:31 -0700 (PDT) Received: by mail-vs1-xe2a.google.com with SMTP id o10so7032610vsp.12 for ; Tue, 09 Apr 2019 05:09:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fcelda.cz; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/t7sImG1wJdXH8D/x2zDtzfAl5VzsKz7Xxb+oPCf2Bs=; b=WkZP6kWANz0FgJTQt4ozOg6NQODK5TekPlIWgRhWXETLwTiRqN5uHfo3sL1v6tA7Ar g9yMho8FpOp+a8xXubXj6nM8DEjSAKdtRdShf4giwV4TLtQeMe6KNNAzUDB0P6s6jitA xKgxwbENcrUISYL/tkrCy5+tpCaD+pAv6bWpQ= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/t7sImG1wJdXH8D/x2zDtzfAl5VzsKz7Xxb+oPCf2Bs=; b=I7V5EMyOGTmbsI7e1s5JxyFmZI++5ZiQdzkTzzi8ry9aeXNlsKlUr1dm7us7Grq7yE b+Vny3mTtqaRdKnE4yLF9RnBeelnmyS3OrOQz8q4jaLJfctgLiRJISW0M/IsVTgzu50U QnVyBsZtuYXznVDlLHMnFRN2CBdAlNsHZhBdMvAGaF2yVWkuZltpnLLlTS/K+PoJgU/F UvCFpK6QMq8AjPcukkaObAfR7rwn8/A8g5qTkK227RKxghS0mMYet4XuXFjAao960U7o 5pQRDSj5KqCYwU16yryZAEfunxGmETxMT2ZUxcCmzKvr1PtfFTHZ5PEDwwafSOMo8kgo uzBw== X-Gm-Message-State: APjAAAXMBvs0qXHfH+6qJnJL8meKy41KSnkUTaMHW6+2nXymZRJdD9dW nt1kZNkS/xeqQKPI1hl6LTI13XCLmAe5BPUI7ZjdZbChy8w= X-Google-Smtp-Source: APXvYqyvVM79kJ+wRgEMT9onmeRE70We7RbMYuavBXWbKL2k0/dvvrV3mcxOhm6LhnhjrhhFQASnONodvTzG5Mb4Yyg= X-Received: by 2002:a67:ec47:: with SMTP id z7mr17764567vso.142.1554811770689; Tue, 09 Apr 2019 05:09:30 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: =?UTF-8?B?SmFuIFbEjWVsw6Fr?= Date: Tue, 9 Apr 2019 14:09:18 +0200 Message-ID: To: Tony Finch Cc: dnsop@ietf.org Content-Type: text/plain; charset="UTF-8" Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 12:09:34 -0000 On Tue, Apr 2, 2019 at 5:54 PM Tony Finch wrote: > WRT loop detection, it is much easier if the additional section in the > response from the resolver contains the chain(s). The draft doesn't > specify that at the moment; maybe it should. I meant a situation where an authoritative server is doing the sibling address record substitution using an external resolver. Imagine the following ANAME loop: foo. ANAME bar. bar. ANAME foo. For simplification, expect the zones to live on different authoritative servers and also that the ANAME processing triggers with the first query. The resolution steps will look something like this: 1. Authoritative receives a query for foo. 2. Authoritative finds the ANAME and calls out to the resolver asking for bar. 3. Resolver sends a query for bar to the authoritative. 4. Authoritative finds the ANAME and calls out to the resolver asking for foo. 5. goto 1 The authoritative server acting as a stub resolver doesn't have full context of the resolution chain and therefore cannot break the loop. We would have to pass around additional context in the queries and I'm not sure if DNS firewalls would be happy to see messages with QR = 0 and ARCOUNT > 0. Jan From nobody Tue Apr 9 06:39:02 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8BF61207EE for ; Tue, 9 Apr 2019 06:39:00 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.301 X-Spam-Level: X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zKjdsXi9697p for ; Tue, 9 Apr 2019 06:38:58 -0700 (PDT) Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C30411207D3 for ; Tue, 9 Apr 2019 06:38:58 -0700 (PDT) Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x39DUVDd062979; Tue, 9 Apr 2019 13:38:52 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=yc4YI9xYrdz+qK3S4suA6sg+Jo9QIYy2Ku7NUtuvARs=; b=4tVHU64nX4GRjy9t16VGKB0rwpzMfoGhY4DNAH5q2v/MH0ta97utu4d1PXNMb/icshkH YLlsCSGPg55837/ayyyzvKFLFzNn+iOmV4R5lQuBeYBIvs/2NBSAocTVJ1QMpT/ene7W MptJ6dBVSubrfdf4FW/CjR2izHqFvloGGPs02XvO9RMjyFTWz5ELl9ev3eoTmDDi9zM3 R1zWl4JO50d2WAnEBBW9MmFEt+QcNgYumW87D/31/1CA5R11QhwepcanVii08Gs3F87O k4n4A5wdw+2PScuCRjZeQo7CEiuIz7B2PG3bEh6EcwSK15lI7Aw3+0t9B8bHhusAU4+A BA== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by aserp2130.oracle.com with ESMTP id 2rphmed6rk-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 09 Apr 2019 13:38:51 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x39Dbma5085391; Tue, 9 Apr 2019 13:38:51 GMT Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserp3030.oracle.com with ESMTP id 2rpj5ajd3f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 09 Apr 2019 13:38:51 +0000 Received: from abhmp0007.oracle.com (abhmp0007.oracle.com [141.146.116.13]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x39Dck2v026900; Tue, 9 Apr 2019 13:38:46 GMT Received: from [172.16.28.145] (/216.146.45.247) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 09 Apr 2019 06:38:46 -0700 To: =?UTF-8?B?SmFuIFbEjWVsw6Fr?= , Tony Finch Cc: dnsop@ietf.org References: From: Richard Gibson Message-ID: <3f43c4bb-4f71-1082-d569-8e1ab0222abe@oracle.com> Date: Tue, 9 Apr 2019 09:38:44 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9221 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904090087 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9221 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904090086 Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 13:39:01 -0000 This loop is one reason of several to eliminate inline resolution for ANAME if possible and minimize it otherwise, but is not quite as bad as it seems because all involved servers can—and should—avoid issuing queries that are redundant with an already-active request. But even if they don't, the early queries eventually time out and rate limiting eventually detects and caps the runaway load. In other words, this misconfiguration does not create any new vulnerabilities, and existing mechanisms are already sufficient to handle it (although the document should explicitly mention them to avoid subjecting new implementers to unnecessarily painful lessons). On 4/9/19 08:09, Jan Včelák wrote: > On Tue, Apr 2, 2019 at 5:54 PM Tony Finch wrote: >> WRT loop detection, it is much easier if the additional section in the >> response from the resolver contains the chain(s). The draft doesn't >> specify that at the moment; maybe it should. > I meant a situation where an authoritative server is doing the sibling > address record substitution using an external resolver. > > Imagine the following ANAME loop: > foo. ANAME bar. > bar. ANAME foo. > > For simplification, expect the zones to live on different > authoritative servers and also that the ANAME processing triggers with > the first query. > > The resolution steps will look something like this: > 1. Authoritative receives a query for foo. > 2. Authoritative finds the ANAME and calls out to the resolver asking for bar. > 3. Resolver sends a query for bar to the authoritative. > 4. Authoritative finds the ANAME and calls out to the resolver asking for foo. > 5. goto 1 > > The authoritative server acting as a stub resolver doesn't have full > context of the resolution chain and therefore cannot break the loop. > We would have to pass around additional context in the queries and I'm > not sure if DNS firewalls would be happy to see messages with QR = 0 > and ARCOUNT > 0. > > Jan > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_dnsop&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=-o8MJF7i0TzXAJRB0ncfTVfWKSyTG7nl_iTLU_A2B7c&m=4nTLZAsnHCwTJyrARtQ8uzJN8jmKg6JeQX9gDiHuHhc&s=O9ORRXkRs5TFBIKPXCdq6ck3K88lw-t7xDcNwI-ecMU&e= From nobody Tue Apr 9 08:15:49 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0898120773 for ; Tue, 9 Apr 2019 08:15:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.021 X-Spam-Level: X-Spam-Status: No, score=-6.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HgGGSVgVp2XO for ; Tue, 9 Apr 2019 08:15:45 -0700 (PDT) Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C57C612084B for ; Tue, 9 Apr 2019 08:15:41 -0700 (PDT) Received: from [IPv6:2001:1488:fffe:6:93fd:a34:ffc1:677f] (unknown [IPv6:2001:1488:fffe:6:93fd:a34:ffc1:677f]) by mail.nic.cz (Postfix) with ESMTPSA id 353F3635F5; Tue, 9 Apr 2019 17:15:39 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1554822939; bh=1vENyV1/MpkpycwccaMWhTfFyzk/Vu/bcVdicQziWi4=; h=To:From:Date; b=b2IMs/FGzSPgtnwYy8yKZJ5HQBe65oTguwJXvoxSml3RTOYBavUjnnS6XKw/22v7I jpgPsAEC8HqKdOo5qQ/3lOPyTF2/l7MaKhhoujhUgDVgs4HRE8A3nfwJ0Oc7hpd+Wi RxFTL2qgCxLvM1Pz2Dy4/iVG3FD3VpU4WAIvq08E= To: dnsop@ietf.org, Richard Gibson References: <3f43c4bb-4f71-1082-d569-8e1ab0222abe@oracle.com> From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= Openpgp: preference=signencrypt Autocrypt: addr=vladimir.cunat+ietf@nic.cz; prefer-encrypt=mutual; keydata= mQINBFgDknYBEADHEQwLBlfqbVCzq7qYcBFFTc1WCAFtqiKehOrsITnKusZw4nhYwlKQxcum gj01xJOhbfHBCBeGlDydYqemKg4IfY2nwSyPwZZYMJn7L7AGrCeytr4VMvDJ7o7qDZjjim4i fv+GUwdk3plXx6oMF4nctesI8aAOuLUHAn0PfrGfNhWoaglOKgdOI6DGjhI/aGkvy+jrI/+X sdMV+3f1RuEOfI+Yu4SXFjJyhAmqEOBRxxdHqKreIIpz3Lg38yWwiVGfwgQT+nFIz9BpHH3l Wg1uS8xM3ezceBmRYV8zT9PvbeZ57BlaTR6rLae5RYwV397PSLBqqLkB5H0TDRUFBnwBsUob LebYHmJCOydvyNv5AFkLmLZ7O4j2jFo1WPSMt3ThM6wRwqrnB4Gi+6onyrZfE1DnVZMqbxZ3 VXa+E4S5YwrfCLUErGEn+d40OtoRZmQXhRPVAsdjimMj9oFM9RoxSgUrDg6Ia3n0IrKFb++z HAFbqkR5g4qzXiOMEG621GYEex2sDEKz/PD4CVKlNI9eld4ToH592kAwzJmd+sAi+Rfos0NE zxuFd0ekAOeWoURo0zoYTSWPlMOmFMvcpH6LP3leJmY7x4z/b1ng/+7UnKonVALVPFbRbElO kIfAtLKcUEofwV1jr7DyYGPalJtiDJPomB041ZHCj2RxyXY/oQARAQABtDBWbGFkaW3DrXIg xIx1bsOhdCAod29yaykgPHZsYWRpbWlyLmN1bmF0QG5pYy5jej6JAlQEEwEIAD4CGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQS2AGRgtgqA54IGJEnnR98flXWjqgUCWg3w 3gAKCRDnR98flXWjqmD6D/96U4cDZBrHQ5LhqybocZr/N2IS5Wr2SLLB4k2F5/W/wbL05gq6 Ha9/2TMqXoxRkhug+EAHFHxylPR43yN9rz0pjBXHrra87FAPHMqq/qqrOEUdhkytEqa6WIho aoEkdhaMhUyctjVjL2WZ0+MWeRjqedLQX+VCrOVPcVbLreRRhA9N3KPgNwbp9zCg6hEPi4l2 zZKedHkTNjKIAwJ0xZoMwFa1Y+vL8Em8Or+IBZuGBMP/ZMtasPOIQaT/Gvsyx1DDorwsoCdX 6zaTZy5DOWP3FIrMzus/YDbzwAYxSpWk/jF44ySbnJzdjU67EfG3UrsK+RRGw8aJqs3/4qHK ZMZZnNL+4wJpEdnZyFic/MXcw6FBszQEwrIOaM1WEfwzn2ExUYk2pM5zaBwq76OgrmGMzMEi cfMDyqLodwEQqR70PvRbkrh+R02LphwQ9c5AFXcrLjKMmeQlbQVarTUsrELcTK6rElC1ojS7 M37j0XzFE+kgNWn2fyBRgtnGDWEa7r+oDaueXJnEf0/4Ww28IwxakNc7r0N41GIBekwSxKdk epKFZgtVGGSDlFei5hb5LLWFljA1OS7CRVJKpbHafQjdPdb1vNqZAj4y2SJXvVVpI1KO5kq+ dFdYipORv0N2Iho6MNYbQUT1EBeU46G5N0viCoLS15/PxLhIAo+PzKpW97kCDQRYA5J2ARAA yHww3huLEtsdyqgjiGMhtEKOLmp7yFl450HY9oPcHS02U5BC1370ssNShrdOCi2ACDbe41Zx x85WcuaO1OVqung2umX047mj2xQsiTAFRDLZsQu8cQFoEy/DBL2bk7ThfK1Lh+NyZAs0UaPp DkGodS0De9osA+4T6Nf4POYaeavbYVFSdDKS4lUboBqApKnD/TzKFxFcpuFx6FN92lteTbOo jGMiLoZvELY86Kn9KuFZ8FM2ZSNHx1Z75KouufGrdkeCoZYVYiuzT+fnt2it4dIpIlnF+yxM t5LB/MSrmECB5CAFJtxzuMccm6yDUZQSWWi9vUgxIJwvt5w0CIBT353DGeP4WnH0r5YoBKoR bh7i4fT0lWvMXTG/V2lqyzBdClMebyHffMgba26Kj6oeDygDfC5aGsVaqw1Ue/qQ5QRqTJcJ V7xVLTtS1EamVqkfKwPS0zTfnrF1jQtnO/P4qkfgBRRG9BXGGrykHpXOyqmX6Z0wbV2P4j+p 02oSecDl5yVXplJfsXfbS/xXnaSkaN/7mCU29ul26cAVNxDkDPunztSFi9K9LM2T/XWYJQGX M71OpmONQJGF24lx7Wp/kobnHtbjGDzjDPC4eSL7MA56qtrWaLM+4ePKANct2q0q6c0uSLs0 Q2zochS64Mcg0YzL1sinWPN1rXLDk3lwpIsAEQEAAYkCJQQYAQgADwUCWAOSdgIbDAUJCWYB gAAKCRDnR98flXWjqn4yEACA0f1XBAg+WMaNPtIt0k15yFPfhdbOg9GhDcYGgvFIOxRuaFWw 9SLUt7OGuUnIpKxKRXtQJss98fHkijo70ONYWPuLhfRGK/wg9Ao6MuFw5G8m431CBS/awrie b6iPjvAARXJCPTTBZk/NC988jiKdCh8PbTCHDsl+gSDytP15QUrdqSfS2Wf4653ej7+jtuTj xZzmGgvNSi6JDlb9KNtmBQKQAgpnOQM46ItESmzHDnmdcvhPLUDsjwkpIJ6clasOzaObwxJi ba7iFPcGwcClCSwYjMNXFtneCGUnEAa5RBIx+i+LV1iqB3VRvTC6tMIUueoQ7cdTy6afNkhw QYXm4/pDmNT8UMdnzwnlTpFQ0CegDQRDWc+dIDDBHGEEEYBh2vTOE04KrmYUp1bQsNegPfvL woHib0jEvohPMJ2fJtZAd1SJElgwPbM8H7emKBiTsHwF8gL7G2jo7AoGpqYjqXkCRS0tSLTN r+qHh+7Ltrkbu/ZVTTfh4Q/qw3VaLYQh4C0tBma/YevQy1O2c3TZXXFz1QF8b9/Hj/3sq2Kg T1AcZ51E+xG+cb6cUqgkihmgm39xx24GPlNAdCRuq01+iILol+Wox6OwF6hmqx1EMSmxcmGo UREr0rkMnFVsWeAYeVoE4q689qxCPu9iCMJMJnkRe1o9oQYSN7my+S98gA== Message-ID: <0edd5615-e356-5698-6cbd-0e5451f3b96e@nic.cz> Date: Tue, 9 Apr 2019 17:15:39 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.0 MIME-Version: 1.0 In-Reply-To: <3f43c4bb-4f71-1082-d569-8e1ab0222abe@oracle.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US X-Virus-Scanned: clamav-milter 0.99.2 at mail X-Virus-Status: Clean Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 15:15:49 -0000 On 4/9/19 3:38 PM, Richard Gibson wrote: > This loop is one reason of several to eliminate inline resolution for > ANAME if possible and minimize it otherwise, but is not quite as bad > as it seems because all involved servers can—and should—avoid issuing > queries that are redundant with an already-active request. But even if > they don't, the early queries eventually time out and rate limiting > eventually detects and caps the runaway load. > > In other words, this misconfiguration does not create any new > vulnerabilities, and existing mechanisms are already sufficient to > handle it (although the document should explicitly mention them to > avoid subjecting new implementers to unnecessarily painful lessons). I can't even see a simple way of detecting this.  At least in the implementation suggested by Jan where you have an authoritative that calls out to a resolver (which calls out to authoritatives...) - it would need some magic that somehow links one query of the cycle to the other but regular DNS queries do not currently carry such information AFAIK.  Am I missing some obvious approach? --Vladimir (Knot Resolver) From nobody Tue Apr 9 09:45:05 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A8D61201AE for ; Tue, 9 Apr 2019 09:45:03 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.302 X-Spam-Level: X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fw7rivge0PRb for ; Tue, 9 Apr 2019 09:45:00 -0700 (PDT) Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FA27120311 for ; Tue, 9 Apr 2019 09:45:00 -0700 (PDT) Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x39GdHWs048853; Tue, 9 Apr 2019 16:44:58 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=xhnjCJXqZ85j8OKg4yvMfSO4wnhGDfEmWhclEmCfetY=; b=MrdDY3IsJFgpkAxzIQFXgVidIHLfcJ7HP1CxUsvToDW7Cr8sC/up8//gXIvWirC6Vrp7 jiOj4N9HoZG7Mj3R+uVHnCOx54r3yppfoKwxfAx+DIAwE0kwWXLqvlnuZjX5Gvs/i6bi yfaZMv56lgs+Cnu4kaG45F5y/ZOtIn3E2/iFLsVEOiFZ2NVvV430ugO3m4RuAGSi4qVu 1i8y+xjpl2FQlYXV624Ie2BBlwsLynjdD3pZt4Z7Nio5xgUvzjrreQ2uoKXYCc5H1dvN bkWVETg4iOD+cHU/3VJTrO2173YDTbyynhCZGd0mz2+/SR24D7QUHqhjouqNsgqfPMuc DQ== Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by userp2130.oracle.com with ESMTP id 2rpkhsxb7y-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 09 Apr 2019 16:44:58 +0000 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x39GiU6H054640; Tue, 9 Apr 2019 16:44:57 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userp3030.oracle.com with ESMTP id 2rph7spjth-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 09 Apr 2019 16:44:57 +0000 Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x39Giubx028184; Tue, 9 Apr 2019 16:44:56 GMT Received: from [172.16.28.145] (/216.146.45.247) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 09 Apr 2019 09:44:56 -0700 To: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= , dnsop@ietf.org References: <3f43c4bb-4f71-1082-d569-8e1ab0222abe@oracle.com> <0edd5615-e356-5698-6cbd-0e5451f3b96e@nic.cz> From: Richard Gibson Message-ID: Date: Tue, 9 Apr 2019 12:44:55 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: <0edd5615-e356-5698-6cbd-0e5451f3b96e@nic.cz> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9222 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904090106 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9222 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904090106 Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 16:45:03 -0000 If an implementation has a resolver, then that component is the logical place for deduplication (e.g., the second inbound query for a given ANAME target does not result in a second outbound query, but rather waits on completion of the first). On 4/9/19 11:15, Vladimír Čunát wrote: > On 4/9/19 3:38 PM, Richard Gibson wrote: >> This loop is one reason of several to eliminate inline resolution for >> ANAME if possible and minimize it otherwise, but is not quite as bad >> as it seems because all involved servers can—and should—avoid issuing >> queries that are redundant with an already-active request. But even if >> they don't, the early queries eventually time out and rate limiting >> eventually detects and caps the runaway load. >> >> In other words, this misconfiguration does not create any new >> vulnerabilities, and existing mechanisms are already sufficient to >> handle it (although the document should explicitly mention them to >> avoid subjecting new implementers to unnecessarily painful lessons). > I can't even see a simple way of detecting this.  At least in the > implementation suggested by Jan where you have an authoritative that > calls out to a resolver (which calls out to authoritatives...) - it > would need some magic that somehow links one query of the cycle to the > other but regular DNS queries do not currently carry such information > AFAIK.  Am I missing some obvious approach? > > --Vladimir (Knot Resolver) > From nobody Tue Apr 9 09:50:57 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10BF012087E for ; Tue, 9 Apr 2019 09:50:56 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.199 X-Spam-Level: X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KRZiROo7FFbo for ; Tue, 9 Apr 2019 09:50:53 -0700 (PDT) Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EB111208D7 for ; Tue, 9 Apr 2019 09:50:41 -0700 (PDT) X-Cam-AntiVirus: no malware found X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus Received: from grey.csi.cam.ac.uk ([131.111.57.57]:33992) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1hDtxH-000snO-1j (Exim 4.91) (return-path ); Tue, 09 Apr 2019 17:50:39 +0100 Date: Tue, 9 Apr 2019 17:50:39 +0100 From: Tony Finch To: =?UTF-8?Q?Vladim=C3=ADr_=C4=8Cun=C3=A1t?= cc: dnsop@ietf.org, Richard Gibson In-Reply-To: <0edd5615-e356-5698-6cbd-0e5451f3b96e@nic.cz> Message-ID: References: <3f43c4bb-4f71-1082-d569-8e1ab0222abe@oracle.com> <0edd5615-e356-5698-6cbd-0e5451f3b96e@nic.cz> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: multipart/mixed; BOUNDARY="1870870841-652712782-1554828639=:13313" Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 16:50:56 -0000 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. --1870870841-652712782-1554828639=:13313 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: QUOTED-PRINTABLE Vladim=C3=ADr =C4=8Cun=C3=A1t wrote: > > I can't even see a simple way of detecting this.=C2=A0 At least in the > implementation suggested by Jan where you have an authoritative that > calls out to a resolver (which calls out to authoritatives...) You could prevent the loop from leading to a circular dependency, rather than detecting the loop, e.g. if the auth always answers from zone or cache which are updated asynchronously. Maybe the auth's resolver could chase the chain by making ANAME queries; when the auth replies it can reply from zone data and skip filling in the additional section if it doesn't have fresh address records. The auth can be more eager to make recursive queries when it gets A or AAAA queries. Tony. --=20 f.anthony.n.finch http://dotat.at/ promote human rights and open government --1870870841-652712782-1554828639=:13313-- From nobody Tue Apr 9 10:56:44 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD25F12089D for ; Tue, 9 Apr 2019 10:56:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.302 X-Spam-Level: X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ckd7SXK-WOPe for ; Tue, 9 Apr 2019 10:56:41 -0700 (PDT) Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEC561203A6 for ; Tue, 9 Apr 2019 10:56:40 -0700 (PDT) Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x39HrU2g121933 for ; Tue, 9 Apr 2019 17:56:39 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=to : from : subject : message-id : date : mime-version : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=t8QF7kI+/2N/gxKwysH4JVyMMCTgmtyT/TnPpxA5qnQ=; b=YugRy8BJzysnUJMJU9FzneVINiKX8Kv32Rr95zk8dyiI91pKTN54iQmmn9vWvpCsNBm3 fNH5LoyYrAKZe01JqIBii4V0mTqYH+FhionYsa7ZdPTRXHUrK4D67VVQQoUOSsLDVX7/ KwrBFM6Jh2W4wsDOgtwq7TeAzU6YFT34/GlnimopxjdoQc33JQfzCaL91QSF5RdxMc5+ SGypD9Yc0n+PfqLtOZpU4whUFQoebvHE5idp/XSrCrxdTuWuhRF13nsKdBWqXmSQMJKZ XwQFsoDUtIEhBqrrcIUrE9jwdkjU8X5BbMmGQZtORALTZuKmLSbryCVylVKUh/jvB/qJ BQ== Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by userp2120.oracle.com with ESMTP id 2rpmrq6jyg-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 09 Apr 2019 17:56:39 +0000 Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x39HtqqM175351 for ; Tue, 9 Apr 2019 17:56:39 GMT Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userp3020.oracle.com with ESMTP id 2rpkeje1wu-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 09 Apr 2019 17:56:39 +0000 Received: from abhmp0013.oracle.com (abhmp0013.oracle.com [141.146.116.19]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x39HucJb008442 for ; Tue, 9 Apr 2019 17:56:38 GMT Received: from [172.19.128.66] (/216.146.45.33) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 09 Apr 2019 10:56:37 -0700 To: dnsop From: Richard Gibson Message-ID: Date: Tue, 9 Apr 2019 13:56:29 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9222 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=1 spamscore=0 mlxscore=0 mlxlogscore=589 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904090113 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9222 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=602 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904090113 Archived-At: Subject: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 17:56:43 -0000 Copied from https://github.com/each/draft-aname/issues/54 per Tony Finch. The current draft specifies > We treat missing address records (i.e. NXDOMAIN or NODATA) the same > successfully resolving as a set of zero address records, and distinct > from "failure" which covers error responses such as SERVFAIL or REFUSED. This is both undesirable for customers of DNS service providers (whose active sites will occasionally be inaccessible to some clients for $SOA_MINIMUM seconds), and operationally cumbersome because resolvers are not in a good position to synthesize the necessary SOA records for NXDOMAIN responses (e.g., example.com. ANAME example.invalid. alongside example.com. A 192.0.2.1). Tony suggested that this was to be "as much like CNAME as possible", but I disagree because unlike CNAME, ANAME can have sibling records which are therefore available for use. From nobody Tue Apr 9 13:04:43 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1DC21200A2 for ; Tue, 9 Apr 2019 13:04:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8SIWvKl01dOS for ; Tue, 9 Apr 2019 13:04:39 -0700 (PDT) Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F1C0120325 for ; Tue, 9 Apr 2019 13:04:38 -0700 (PDT) Received: by mail-lj1-x234.google.com with SMTP id v22so15632018lje.9 for ; Tue, 09 Apr 2019 13:04:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6tuAUig5I665aN0xg+yWbQxZvEF7q0pWnww76yJNNko=; b=YivhBu1VaoBlyToHwdTIZEmQi4rmQuqG7J1BwY1p5Fvc9AVhpXNrpg1p5Ho+yClk+h 3b25xLBR0P09wI0YCeDpjfmFHBPdjhNEeD/lsd/m4ca6maFZwT9N+oIq+EdhVJOunPbX SU3b8j1v9vTOxKU8ScWXMX+iwA4/YAjVQVLgE/f+20bWZjTCHl06Y9Xpnh860/hiKpKs PmcYO4HnGDKFaYaL3g1rTKoKYlZWe0Uu/eI9UGX+ZRo5deEMW3AtrvWuqXpTGxTDLE9B SABd3zscytg0+BPlbRI3UJC277KcQBvLqMEH70PU7y3e67RT4sZ2RbXwK7rpHi9e7Tpu mj1A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6tuAUig5I665aN0xg+yWbQxZvEF7q0pWnww76yJNNko=; b=P9dfHa1ZyN4HdRmj4J/sse3g0y/+g0tP8eY19eHWvAQEjecc0xFnzC+xmcYPOm0KxK TPx93RbgubLIUH/1mCqi3z4M1UFBBjBdIr8rPI6lpCDmb7OEysDFAt0wS/oB8141h4ft p1/8N0ZCNuoAdwXrKYza4APvkGOJmFatYT9EdB79T/ngOtNq75u+M+4wzywFfylweoSM hkKi9HKsa8E+bTm6rN9u+nZsInpYBKX8iF1iSycZdoPzFYgA+pw0BHUnCndWiImzlArq uLC4sRMrQR7TS8ufMQ407y2BfjvsgAZZIkAdjbYJ9cQWyfRuYTTA18oNlmY1PkLZDS9H p/CA== X-Gm-Message-State: APjAAAU+92AtkXRPE7n3LL0lf2GfZj4oajfnqNxMLC81WkoR71BQUP1c y+NZQcMxPR8xOdfaLN8qfdGzxBpnTXF6CLuMCyNVlQ== X-Google-Smtp-Source: APXvYqyfvQhgXt0zvQs9JlFpOznxOZg4gB20QAbthHA5p+ap9BDaoueh3gSCQPmellJSbBiKpV1CRajw+OkVP2TFEHM= X-Received: by 2002:a2e:950:: with SMTP id 77mr15553950ljj.113.1554840277076; Tue, 09 Apr 2019 13:04:37 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Bob Harold Date: Tue, 9 Apr 2019 16:04:25 -0400 Message-ID: To: Richard Gibson Cc: dnsop Content-Type: multipart/alternative; boundary="00000000000065e47405861e7688" Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 09 Apr 2019 20:04:42 -0000 --00000000000065e47405861e7688 Content-Type: text/plain; charset="UTF-8" On Tue, Apr 9, 2019 at 1:56 PM Richard Gibson wrote: > Copied from https://github.com/each/draft-aname/issues/54 per Tony Finch. > > The current draft specifies > > > We treat missing address records (i.e. NXDOMAIN or NODATA) the same > > successfully resolving as a set of zero address records, and distinct > > from "failure" which covers error responses such as SERVFAIL or REFUSED. > > This is both undesirable for customers of DNS service providers (whose > active sites will occasionally be inaccessible to some clients for > $SOA_MINIMUM seconds), and operationally cumbersome because resolvers > are not in a good position to synthesize the necessary SOA records for > NXDOMAIN responses (e.g., example.com. ANAME example.invalid. alongside > example.com. A 192.0.2.1). Tony suggested that this was to be "as much > like CNAME as possible", but I disagree because unlike CNAME, ANAME can > have sibling records which are therefore available for use. > If it gets an authoritative answer saying that there are no address records, then it should respect that answer. If that is incorrect, then whatever gave that answer is broken or misconfigured and should be fixed. Perhaps I am missing something. In what cases can you imagine getting a response with no errors and no records? Perhaps a load balancer that has probed all the servers and determined that none are working? If you want a fall-back, it should be configured in the load balancer in that case. -- Bob Harold --00000000000065e47405861e7688 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

On Tue, Apr 9, 2019 at 1:56 PM Richard Gi= bson <richard.j.gibson@or= acle.com> wrote:
Copied from https://github.com/each/draft-aname= /issues/54 per Tony Finch.

The current draft specifies

> We treat missing address records (i.e. NXDOMAIN or NODATA) the same > successfully resolving as a set of zero address records, and distinct =
> from "failure" which covers error responses such as SERVFAIL= or REFUSED.

This is both undesirable for customers of DNS service providers (whose
active sites will occasionally be inaccessible to some clients for
$SOA_MINIMUM seconds), and operationally cumbersome because resolvers
are not in a good position to synthesize the necessary SOA records for
NXDOMAIN responses (e.g., example.com. ANAME example.invalid. alongside
example= .com. A 192.0.2.1). Tony suggested that this was to be "as much like CNAME as possible", but I disagree because unlike CNAME, ANAME ca= n
have sibling records which are therefore available for use.

If it gets an authoritative answer saying that there a= re no address records, then it should respect that answer.=C2=A0 If that is= incorrect, then whatever gave that answer is broken or misconfigured and s= hould be fixed.=C2=A0=C2=A0

Perhaps I am missing s= omething.=C2=A0 In what cases can you imagine getting a response with no er= rors and no records?=C2=A0=C2=A0

Perhaps a load ba= lancer that has probed all the servers and determined that none are working= ?=C2=A0 If you want a fall-back, it should be configured in the load balanc= er in that case.

--=C2=A0
Bob Harold

--00000000000065e47405861e7688-- From nobody Wed Apr 10 08:13:56 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEA9B1203E3 for ; Wed, 10 Apr 2019 08:13:54 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.021 X-Spam-Level: X-Spam-Status: No, score=-6.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_HI=-5] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hk5HAcw84oBA for ; Wed, 10 Apr 2019 08:13:52 -0700 (PDT) Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E61A81203DB for ; Wed, 10 Apr 2019 08:13:50 -0700 (PDT) Received: from [IPv6:2001:1488:fffe:6:bfe7:e41a:8e5f:81be] (unknown [IPv6:2001:1488:fffe:6:bfe7:e41a:8e5f:81be]) by mail.nic.cz (Postfix) with ESMTPSA id ED3336055B; Wed, 10 Apr 2019 17:13:48 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1554909229; bh=rx89rEFMHwekUctfKGOQBgmNm+w7n6rwCjpg1R9Zy40=; h=To:From:Date; b=D5oyZZ+U5/g91fkd0+8WY3CI5r7RQYOWRczSe45KZGmKBWRyNR00tfdBLYKQYKk8D Xiv06b5bXbgx/TeZ7unsLt+s4++3kWgUC2bZ7whxH0g8RHI9ZtgwD+C/gnerx7T2Bu OWU3r2IhSliKKxEeR4piR2CTtfbrmuy0nrQZ7naw= To: Richard Gibson References: <3f43c4bb-4f71-1082-d569-8e1ab0222abe@oracle.com> <0edd5615-e356-5698-6cbd-0e5451f3b96e@nic.cz> Cc: dnsop@ietf.org From: =?UTF-8?B?VmxhZGltw61yIMSMdW7DoXQ=?= Openpgp: preference=signencrypt Autocrypt: addr=vladimir.cunat+ietf@nic.cz; prefer-encrypt=mutual; keydata= mQINBFgDknYBEADHEQwLBlfqbVCzq7qYcBFFTc1WCAFtqiKehOrsITnKusZw4nhYwlKQxcum gj01xJOhbfHBCBeGlDydYqemKg4IfY2nwSyPwZZYMJn7L7AGrCeytr4VMvDJ7o7qDZjjim4i fv+GUwdk3plXx6oMF4nctesI8aAOuLUHAn0PfrGfNhWoaglOKgdOI6DGjhI/aGkvy+jrI/+X sdMV+3f1RuEOfI+Yu4SXFjJyhAmqEOBRxxdHqKreIIpz3Lg38yWwiVGfwgQT+nFIz9BpHH3l Wg1uS8xM3ezceBmRYV8zT9PvbeZ57BlaTR6rLae5RYwV397PSLBqqLkB5H0TDRUFBnwBsUob LebYHmJCOydvyNv5AFkLmLZ7O4j2jFo1WPSMt3ThM6wRwqrnB4Gi+6onyrZfE1DnVZMqbxZ3 VXa+E4S5YwrfCLUErGEn+d40OtoRZmQXhRPVAsdjimMj9oFM9RoxSgUrDg6Ia3n0IrKFb++z HAFbqkR5g4qzXiOMEG621GYEex2sDEKz/PD4CVKlNI9eld4ToH592kAwzJmd+sAi+Rfos0NE zxuFd0ekAOeWoURo0zoYTSWPlMOmFMvcpH6LP3leJmY7x4z/b1ng/+7UnKonVALVPFbRbElO kIfAtLKcUEofwV1jr7DyYGPalJtiDJPomB041ZHCj2RxyXY/oQARAQABtDBWbGFkaW3DrXIg xIx1bsOhdCAod29yaykgPHZsYWRpbWlyLmN1bmF0QG5pYy5jej6JAlQEEwEIAD4CGyMFCQlm AYAFCwkIBwIGFQgJCgsCBBYCAwECHgECF4AWIQS2AGRgtgqA54IGJEnnR98flXWjqgUCWg3w 3gAKCRDnR98flXWjqmD6D/96U4cDZBrHQ5LhqybocZr/N2IS5Wr2SLLB4k2F5/W/wbL05gq6 Ha9/2TMqXoxRkhug+EAHFHxylPR43yN9rz0pjBXHrra87FAPHMqq/qqrOEUdhkytEqa6WIho aoEkdhaMhUyctjVjL2WZ0+MWeRjqedLQX+VCrOVPcVbLreRRhA9N3KPgNwbp9zCg6hEPi4l2 zZKedHkTNjKIAwJ0xZoMwFa1Y+vL8Em8Or+IBZuGBMP/ZMtasPOIQaT/Gvsyx1DDorwsoCdX 6zaTZy5DOWP3FIrMzus/YDbzwAYxSpWk/jF44ySbnJzdjU67EfG3UrsK+RRGw8aJqs3/4qHK ZMZZnNL+4wJpEdnZyFic/MXcw6FBszQEwrIOaM1WEfwzn2ExUYk2pM5zaBwq76OgrmGMzMEi cfMDyqLodwEQqR70PvRbkrh+R02LphwQ9c5AFXcrLjKMmeQlbQVarTUsrELcTK6rElC1ojS7 M37j0XzFE+kgNWn2fyBRgtnGDWEa7r+oDaueXJnEf0/4Ww28IwxakNc7r0N41GIBekwSxKdk epKFZgtVGGSDlFei5hb5LLWFljA1OS7CRVJKpbHafQjdPdb1vNqZAj4y2SJXvVVpI1KO5kq+ dFdYipORv0N2Iho6MNYbQUT1EBeU46G5N0viCoLS15/PxLhIAo+PzKpW97kCDQRYA5J2ARAA yHww3huLEtsdyqgjiGMhtEKOLmp7yFl450HY9oPcHS02U5BC1370ssNShrdOCi2ACDbe41Zx x85WcuaO1OVqung2umX047mj2xQsiTAFRDLZsQu8cQFoEy/DBL2bk7ThfK1Lh+NyZAs0UaPp DkGodS0De9osA+4T6Nf4POYaeavbYVFSdDKS4lUboBqApKnD/TzKFxFcpuFx6FN92lteTbOo jGMiLoZvELY86Kn9KuFZ8FM2ZSNHx1Z75KouufGrdkeCoZYVYiuzT+fnt2it4dIpIlnF+yxM t5LB/MSrmECB5CAFJtxzuMccm6yDUZQSWWi9vUgxIJwvt5w0CIBT353DGeP4WnH0r5YoBKoR bh7i4fT0lWvMXTG/V2lqyzBdClMebyHffMgba26Kj6oeDygDfC5aGsVaqw1Ue/qQ5QRqTJcJ V7xVLTtS1EamVqkfKwPS0zTfnrF1jQtnO/P4qkfgBRRG9BXGGrykHpXOyqmX6Z0wbV2P4j+p 02oSecDl5yVXplJfsXfbS/xXnaSkaN/7mCU29ul26cAVNxDkDPunztSFi9K9LM2T/XWYJQGX M71OpmONQJGF24lx7Wp/kobnHtbjGDzjDPC4eSL7MA56qtrWaLM+4ePKANct2q0q6c0uSLs0 Q2zochS64Mcg0YzL1sinWPN1rXLDk3lwpIsAEQEAAYkCJQQYAQgADwUCWAOSdgIbDAUJCWYB gAAKCRDnR98flXWjqn4yEACA0f1XBAg+WMaNPtIt0k15yFPfhdbOg9GhDcYGgvFIOxRuaFWw 9SLUt7OGuUnIpKxKRXtQJss98fHkijo70ONYWPuLhfRGK/wg9Ao6MuFw5G8m431CBS/awrie b6iPjvAARXJCPTTBZk/NC988jiKdCh8PbTCHDsl+gSDytP15QUrdqSfS2Wf4653ej7+jtuTj xZzmGgvNSi6JDlb9KNtmBQKQAgpnOQM46ItESmzHDnmdcvhPLUDsjwkpIJ6clasOzaObwxJi ba7iFPcGwcClCSwYjMNXFtneCGUnEAa5RBIx+i+LV1iqB3VRvTC6tMIUueoQ7cdTy6afNkhw QYXm4/pDmNT8UMdnzwnlTpFQ0CegDQRDWc+dIDDBHGEEEYBh2vTOE04KrmYUp1bQsNegPfvL woHib0jEvohPMJ2fJtZAd1SJElgwPbM8H7emKBiTsHwF8gL7G2jo7AoGpqYjqXkCRS0tSLTN r+qHh+7Ltrkbu/ZVTTfh4Q/qw3VaLYQh4C0tBma/YevQy1O2c3TZXXFz1QF8b9/Hj/3sq2Kg T1AcZ51E+xG+cb6cUqgkihmgm39xx24GPlNAdCRuq01+iILol+Wox6OwF6hmqx1EMSmxcmGo UREr0rkMnFVsWeAYeVoE4q689qxCPu9iCMJMJnkRe1o9oQYSN7my+S98gA== Message-ID: <66a596ff-8952-0a3f-f69b-eaa06a647a9e@nic.cz> Date: Wed, 10 Apr 2019 17:13:48 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Content-Language: en-US X-Virus-Scanned: clamav-milter 0.99.2 at mail X-Virus-Status: Clean Archived-At: Subject: Re: [DNSOP] ANAME discussion X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Apr 2019 15:13:55 -0000 On 4/9/19 6:44 PM, Richard Gibson wrote: > If an implementation has a resolver, then that component is the > logical place for deduplication (e.g., the second inbound query for a > given ANAME target does not result in a second outbound query, but > rather waits on completion of the first). Oh, right, that will simply solve the worst parts (not caching though).  With many resolver instances I imagine it would be a bit more difficult to do efficiently, but it might be too soon to worry about such details. From nobody Wed Apr 10 08:30:07 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 80561120304; Wed, 10 Apr 2019 08:30:05 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit From: Roman Danyliw via Datatracker To: "The IESG" Cc: draft-ietf-dnsop-algorithm-update@ietf.org, Tim Wicinski , dnsop-chairs@ietf.org, tjw.ietf@gmail.com, dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.95.0 Auto-Submitted: auto-generated Precedence: bulk Reply-To: Roman Danyliw Message-ID: <155491020552.9385.6655700279959491253.idtracker@ietfa.amsl.com> Date: Wed, 10 Apr 2019 08:30:05 -0700 Archived-At: Subject: [DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-algorithm-update-08: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Apr 2019 15:30:05 -0000 Roman Danyliw has entered the following ballot position for draft-ietf-dnsop-algorithm-update-08: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- (1) Abstract. Nit. There is a reference, [RFC6944], in the abstract which isn’t permitted. (2) Section 1.2, Per “This document only provides recommendations with respect to mandatory-to-implement algorithms or algorithms so weak that recommendation cannot be recommended” ** Editorial: s/algorithms so weak that recommendation cannot be recommended/ algorithms so weak that they cannot be recommended/ ** The first part of the sentence doesn’t appear to be consistent with the RFC2119 words in the Section 3.1 Table which also includes RECOMMENDED/MAY (which is neither MTI or NOT RECOMMENDED) (3) Section 1.3, Typo, s/from from/from/ (4) Section 3.1, Typo, s/cryptographics/cryptographic/ (5) Section 3.1, ED448 appears to be the only algorithm that doesn’t have treatment in even briefly describing its designated implementation recommendation. (6) Section 3.1, The sentence “It is expected that ED25519 will become the future RECOMMENDED default algorithm …” is clear on the future. However, looking back at the table in this section, it wasn’t clear what the current default algorithm is. (7) Section 3.2, The sentence “Operation recommendation for new and existing deployments.” Seems to stand alone or is missing some words. Should it be something along the lines of “This section provides operational recommendations …” (8) Section 3.2, Typo, s/is RECOMMENDED/is the RECOMMENDED/ (9) Section 3.4, Editorial, s/The SHA-256/SHA-256/ (10) Section 4, Typo, s/seciton/section/ (11) Section 5, Editorial, s/for the use of DNSSEC/for use in DNSSEC/ From nobody Wed Apr 10 09:49:28 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 897D31203E2; Wed, 10 Apr 2019 09:49:26 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.95.0 Auto-Submitted: auto-generated Precedence: bulk Reply-To: dnsop@ietf.org Message-ID: <155491496649.8970.3815542586751614886@ietfa.amsl.com> Date: Wed, 10 Apr 2019 09:49:26 -0700 Archived-At: Subject: [DNSOP] I-D Action: draft-ietf-dnsop-algorithm-update-09.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Apr 2019 16:49:27 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF. Title : Algorithm Implementation Requirements and Usage Guidance for DNSSEC Authors : Paul Wouters Ondrej Sury Filename : draft-ietf-dnsop-algorithm-update-09.txt Pages : 11 Date : 2019-04-10 Abstract: The DNSSEC protocol makes use of various cryptographic algorithms in order to provide authentication of DNS data and proof of non- existence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document defines the current algorithm implementation requirements and usage guidance for DNSSEC. This document obsoletes RFC6944. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-09 https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-algorithm-update-09 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-09 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Wed Apr 10 09:49:48 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0467C1205F5 for ; Wed, 10 Apr 2019 09:49:32 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.899 X-Spam-Level: X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 67KgX8_VqhWL for ; Wed, 10 Apr 2019 09:49:29 -0700 (PDT) Received: from mail-lj1-f169.google.com (mail-lj1-f169.google.com [209.85.208.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7174012030F for ; Wed, 10 Apr 2019 09:49:26 -0700 (PDT) Received: by mail-lj1-f169.google.com with SMTP id v13so2787440ljk.4 for ; Wed, 10 Apr 2019 09:49:26 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UMSCBTbR4wi7d8JsOvwKpx6XN0NGmZIJklpp6fCz1ys=; b=GWkU7mnbA/niKcnSshPl6l58syVWLNC6Y/G7d4twhrpAvXKp/JzgSBzfHqH4sX1D/u 6ZfzXi4ZcstDW7mzrKCjte7MOBtlBJ37YSStWMULsd+g+9kRbV5dl5D7Oq07OBIpQCqP XCM+4cvTEZOtDZPc0cj784NyslzZwnwHPmoqzaHAn+Et25cfaW0GXwWVbCbsCyjwkcb1 q+IXgSClgFCi6El9bVyO2hFB3dr7R5X8BwANCh6SM+qxSdimIwJv48Arn6u56zFiGFTm goOgba7GglTaD3Nr//NMZlaiCV4ZhApU/Ig8Lcu9eERmEH+LmxQ7gfJeyv03A8Yy+ZMa bQDA== X-Gm-Message-State: APjAAAVy3ctA6O8lIwAhnAk/E27hkXK93Mt8psbhKTceAjXI0woeYMmL 6JPKFXHEGbosbx+SURs0Ha+KkMl0GcRrHITAHqa4uQ== X-Google-Smtp-Source: APXvYqwGoRvdn9mBXFcSBnLzZx/K/QuNvizeXozlZXNRjvkjS7xW/Sxy4Ni9Vnxvok5PKAbLW4vKQl5UuYFRcp4x9Gk= X-Received: by 2002:a2e:9649:: with SMTP id z9mr6937534ljh.92.1554914964598; Wed, 10 Apr 2019 09:49:24 -0700 (PDT) MIME-Version: 1.0 References: <155491020552.9385.6655700279959491253.idtracker@ietfa.amsl.com> In-Reply-To: <155491020552.9385.6655700279959491253.idtracker@ietfa.amsl.com> From: Paul Wouters Date: Wed, 10 Apr 2019 18:49:12 +0200 Message-ID: To: Roman Danyliw Cc: The IESG , draft-ietf-dnsop-algorithm-update@ietf.org, Tim Wicinski , dnsop-chairs@ietf.org, dnsop@ietf.org Content-Type: multipart/alternative; boundary="0000000000001f0cee05862fdad3" Archived-At: Subject: Re: [DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-algorithm-update-08: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Apr 2019 16:49:37 -0000 --0000000000001f0cee05862fdad3 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Thanks for the review! On Wed, Apr 10, 2019 at 5:30 PM Roman Danyliw via Datatracker < noreply@ietf.org> wrote: > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > (1) Abstract. Nit. There is a reference, [RFC6944], in the abstract whi= ch > isn=E2=80=99t permitted. > Hmm, it is really just giving a clickable reference to the document we are obsoleting. It's kind of nice to have there. But I guess you are right that it is not allowed, so I've made the text without a reference. > > (2) Section 1.2, Per =E2=80=9CThis document only provides recommendations= with > respect > to mandatory-to-implement algorithms or algorithms so weak that > recommendation > cannot be recommended=E2=80=9D > > ** Editorial: > s/algorithms so weak that recommendation cannot be recommended/ > algorithms so weak that they cannot be recommended/ > Was fixed in -08 ** The first part of the sentence doesn=E2=80=99t appear to be consistent w= ith the > RFC2119 words in the Section 3.1 Table which also includes RECOMMENDED/MA= Y > (which is neither MTI or NOT RECOMMENDED) > It is recommended in lower case, not in 2119 meaning? (3) Section 1.3, Typo, s/from from/from/ > > (4) Section 3.1, Typo, s/cryptographics/cryptographic/ > Were already fixed. > (5) Section 3.1, ED448 appears to be the only algorithm that doesn=E2=80= =99t have > treatment in even briefly describing its designated implementation > recommendation. > It does get mentioned in the beginning of the paragraph. But there isn't much to say really. It's there but just slightly stronger than 25519, so not really worth the effort. I think it is okay to leave it as motsly uninteresting, but if someone has some text, I'm fine with that too. > (6) Section 3.1, The sentence =E2=80=9CIt is expected that ED25519 will b= ecome the > future RECOMMENDED default algorithm =E2=80=A6=E2=80=9D is clear on the f= uture. However, > looking back at the table in this section, it wasn=E2=80=99t clear what t= he current > default algorithm is. > I've changed it a little bit to indicate this by adding a sentence here: RSASHA256 is in wide use and considered strong. It has been the default algorithm for a number of years and is now slowly being replaced with ECDSAP256SHA256 due to its shorter key and signature size, resulting in smaller DNS packets. > > (7) Section 3.2, The sentence =E2=80=9COperation recommendation for new a= nd > existing > deployments.=E2=80=9D Seems to stand alone or is missing some words. Sho= uld it be > something along the lines of =E2=80=9CThis section provides operational > recommendations > =E2=80=A6=E2=80=9D > I've removed the sentence. > (8) Section 3.2, Typo, s/is RECOMMENDED/is the RECOMMENDED/ > > (9) Section 3.4, Editorial, s/The SHA-256/SHA-256/ > Were already fixed in -08. > (10) Section 4, Typo, s/seciton/section/ > Fixed. (11) Section 5, Editorial, s/for the use of DNSSEC/for use in DNSSEC/ > Fixed. The -09 should appear shortly with these fixes. Thanks! Paul --0000000000001f0cee05862fdad3 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Thanks for the review!

=
On Wed, Ap= r 10, 2019 at 5:30 PM Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
=C2=A0
=
-------------------------= ---------------------------------------------
COMMENT:
----------------------------------------------------------------------

(1) Abstract.=C2=A0 Nit.=C2=A0 There is a reference, [RFC6944], in the abst= ract which
isn=E2=80=99t permitted.

Hmm, it is rea= lly just giving a clickable reference to the document we are obsoleting. It= 's kind of nice to have there. But I guess you are right that it is not= allowed, so I've made the text without a reference.

(2) Section 1.2, Per =E2=80=9CThis document only provides recommendations w= ith respect
to mandatory-to-implement algorithms or algorithms so weak that recommendat= ion
cannot be recommended=E2=80=9D

** Editorial:
s/algorithms so weak that recommendation cannot be recommended/
algorithms so weak that they cannot be recommended/
Was fixed in -08

** The first part of the sentence doesn=E2=80=99t appear to be consistent w= ith the
RFC2119 words in the Section 3.1 Table which also includes RECOMMENDED/MAY<= br> (which is neither MTI or NOT RECOMMENDED)

It is recommended in lower case, not in 2119 meaning?

(3) Section 1.3, Typo, s/from from/from/

(4) Section 3.1, Typo, s/cryptographics/cryptographic/

Were already fixed.


(5) Section 3.1, ED448 appears to be the only algorithm that doesn=E2=80=99= t have
treatment in even briefly describing its designated implementation
recommendation.

It does get mentioned i= n the beginning of the paragraph. But there isn't much to say really. I= t's there but just slightly stronger than 25519, so not really worth th= e effort. I think it is okay to leave it as motsly uninteresting, but if so= meone has some text, I'm fine with that too.


(6) Section 3.1, The sentence =E2=80=9CIt is expected that ED25519 will bec= ome the
future RECOMMENDED default algorithm =E2=80=A6=E2=80=9D is clear on the fut= ure.=C2=A0 However,
looking back at the table in this section, it wasn=E2=80=99t clear what the= current
default algorithm is.

I've changed = it a little bit to indicate this by adding a sentence here:
<= br>
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 =C2=A0 RSASHA256 i= s in wide use and considered strong. It has been the default
=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 algorithm for a number of yea= rs and is now slowly being replaced with
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0 ECDSAP256SHA256 due to its shorter key and signatu= re size, resulting in
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0 smaller DNS packets.
=C2=A0

(7) Section 3.2, The sentence =E2=80=9COperation recommendation for new and= existing
deployments.=E2=80=9D Seems to stand alone or is missing some words.=C2=A0 = Should it be
something along the lines of =E2=80=9CThis section provides operational rec= ommendations
=E2=80=A6=E2=80=9D

I've removed the= sentence.


(8) Section 3.2, Typo, s/is RECOMMENDED/is the RECOMMENDED/

(9) Section 3.4, Editorial, s/The SHA-256/SHA-256/
Were already fixed in -08.


(10) Section 4, Typo, s/seciton/section/

Fixed.

(11) Section 5, Editorial, s/for the use of DNSSEC/for use in DNSSEC/

Fixed.

The -09 shou= ld appear shortly with these fixes.

Thanks!
<= div>
Paul


= --0000000000001f0cee05862fdad3-- From nobody Wed Apr 10 13:42:56 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F13441203F2 for ; Wed, 10 Apr 2019 13:42:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.3 X-Spam-Level: X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGkdAqV7Tp05 for ; Wed, 10 Apr 2019 13:42:51 -0700 (PDT) Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 090C4120676 for ; Wed, 10 Apr 2019 13:42:49 -0700 (PDT) Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3AKYDCo025157; Wed, 10 Apr 2019 20:42:49 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type; s=corp-2018-07-02; bh=JlD4Jtn9ijZQKYGpuiJEy7HXob0hjjri4duKH+rfF4o=; b=fYPWTT0Nsd8XG1knGF1hAkVGR3ldJp7xVYut0bi0NcopHaH+yLbBnKhWwJmarJpNY4hR uEKs6HVUlyTgKqv4qVEp5hE9Wtd42OU1zgTmjlrdNksxdwMMnZznVfczBDuIOQyPJOdj OGe59PkXDddGvyRNCLPiCTXHJq76xy7Rake9b+hWERp0QswzUrIu3cfrby/02DvuqGzH qVtD7hBSpur4a+ShtCxC9KZbL+j5UEB9az07R2J5Lvc/pxQK9p0yVTjOgQkyOZv6ARfG 1ltftuuCRLvtUtrnNkCXgnDaqWBoNEtunrSLHFvyc3YUk9cFc4WLvVmbRinuNFycvqr8 +g== Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by userp2130.oracle.com with ESMTP id 2rpkht5e7m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 10 Apr 2019 20:42:48 +0000 Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3AKfuAL194656; Wed, 10 Apr 2019 20:42:48 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userp3020.oracle.com with ESMTP id 2rpkek4bcf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 10 Apr 2019 20:42:48 +0000 Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x3AKglAT026760; Wed, 10 Apr 2019 20:42:47 GMT Received: from [172.19.128.66] (/216.146.45.33) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 10 Apr 2019 13:42:47 -0700 To: Bob Harold Cc: dnsop References: From: Richard Gibson Message-ID: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> Date: Wed, 10 Apr 2019 16:42:45 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------5C6DF636D9136C6F2D3FEBE2" Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9223 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904100134 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9223 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904100134 Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 10 Apr 2019 20:42:54 -0000 This is a multi-part message in MIME format. --------------5C6DF636D9136C6F2D3FEBE2 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Responses below. On 4/9/19 16:04, Bob Harold wrote: > If it gets an authoritative answer saying that there are no address > records, then it should respect that answer.  If that is incorrect, > then whatever gave that answer is broken or misconfigured and should > be fixed. > > Perhaps I am missing something.  In what cases can you imagine getting > a response with no errors and no records? Misconfiguration is precisely the case, but quite possibly misconfiguration in the zone of /target/ records as opposed to the zone containing the ANAME. And there are two problems with respecting that [negative] answer. The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself. The second problem is for the query originator and their ANAME-aware resolver, which will be forced to resolve the SOA of the ANAME-containing zone in order to issue a proper RFC 2308 Type 2 NODATA response —and such resolution must take place synchronously, tying up resolver resources and increasing end-user latency (insignificantly when the SOA is already cached, significantly when it is not). Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway—if anyone can think of a scenario where it would be /beneficial/ to dynamically remove ANAME siblings, please share it. --------------5C6DF636D9136C6F2D3FEBE2 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit

Responses below.

On 4/9/19 16:04, Bob Harold wrote:
If it gets an authoritative answer saying that there are no address records, then it should respect that answer.  If that is incorrect, then whatever gave that answer is broken or misconfigured and should be fixed.  

Perhaps I am missing something.  In what cases can you imagine getting a response with no errors and no records?

Misconfiguration is precisely the case, but quite possibly misconfiguration in the zone of target records as opposed to the zone containing the ANAME. And there are two problems with respecting that [negative] answer.

The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself.

The second problem is for the query originator and their ANAME-aware resolver, which will be forced to resolve the SOA of the ANAME-containing zone in order to issue a proper RFC 2308 Type 2 NODATA response—and such resolution must take place synchronously, tying up resolver resources and increasing end-user latency (insignificantly when the SOA is already cached, significantly when it is not).

Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway—if anyone can think of a scenario where it would be beneficial to dynamically remove ANAME siblings, please share it.

--------------5C6DF636D9136C6F2D3FEBE2-- From nobody Thu Apr 11 06:48:47 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 280801202CC for ; Thu, 11 Apr 2019 06:48:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x6T0b5uxT6fj for ; Thu, 11 Apr 2019 06:48:35 -0700 (PDT) Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 452E41202E2 for ; Thu, 11 Apr 2019 06:48:34 -0700 (PDT) Received: by mail-lj1-x232.google.com with SMTP id l7so5588858ljg.6 for ; Thu, 11 Apr 2019 06:48:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0zxnddxYkeGT47fbYWFSgtdR2pdSjQOW41ADq08+kEk=; b=D5p3flpkuoFPSIHAOUOPNW+RjmT+cYD9WH4LWqjd1CHbTkhIXnBx85/ZVX0jsOAUfH U0ZsFRm4bBZvx2ym6qSO7kdAvaLzNB3ITaUzjpw1c3kuN9UIsVzCkAvU2ZSySkBI7gQo vPwcgdHW0Q579qpKfHb/XV1POgmfIt8WivuytFdA2emDDs458yAUB7yGlDlqIAhLjVfg OqevMxKZpy5MCNzeF1kcaNt5LfrcrDe1VX1MU0Qszvt9+Y6t4cO3h50VG2wvlKzsEhUs lOPzKJJSF3YY7dEz8Bn5GkyNhP4hDBXLCSF5AMuqysPrBBnQCJgw2bO8OYy3UsfbNo/T 0nDA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0zxnddxYkeGT47fbYWFSgtdR2pdSjQOW41ADq08+kEk=; b=pw8zgaHUXvnj5J+j9nxOEYQujU34KpRe699h4/sh4ByRXXR2ToNrvJIzCyxVK+JZxT w6JYu92ic3mDQUnuG16F0SqZ6ziE/Y/EKYsZEJsO7pXEEjBdw8eaFqUfV7jZoWu4X1kn Jxll0vxoyfTH9N0zZhP7LuVsmZs3N6bnSI8+2/DUF5gffEvaEC9XERvnGAf43k7ebVBD vpPq7oc+j2dDeeo7MeyHLdHsVH4x9HFS2qBAx34W5ZkKUQMf/45jMfuKfwvf338wiXm2 2T0eacV0bhKxw+glVGSDlPrVEdoIIfRty2dJT4JEiJS8G/AqvOFWZchTEtVDtw4uEGR2 9J6g== X-Gm-Message-State: APjAAAXt5MDIfD0q+acxarxjlJEkkPuXgMFIhUq5c7wOu3vc9EVIeKm5 V6cZ7peONqjGIGZDNWENoTP4bM4Wor45CiXUg8E8kA== X-Google-Smtp-Source: APXvYqypxVdB1Ifb07sYjDf3rNLXUw+ICu8e7KMEW3ox/wsVqaFNly/m3Grl5hFG7TXXzkNSAUM5ZwPaGUr4n/VPmVA= X-Received: by 2002:a2e:9213:: with SMTP id k19mr12156356ljg.118.1554990512971; Thu, 11 Apr 2019 06:48:32 -0700 (PDT) MIME-Version: 1.0 References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> In-Reply-To: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> From: Bob Harold Date: Thu, 11 Apr 2019 09:48:21 -0400 Message-ID: To: Richard Gibson Cc: dnsop Content-Type: multipart/alternative; boundary="00000000000027b63d0586417188" Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Apr 2019 13:48:38 -0000 --00000000000027b63d0586417188 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Wed, Apr 10, 2019 at 4:42 PM Richard Gibson wrote: > Responses below. > On 4/9/19 16:04, Bob Harold wrote: > > If it gets an authoritative answer saying that there are no address > records, then it should respect that answer. If that is incorrect, then > whatever gave that answer is broken or misconfigured and should be fixed. > > Perhaps I am missing something. In what cases can you imagine getting a > response with no errors and no records? > > Misconfiguration is precisely the case, but quite possibly > misconfiguration in the zone of *target* records as opposed to the zone > containing the ANAME. And there are two problems with respecting that > [negative] answer. > > The first problem is for the owner of the ANAME-containing zone, for whom > the upstream misconfiguration will result in downtime and be extended by > caching to the MINIMUM value from their SOA, which in many cases will be > one to three orders of magnitude greater than the TTL of the ANAME itself= . > > The second problem is for the query originator and their ANAME-aware > resolver, which will be forced to resolve the SOA of the ANAME-containing > zone in order to issue a proper RFC 2308 Type 2 NODATA response > =E2=80=94and such reso= lution > must take place synchronously, tying up resolver resources and increasing > end-user latency (insignificantly when the SOA is already cached, > significantly when it is not). > > Both of these problems can be addressed by allowing/recommending/requirin= g > ANAME-aware servers to preserve ANAME siblings when resolution of ANAME > targets results in NXDOMAIN or NODATA responses, rather than replacing th= em > with an empty RRSet... which, to be honest, seems to be always-undesirabl= e > behavior anyway=E2=80=94if anyone can think of a scenario where it would = be > *beneficial* to dynamically remove ANAME siblings, please share it. > Fair enough. I would rather solve the long MINIMUM problem in general, rather than only for this specific case. But here was have a fairly easy source of backup answers, so it will be easier than a general solution. I don't like it, but I see your point. As for when we might want an NXDOMAIN answer, perhaps: CDN is overwhelmed or web servers are all down, so stop users from trying to connect. Or server changes and we don't want users to fall back to old, incorrect addresses. --=20 Bob Harold --00000000000027b63d0586417188 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

On Wed, Apr 10, 2019= at 4:42 PM Richard Gibson <richard.j.gibson@oracle.com> wrote:
=20 =20 =20

Responses below.

On 4/9/19 16:= 04, Bob Harold wrote:
=20
If it gets an authoritative answer saying that there are no address records, then it should respect that answer.=C2=A0 If that is incorrect, then whatever ga= ve that answer is broken or misconfigured and should be fixed.=C2=A0= =C2=A0

Perhaps I am missing something.=C2=A0 In what cases can you imagine getting a response with no errors and no records?

Misconfiguration is precisely the case, but quite possibly misconfiguration in the zone of target records as opposed to the zone containing the ANAME. And there are two problems with respecting that [negative] answer.

The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself.

The second problem is for the query originator and their ANAME-aware resolver, which will be forced to resolve the SOA of the ANAME-containing zone in order to issue a proper RFC 2308 Ty= pe 2 NODATA response=E2=80=94and such resolution must take place synchronously, tying up resolver resources and increasing end-user latency (insignificantly when the SOA is already cached, significantly when it is not).

Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway=E2=80=94if anyone can think of a scenario where it wo= uld be beneficial to dynamically remove ANAME siblings, please share it.

Fair enough.=C2=A0 I would r= ather solve the long MINIMUM problem in general, rather than only for this = specific case.=C2=A0 But here was have a fairly easy source of backup answe= rs, so it will be easier than a general solution.=C2=A0 I don't like it= , but I see your point.

As for when we might want = an NXDOMAIN answer, perhaps:
CDN is overwhelmed or web servers ar= e all down, so stop users from trying to connect.
Or server chang= es and we don't want users to fall back to old, incorrect addresses.

--=C2=A0
Bob Harold

--00000000000027b63d0586417188-- From nobody Thu Apr 11 08:10:50 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BD8A120392; Thu, 11 Apr 2019 08:10:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.2 X-Spam-Level: X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lkNMPFZcL8Ol; Thu, 11 Apr 2019 08:10:39 -0700 (PDT) Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B04B120305; Thu, 11 Apr 2019 08:10:39 -0700 (PDT) Received: by rfc-editor.org (Postfix, from userid 30) id 89284B81FDF; Thu, 11 Apr 2019 08:10:34 -0700 (PDT) To: rpf@acm.org, dcrocker@bbiw.net X-PHP-Originating-Script: 30:errata_mail_lib.php From: RFC Errata System Cc: warren@kumari.net, iesg@ietf.org, dnsop@ietf.org, rfc-editor@rfc-editor.org Content-Type: text/plain; charset=UTF-8 Message-Id: <20190411151034.89284B81FDF@rfc-editor.org> Date: Thu, 11 Apr 2019 08:10:34 -0700 (PDT) Archived-At: Subject: [DNSOP] [Errata Held for Document Update] RFC8552 (5665) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Apr 2019 15:10:42 -0000 The following errata report has been held for document update for RFC8552, "Scoped Interpretation of DNS Resource Records through "Underscored" Naming of Attribute Leaves". -------------------------------------- You may review the report below and at: http://www.rfc-editor.org/errata/eid5665 -------------------------------------- Status: Held for Document Update Type: Editorial Reported by: Ronan Flood Date Reported: 2019-03-21 Held by: Warren Kumari (Ops AD) (IESG) Section: 4.1.3 Original Text ------------- 4.1.3. _ta Under the NULL RR Type, the entry "_ta-*" denotes all node names beginning with the string "_ta-*". It does NOT refer to a DNS wildcard specification. Corrected Text -------------- 4.1.3. _ta Under the NULL RR Type, the entry "_ta-*" denotes all node names beginning with the string "_ta-". It does NOT refer to a DNS wildcard specification. Notes ----- The second '*' should not be present, as a literal asterisk does not appear in all node names beginning with "_ta-". -------------------------------------- RFC8552 (draft-ietf-dnsop-attrleaf-16) -------------------------------------- Title : Scoped Interpretation of DNS Resource Records through "Underscored" Naming of Attribute Leaves Publication Date : March 2019 Author(s) : D. Crocker Category : BEST CURRENT PRACTICE Source : Domain Name System Operations Area : Operations and Management Stream : IETF Verifying Party : IESG From nobody Thu Apr 11 09:21:06 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B5F71203B6 for ; Thu, 11 Apr 2019 09:21:04 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RkLHRdUerYKy for ; Thu, 11 Apr 2019 09:21:02 -0700 (PDT) Received: from mail-qk1-x731.google.com (mail-qk1-x731.google.com [IPv6:2607:f8b0:4864:20::731]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52BFA1203B4 for ; Thu, 11 Apr 2019 09:21:00 -0700 (PDT) Received: by mail-qk1-x731.google.com with SMTP id w20so3814205qka.7 for ; Thu, 11 Apr 2019 09:21:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Hk2G9zHgp+zvaWUOHiyXpcfni16YgZTeExTTmFequWU=; b=DzHmDf+J14TFN/pdvwyktfMEk50cqoEbINzM62VC/7hoVHFtozuVqpX/ABU8RWnQK+ I91Q0TZaQ7l2Oo3LOuxQ076z7JADW60l9rLSdQhBGDrcCBPBesmC+5x+xZW13EtX3zTA AWQjtqMT6WCxJsjq1Y6VABfh/wtpmaGHwYg1fOtS5xVjs9PHG2HTxPYe6DXNIzTpjxR5 yCjWQ6Zc2Cxnc2hZHMdhF+bAIkskjgnCRa/njB96G2hFs7SxbhnpKbDSn2bjPnIXq4gb 9cPusLxC+vDGb7sznWMXV1lpUzw7JhMiUqyetRtIo/JmsJxgJbgZuh+Yt7L67X1mzfqk eqEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Hk2G9zHgp+zvaWUOHiyXpcfni16YgZTeExTTmFequWU=; b=DtdR7MGVDzL6EziJK7z9iv3+gx5WY/55BI0jl6wdatJQcFVd5CEDo3EIfOSyaX4hC4 g1AFK4/zjfbW+AsIsv4GenK5uH6fwZxOXveGG5KbObi7dW2x/x5N6gCu/sFM+MOtHj3a oHKz2Ryt2zfL4pgMDcJztqmYotH7FxQ+xsvWFLfvY3KnN2yW575AxnvNHpqsu2eqphU9 ruOkdYyTahb3qxPmFSButd9nk8NGbCnKivPtc9U1UNvFq2Xp/1NtiRSw11fyDWiGEgV/ 5ED6zBqalHstTWvOpOpojN3GUwehkyGV8bMBbhdhCWpb8896ZutOvv/GpHSPoTp+GR5W u3pA== X-Gm-Message-State: APjAAAUYes4nypnNvr5AUQaGQjxRAqDq23xJjguwWmbI2Iw5v03XnDdl VGvHNX+6jznF93hgkdB/j9CDr8kwg8gnYxfBKDW9qw== X-Google-Smtp-Source: APXvYqx7WjTp1U8x0s51hCwScKPMnKr2wKI6Y6veB32SP9VRD0JC9bRCdjDuTyALWX/S3lQNO0AGoptqNXEUb3LF8dI= X-Received: by 2002:a37:a650:: with SMTP id p77mr39601637qke.256.1554999658772; Thu, 11 Apr 2019 09:20:58 -0700 (PDT) MIME-Version: 1.0 References: <155448126450.10133.15933575757540602207.idtracker@ietfa.amsl.com> In-Reply-To: From: Warren Kumari Date: Thu, 11 Apr 2019 12:20:21 -0400 Message-ID: To: Paul Wouters Cc: DNSOP-Chairs Chairs , IETF DNSOP WG , Benjamin Kaduk , draft-ietf-dnsop-algorithm-update@ietf.org Content-Type: multipart/alternative; boundary="00000000000049919d05864392d8" Archived-At: Subject: Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-algorithm-update-07: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Apr 2019 16:21:04 -0000 --00000000000049919d05864392d8 Content-Type: text/plain; charset="UTF-8" [ - IESG (for clutter), Bob & Tim (through DNSOP / Chairs respectively) ] On Tue, Apr 9, 2019 at 7:55 AM Paul Wouters wrote: > On Fri, 5 Apr 2019, Bob Harold wrote: > > [ SNIP ] > > > In a similar vein, if we stay at PS, a lot of the references seem > like > > they would need to move from Informative to Normative, since to > > implement the various MUST-level algorithms you have to follow > those > > references. > > I would not say those references are normative in that sense. You don't > HAVE to read how GOST is specified to not implement it. > > Perhaps, but there are still lots of Informative references which implementers would need to read. For example: RFC5702, RFC6605: 8 RSA/SHA-256 RSASHA256 Y * [RFC5702] 10 RSA/SHA-512 RSASHA512 Y * [RFC5702] 13 ECDSA Curve P-256 with SHA-256 ECDSAP256SHA256 Y * [RFC6605] RFC4509: 2 SHA-256 MANDATORY [RFC4509] It is a simple matter to make these Normative.... -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf --00000000000049919d05864392d8 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
[ - IESG (for clutter), Bob & Tim (through DNSOP = / Chairs respectively) ]=C2=A0


On Tue, Apr 9, 2019 at 7:55 AM Pau= l Wouters <paul@nohats.ca> wrot= e:
On Fri, 5 Apr= 2019, Bob Harold wrote:

[ SN= IP ]=C2=A0

>=C2=A0 =C2=A0 =C2=A0 =C2=A0In a similar vein, if we stay at PS, a lot o= f the references seem like
>=C2=A0 =C2=A0 =C2=A0 =C2=A0they would need to move from Informative to = Normative, since to
>=C2=A0 =C2=A0 =C2=A0 =C2=A0implement the various MUST-level algorithms = you have to follow those
>=C2=A0 =C2=A0 =C2=A0 =C2=A0references.

I would not say those references are normative in that sense. You don't=
HAVE to read how GOST is specified to not implement it.


Perhaps, but there are still lots of Informative references whic= h implementers would need to read. For example:

RFC5702, RFC6605:
8 RSA/SHA-256 = RSASHA256 Y * [RFC5702]
10 RSA/SHA-512 RSASHA512 Y * [RFC5702]
13 ECDSA Curve P-25= 6 with SHA-256 ECDSAP256SHA256 Y = * [RFC6605]
RFC4509:
2= SHA-256 MANDATORY [RFC4509]

It is a simp= le matter to make these Normative....


--
=
I don't think the execution = is relevant when it was obviously a bad idea in the first place.
This is= like putting rabid weasels in your pants, and later expressing regret at h= aving chosen those particular rabid weasels and that pair of pants.
=C2= =A0 =C2=A0---maf
--00000000000049919d05864392d8-- From nobody Thu Apr 11 12:24:35 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 151E6120615; Thu, 11 Apr 2019 12:24:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8-I8sx4wf-T; Thu, 11 Apr 2019 12:24:32 -0700 (PDT) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0C22120604; Thu, 11 Apr 2019 12:24:31 -0700 (PDT) Received: from kduck.mit.edu (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x3BJOQxe029886 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 11 Apr 2019 15:24:29 -0400 Date: Thu, 11 Apr 2019 14:24:26 -0500 From: Benjamin Kaduk To: Warren Kumari Cc: Paul Wouters , DNSOP-Chairs Chairs , IETF DNSOP WG , draft-ietf-dnsop-algorithm-update@ietf.org Message-ID: <20190411192426.GR18549@kduck.mit.edu> References: <155448126450.10133.15933575757540602207.idtracker@ietfa.amsl.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Archived-At: Subject: Re: [DNSOP] Benjamin Kaduk's No Objection on draft-ietf-dnsop-algorithm-update-07: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Apr 2019 19:24:34 -0000 On Thu, Apr 11, 2019 at 12:20:21PM -0400, Warren Kumari wrote: > [ - IESG (for clutter), Bob & Tim (through DNSOP / Chairs respectively) ] > > > On Tue, Apr 9, 2019 at 7:55 AM Paul Wouters wrote: > > > On Fri, 5 Apr 2019, Bob Harold wrote: > > > > [ SNIP ] > > > > > In a similar vein, if we stay at PS, a lot of the references seem > > like > > > they would need to move from Informative to Normative, since to > > > implement the various MUST-level algorithms you have to follow > > those > > > references. > > > > I would not say those references are normative in that sense. You don't > > HAVE to read how GOST is specified to not implement it. > > > > > Perhaps, but there are still lots of Informative references which > implementers would need to read. For example: > > RFC5702, RFC6605: > 8 RSA/SHA-256 RSASHA256 Y * [RFC5702] > 10 RSA/SHA-512 RSASHA512 Y * [RFC5702] > 13 ECDSA Curve P-256 with SHA-256 ECDSAP256SHA256 Y * [RFC6605] > > RFC4509: > 2 SHA-256 MANDATORY [RFC4509] > > It is a simple matter to make these Normative.... I'll also note (sic) that note 1 at https://www.ietf.org/blog/iesg-statement-normative-and-informative-references/ says: Even references that are relevant only for optional features must be classified as normative if they meet the above conditions for normative references. -Ben From nobody Thu Apr 11 15:50:26 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 703411201BD for ; Thu, 11 Apr 2019 15:50:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FZO3ElvLcj5l for ; Thu, 11 Apr 2019 15:50:23 -0700 (PDT) Received: from mail-it1-x12f.google.com (mail-it1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E14312016A for ; Thu, 11 Apr 2019 15:50:23 -0700 (PDT) Received: by mail-it1-x12f.google.com with SMTP id x132so12604052itf.2 for ; Thu, 11 Apr 2019 15:50:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Vsq3NKcSfEGAgf8n6Y+hvmTUZPwnphpToBiQeW+iFFg=; b=BlgNaBQCcfBAp2Zo0o6c7iCfZk23k+4kcJS+ohyWein5eWSdYYSdPIOBM3OWCk9e6j hHf0lZ2f5M4+jkYdAoLZQpAOJ55yh8dRZ3oHRe9F3B0s8ipEh6GTLRG5xHw+mdve2GWU WQ+WhTRpzO0iPa0WMRg7WZMJHZ21ZPvpNJ7AKck58HprcSyZKodu281wmb/dvxr4SNDh ZZRtHZ+JX7eSP4BqA8oY/POxjkPwDZI47XMsXJSs3XymbfWydh6iksN3xqTN7sz1aTBR llK6y91M3okDayh84JwAvjbb5v1GEYPGKg+IB2BURjSufHPlHdwqkLSGBmN/kiXwN4F0 7C0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Vsq3NKcSfEGAgf8n6Y+hvmTUZPwnphpToBiQeW+iFFg=; b=W60hElQCNGJgv+taS2JjdMlkzDuc2qcDOvERUJbIAedqBir9k0+C8iF3iEzBiaHIOw U4fYxqvMH279vLYWsTkelS26Zu7+ewHyZawNr/DuD2Afyn6OV/5HwNYdn+euJ0zUrzdB O3b6cgJgsRqfHv6NDxZKwUOl5rPQ2iAf7RJ9ZUStrpfzGyHM/h2xrntkeeQC95iuZRnC 4hU34CQ3TBGskARLH9vC5IRnAgiv9qKXuYmk+uty/cAxQgjcAXIg7J9Ea6ZPJpmFhRiB zAydqz5teYlNVihetj6nAE9EfU/+mcaXeLsiThCGIdSJAu0C3nsCTyiOYvEFdxqGwoJe vFgg== X-Gm-Message-State: APjAAAXq5HQnq4+z9ODd7ylzLJjv7eV3Bh9Qv85ZCd+t93FtdqPpNiyK re5T/WQHZlnyM7qaHXQ/coJJJsI68YE0XYbzTPid5Q== X-Google-Smtp-Source: APXvYqzIvqSFryDB2d9iMMKPxHHZjH5wI5GgIwS4VpP676gidgfiS2OA/QoCUw6E9K3QHfYGMtBv+gmFu6eabQNEI/Q= X-Received: by 2002:a02:c6d8:: with SMTP id r24mr13927243jan.93.1555023022372; Thu, 11 Apr 2019 15:50:22 -0700 (PDT) MIME-Version: 1.0 References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> In-Reply-To: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> From: Matthew Pounsett Date: Thu, 11 Apr 2019 18:50:11 -0400 Message-ID: To: Richard Gibson Cc: Bob Harold , dnsop Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Apr 2019 22:50:25 -0000 On Wed, 10 Apr 2019 at 16:43, Richard Gibson wrote: > > > The first problem is for the owner of the ANAME-containing zone, for whom= the upstream misconfiguration will result in downtime and be extended by c= aching to the MINIMUM value from their SOA, which in many cases will be one= to three orders of magnitude greater than the TTL of the ANAME itself. I think I'm missing something here. If, for example, the TTL of the ANAME is 1 hour, what mechanism results in caching holding onto a negative answer for a broken target name for a minimum of 10 hours, and to 40 days? > > Both of these problems can be addressed by allowing/recommending/requirin= g ANAME-aware servers to preserve ANAME siblings when resolution of ANAME t= argets results in NXDOMAIN or NODATA responses, rather than replacing them = with an empty RRSet... which, to be honest, seems to be always-undesirable = behavior anyway=E2=80=94if anyone can think of a scenario where it would be= beneficial to dynamically remove ANAME siblings, please share it. I feel like this is creating an even bigger potential problem. What happens when the owner of the ANAME target legitimately wants that name to go away, but some other zone owner is leaving an ANAME in place pointing to that now-nonexistent name? Continuing to serve the sibling records indefinitely seems like serve-stale gone horribly wrong. From nobody Thu Apr 11 17:02:41 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 556F912044A for ; Thu, 11 Apr 2019 17:02:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.301 X-Spam-Level: X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uo9fKsEhGGiu for ; Thu, 11 Apr 2019 17:02:38 -0700 (PDT) Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06F03120013 for ; Thu, 11 Apr 2019 17:02:37 -0700 (PDT) Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3BNxC9P139786; Fri, 12 Apr 2019 00:02:36 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type; s=corp-2018-07-02; bh=gJZnJ9zzTJOpohac2IeknpKkWn8vNE6X+kMP2erZ12U=; b=yY9vhktgx7u4bxsXHcRAiAKlX8Vm4GRIy4KQ5oOs8qlgtqFmGWE41DmvmYXj2+mTepSB +joKy9+gjFiabShGqWTuTr1W0NI6x3Ve47BzlKbSWoJqWb/w2RHPrGDaewfsOTXMiMSl 0jaNc0eYJWu7I2tvTqb13xesHHJ9oQu5Pk//9EmHVSM4QTngceNiUXu8Mzp01ya1Q7n0 ipFzlNfWljBKqVk0zvZ+Tpe/DTSQKfv4ByzwTmsP7JRYggOySMgaRsOMZSH7iYSGiRlZ NTIh44MtGng/579TJx2r6bMlhKcu2Tk9N8QddoAiLgVT8XeJ6Akw9EUB0rrhyd++8tom Vw== Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by userp2130.oracle.com with ESMTP id 2rpkhtbtrd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 12 Apr 2019 00:02:35 +0000 Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3C02Z6S024490; Fri, 12 Apr 2019 00:02:35 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userp3030.oracle.com with ESMTP id 2rph7u19mn-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 12 Apr 2019 00:02:34 +0000 Received: from abhmp0004.oracle.com (abhmp0004.oracle.com [141.146.116.10]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x3C02SSl018535; Fri, 12 Apr 2019 00:02:32 GMT Received: from [192.168.1.213] (/67.189.230.160) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 11 Apr 2019 17:02:28 -0700 To: Matthew Pounsett Cc: Bob Harold , dnsop References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> From: Richard Gibson Message-ID: <516fda75-bb6e-67c6-cd52-0a5017bc889f@oracle.com> Date: Thu, 11 Apr 2019 20:02:26 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------6CAD79BC8B8BB40AD96D9247" Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9224 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904110155 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9224 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904110155 Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 00:02:40 -0000 This is a multi-part message in MIME format. --------------6CAD79BC8B8BB40AD96D9247 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Responses inline. On 4/11/19 18:50, Matthew Pounsett wrote: > On Wed, 10 Apr 2019 at 16:43, Richard Gibson > wrote: >> The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself. > I think I'm missing something here. If, for example, the TTL of the > ANAME is 1 hour, what mechanism results in caching holding onto a > negative answer for a broken target name for a minimum of 10 hours, > and to 40 days? Demonstrative example zone: example.com.  3600  IN    SOA  ns.example.net. hostmaster.example.net. 1 ( 7200 ; REFRESH 3600 ; RETRY 86400 ; EXPIRE 3600 ); MINIMUM example.com.    60  IN  ANAME  example.invalid. example.com. 60 IN A 192.0.2.1 When an ANAME-aware resolver queries an ANAME-aware authoritative server for example.com. A, it will receive the A record in the answer section and the ANAME in the additional section. If it then chases the ANAME target to an NXDOMAIN and accepts that as justification for replacing the sibling A RRSet with nothing as currently specified in the draft, then the appropriate response will be a Type 2 NODATA in which the answer section is empty and the additional section contains the SOA. But this suffers from both of the problems I have been complaining about—the resolver does not necessarily /have/ the zone SOA, possibility necessitating an inline lookup, and per RFC 2308 the negative response will be cached according to values from the SOA that are unrelated to and far exceed the TTL of the ANAME. >> Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway—if anyone can think of a scenario where it would be beneficial to dynamically remove ANAME siblings, please share it. > I feel like this is creating an even bigger potential problem. What > happens when the owner of the ANAME target legitimately wants that > name to go away, but some other zone owner is leaving an ANAME in > place pointing to that now-nonexistent name? Continuing to serve the > sibling records indefinitely seems like serve-stale gone horribly > wrong. In such a configuration, the owner of the ANAME will be able to see that clients are using its static sibling records rather than its target (and therefore that they are getting no benefit from the ANAME), and can react accordingly. If your concern is excess queries for the ANAME target, then this seems no different from e.g. CNAME—the owner of the target can issue long-lived negative responses while performing whatever other exploration and/or mitigation they deem fit. But this seems like it will be much more rare and frankly much less of a problem than stretching out misconfiguration at an ANAME target into extended downtime for an ANAME owner. It must be possible for the latter to execute a recovery plan as quickly as possible, and if ANAME is specified well then that the first step of recovery can be literally instant and automatic. --------------6CAD79BC8B8BB40AD96D9247 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit

Responses inline.

On 4/11/19 18:50, Matthew Pounsett wrote:
On Wed, 10 Apr 2019 at 16:43, Richard Gibson
<richard.j.gibson@oracle.com> wrote:

The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself.

I think I'm missing something here.  If, for example, the TTL of the
ANAME is 1 hour, what mechanism results in caching holding onto a
negative answer for a broken target name for a minimum of 10 hours,
and to 40 days?
Demonstrative example zone:
example.com.  3600  IN    SOA  ns.example.net. hostmaster.example.net. 1 (
                                  7200   ; REFRESH
                                  3600   ; RETRY
                                 86400   ; EXPIRE
                                  3600  ); MINIMUM
example.com.    60  IN  ANAME  example.invalid.
example.com.    60  IN      A  192.0.2.1

When an ANAME-aware resolver queries an ANAME-aware authoritative server for example.com. A, it will receive the A record in the answer section and the ANAME in the additional section. If it then chases the ANAME target to an NXDOMAIN and accepts that as justification for replacing the sibling A RRSet with nothing as currently specified in the draft, then the appropriate response will be a Type 2 NODATA in which the answer section is empty and the additional section contains the SOA. But this suffers from both of the problems I have been complaining about—the resolver does not necessarily have the zone SOA, possibility necessitating an inline lookup, and per RFC 2308 the negative response will be cached according to values from the SOA that are unrelated to and far exceed the TTL of the ANAME. 

Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway—if anyone can think of a scenario where it would be beneficial to dynamically remove ANAME siblings, please share it.

I feel like this is creating an even bigger potential problem.  What
happens when the owner of the ANAME target legitimately wants that
name to go away, but some other zone owner is leaving an ANAME in
place pointing to that now-nonexistent name?  Continuing to serve the
sibling records indefinitely seems like serve-stale gone horribly
wrong.

In such a configuration, the owner of the ANAME will be able to see that clients are using its static sibling records rather than its target (and therefore that they are getting no benefit from the ANAME), and can react accordingly. If your concern is excess queries for the ANAME target, then this seems no different from e.g. CNAME—the owner of the target can issue long-lived negative responses while performing whatever other exploration and/or mitigation they deem fit.

But this seems like it will be much more rare and frankly much less of a problem than stretching out misconfiguration at an ANAME target into extended downtime for an ANAME owner. It must be possible for the latter to execute a recovery plan as quickly as possible, and if ANAME is specified well then that the first step of recovery can be literally instant and automatic.

--------------6CAD79BC8B8BB40AD96D9247-- From nobody Thu Apr 11 20:45:26 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B60921201AA for ; Thu, 11 Apr 2019 20:45:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=conundrum-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rWPyfyBSYHTo for ; Thu, 11 Apr 2019 20:45:22 -0700 (PDT) Received: from mail-it1-x132.google.com (mail-it1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3729F12018E for ; Thu, 11 Apr 2019 20:45:22 -0700 (PDT) Received: by mail-it1-x132.google.com with SMTP id y204so13447945itf.3 for ; Thu, 11 Apr 2019 20:45:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=conundrum-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=kU4hgk53NNoDs2w5xx207NPGx8JBVZxEVzEWwLIkWrA=; b=c28lmLhaVsmdL8x8epI749vlU30tCp4472RauME4ifkEA5CmbBX0/utdshI0dgKDa0 vLVI3OXL1XyEtcts9f4RBW465j/B+slNQKSJyRTO+4+cKKRPLnCzvpba7Q3oRymV3xEE Y64rKi7NkzdCNZRNXy5bj83ajzYvIdcSCAp7WazWaLP7x+KJqw7pMAE8N3LGb60av0ej +Kd9hYKKw99YCWGOZt8WQU/j1bnZiQ9UnLQi4jHlSyd2J+u/lBFozi/C+TiT3j2myRqk rZOZC75SfLbNVSsW4+dbNiemMeEIbhO/uINdEksQGUJG5EbeyGCgfS8vJmQXAst7m5Cn DN5w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=kU4hgk53NNoDs2w5xx207NPGx8JBVZxEVzEWwLIkWrA=; b=kl/d71kUdSwJr5kvd77gd7YwB7LsY0qH7/OJp0N+US/Le7Uxojir03jLwFQryr1Hum sGm2kH9aNl8iBMx4NxvywS2SUBg2ZfYS334QwDuDC98ZAQV5qO/RHM8ou4KitOplLi55 fWtj4+jL2R1NiQPLzC/pfEbUejONc+d3IcFsHRRb2zspmvXedfL1Mt8DLXRSQRvoLXOv ugJXEZouOxd+q35OPOOdeZ8Nilz+DXp+d5Vk2GpqYyQAnSqPB4rqkD5DDes3zQR0StpR YsBuSVHcdK9L1f0nOwEiC/lCDFIBRep381eIzN3BTJeisXx5EXVqXYSUkJC4kBh7sc9P gEHQ== X-Gm-Message-State: APjAAAXhDRlA5K+tQOgk/dBUOncvoVTnOL9f+IurSRJxwf2vxib+A3lc S6Zs2ifk3RMMQOoAUzu7VSz7SMMNjfPlavCNfQVQ4Q== X-Google-Smtp-Source: APXvYqy2AIgGbjaP/4hY69chzzYhpQnbDbow7K6FfWNrQCtQVQ2T5xPPMoDooDcwpL5wAr4Wq42LvaYXPzGW7M+6KCY= X-Received: by 2002:a24:5f8c:: with SMTP id r134mr11632932itb.110.1555040721094; Thu, 11 Apr 2019 20:45:21 -0700 (PDT) MIME-Version: 1.0 References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> <516fda75-bb6e-67c6-cd52-0a5017bc889f@oracle.com> In-Reply-To: <516fda75-bb6e-67c6-cd52-0a5017bc889f@oracle.com> From: Matthew Pounsett Date: Thu, 11 Apr 2019 23:45:10 -0400 Message-ID: To: Richard Gibson Cc: Bob Harold , dnsop Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 03:45:25 -0000 On Thu, 11 Apr 2019 at 20:02, Richard Gibson wrote: > > The first problem is for the owner of the ANAME-containing zone, for whom= the upstream misconfiguration will result in downtime and be extended by c= aching to the MINIMUM value from their SOA, which in many cases will be one= to three orders of magnitude greater than the TTL of the ANAME itself. [snip] > But this suffers from both of the problems I have been complaining about= =E2=80=94the resolver does not necessarily have the zone SOA, possibility n= ecessitating an inline lookup, and per RFC 2308 the negative response will = be cached according to values from the SOA that are unrelated to and far ex= ceed the TTL of the ANAME. Ah, I see the confusion. You're using definitive statements such as "will" when what you actually mean is "may." There's no specific mechanism that causes the client to cache the negative response "for one to three orders of magnitude greater than the TTL of the ANAME." And, the TTL of the SOA doesn't necessarily "far exceed" the TTL of the ANAME. You're just presupposing that will be a common configuration? I think we're still talking about misconfigurations here, and designing a protocol around people who misconfigure their DNS at the expense of people who configure it properly seems like a bad path to take. > Both of these problems can be addressed by allowing/recommending/requirin= g ANAME-aware servers to preserve ANAME siblings when resolution of ANAME t= argets results in NXDOMAIN or NODATA responses, rather than replacing them = with an empty RRSet... which, to be honest, seems to be always-undesirable = behavior anyway=E2=80=94if anyone can think of a scenario where it would be= beneficial to dynamically remove ANAME siblings, please share it. Yes, I can think of a case where it would be beneficial to remove ANAME siblings: when the target of the ANAME is removed from the DNS. > In such a configuration, the owner of the ANAME will be able to see that = clients are using its static sibling records rather than its target (and th= erefore that they are getting no benefit from the ANAME), and can react acc= ordingly. If your concern is excess queries for the ANAME target, then this= seems no different from e.g. CNAME=E2=80=94the owner of the target can iss= ue long-lived negative responses while performing whatever other exploratio= n and/or mitigation they deem fit. If the target of the ANAME disappears, the owner of the ANAME will similarly be able to recognize the problem and deal with it. If the administrator of the name owning the ANAME is concerned about downtime due to misconfigurations by the target, then that administrator can either select a different target (presumably by selecting a different service provider) or set their TTLs appropriately to not be subject to the potential issue you identified above. However, if the spec requires preserving the target in the DNS despite the administrator of the target zone removing it, then that is a path for abuse by the administrator of the zone containing the ANAME, and the owner of the target will have no recourse. This is what I meant by my reference to serve-stale. From nobody Fri Apr 12 04:05:39 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81C6E120292 for ; Fri, 12 Apr 2019 04:05:38 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.199 X-Spam-Level: X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6JsrkqBu4-vi for ; Fri, 12 Apr 2019 04:05:34 -0700 (PDT) Received: from ppsw-32.csi.cam.ac.uk (ppsw-32.csi.cam.ac.uk [131.111.8.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9D5C120293 for ; Fri, 12 Apr 2019 04:05:33 -0700 (PDT) X-Cam-AntiVirus: no malware found X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus Received: from grey.csi.cam.ac.uk ([131.111.57.57]:43242) by ppsw-32.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.138]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1hEtzo-0001EJ-2s (Exim 4.91) (return-path ); Fri, 12 Apr 2019 12:05:24 +0100 Date: Fri, 12 Apr 2019 12:05:24 +0100 From: Tony Finch To: Matthew Pounsett cc: Richard Gibson , Bob Harold , dnsop In-Reply-To: Message-ID: References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> User-Agent: Alpine 2.20 (DEB 67 2015-01-07) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 11:05:38 -0000 Matthew Pounsett wrote: > > I feel like this is creating an even bigger potential problem. What > happens when the owner of the ANAME target legitimately wants that > name to go away, but some other zone owner is leaving an ANAME in > place pointing to that now-nonexistent name? Continuing to serve the > sibling records indefinitely seems like serve-stale gone horribly > wrong. It's worth noting that Oracle's ANAME model does not couple the sibling addresses to the ANAME target addresses. As I understand it, they have additional "fallback" infrastructure (web servers and whatnot) which is used when the ANAME target isn't available. I'm not sure how this would work as a replacement for CNAME, when the request from the user comes without any information about how to set up a fallback server. Tony. -- f.anthony.n.finch http://dotat.at/ Biscay: Variable 3 or less, becoming southeast 3 or 4. Moderate, becoming slight. Fair. Moderate or good. From nobody Fri Apr 12 04:34:26 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E04E01202BD for ; Fri, 12 Apr 2019 04:34:21 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W9nkhFm8iUd8 for ; Fri, 12 Apr 2019 04:34:19 -0700 (PDT) Received: from lb3-smtp-cloud9.xs4all.net (lb3-smtp-cloud9.xs4all.net [194.109.24.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFEBC12028F for ; Fri, 12 Apr 2019 04:34:18 -0700 (PDT) Received: from [IPv6:2001:980:4eb1:1:7ded:78bc:2f3d:68df] ([IPv6:2001:980:4eb1:1:7ded:78bc:2f3d:68df]) by smtp-cloud9.xs4all.net with ESMTPSA id EuRihwFhLiLOmEuRjhEyaI; Fri, 12 Apr 2019 13:34:16 +0200 To: dnsop@ietf.org References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> From: Matthijs Mekking Message-ID: <317dae7d-7f8c-b724-0a00-06a6d318138b@pletterpet.nl> Date: Fri, 12 Apr 2019 13:34:14 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit X-CMAE-Envelope: MS4wfA8yHHcUbw9IvQ4aZQdA/T6aRI2vp7JAzBUPOm3GUALp3fTIM94pv8itPQfoVayVjI4U+LgPJ9Dod7cGogsp5ETojcEGbSbqkvYZG23W+0qGWrqkleQI n1TGrBnP9Yznej4o6sqdz4El/b1eCENi83kD1hLpa6g/PBCAoRefegwv6n9l99bR6yCuc2OeQ+m9Mp1BGHeHQtQs1KFMWKL2pAhhTkDT0jO5ePeDIJ8k9oSV 9kWC/pZAgRy1D7s3mbWulWEi8zE/K7DzNs46p6Nm7q0= Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 11:34:24 -0000 On 4/12/19 1:05 PM, Tony Finch wrote: > Matthew Pounsett wrote: >> >> I feel like this is creating an even bigger potential problem. What >> happens when the owner of the ANAME target legitimately wants that >> name to go away, but some other zone owner is leaving an ANAME in >> place pointing to that now-nonexistent name? Continuing to serve the >> sibling records indefinitely seems like serve-stale gone horribly >> wrong. > > It's worth noting that Oracle's ANAME model does not couple the sibling > addresses to the ANAME target addresses. As I understand it, they have > additional "fallback" infrastructure (web servers and whatnot) which is > used when the ANAME target isn't available. > > I'm not sure how this would work as a replacement for CNAME, when the > request from the user comes without any information about how to set up a > fallback server. I think the logic suggested for ANAME is given this example: 1. Have ANAME and A and AAAA sibling address records. 2. Look up ANAME target A and AAAA target records. 3. If there is no positive answer (SERVFAIL, NXDOMAIN, NODATA) keep sibling address records. 4. Otherwise replace sibling address records with ANAME target records. This is different than NS1, that will never replace sibling address records. Instead, if there is no sibling address record, it will perform ANAME resolution. If that response is a SERVFAIL, NXDOMAIN or NODATA, that is what will be given to the client (although returning SERVFAIL won't be a thing in the ANAME specification). In order to fit both use cases I think we need to relax the steps in the ANAME resolution logic, but am hesitant to do that: If you make steps optional it will be unclear what the optional resolver's behavior is going to do. I would very much like to see an agreement on the ANAME resolution logic, especially so that customers can have multiple providers or switch providers and can expect the same thing in both places. Best regards, Matthijs > > Tony. > From nobody Fri Apr 12 05:57:07 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3278D12049E; Fri, 12 Apr 2019 05:57:00 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f4LzyC0Fyb2V; Fri, 12 Apr 2019 05:56:58 -0700 (PDT) Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF9F41204A8; Fri, 12 Apr 2019 05:56:57 -0700 (PDT) Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x3CCuth3018356; Fri, 12 Apr 2019 08:56:55 -0400 DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x3CCuth3018356 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1555073816; bh=E2TN8ADHHF48wofN7Buf2GKJwQEAITySOL/QhKDN66k=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=X02qKV+skz7WSEXKlrstZnJlGiic3YyIxplaMXmtRvY6MdQNGp2/PW+XEPfVvdJDy BRDN+5IrdedSMFF+4gj8cdGaQnOifyZXaswRIluQ1vvQaYbhqb5kQSaCpHIy58ScIz lvfB0Qg3OC3FhQCFpGQL74EXBwHp2NKTiDVFQnd8= Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x3CCurZ9010541; Fri, 12 Apr 2019 08:56:53 -0400 Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.03.0435.000; Fri, 12 Apr 2019 08:56:53 -0400 From: Roman Danyliw To: Paul Wouters CC: The IESG , "draft-ietf-dnsop-algorithm-update@ietf.org" , Tim Wicinski , "dnsop-chairs@ietf.org" , "dnsop@ietf.org" Thread-Topic: Roman Danyliw's No Objection on draft-ietf-dnsop-algorithm-update-08: (with COMMENT) Thread-Index: AQHU77JQKu/IEQHXDUK2cBCxgPIJRqY13k8AgAKfD4A= Date: Fri, 12 Apr 2019 12:56:51 +0000 Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B332A50A@marchand> References: <155491020552.9385.6655700279959491253.idtracker@ietfa.amsl.com> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.64.22.6] Content-Type: multipart/alternative; boundary="_000_359EC4B99E040048A7131E0F4E113AFC01B332A50Amarchand_" MIME-Version: 1.0 Archived-At: Subject: Re: [DNSOP] Roman Danyliw's No Objection on draft-ietf-dnsop-algorithm-update-08: (with COMMENT) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 12:57:00 -0000 --_000_359EC4B99E040048A7131E0F4E113AFC01B332A50Amarchand_ Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 SGkhDQoNCkZyb206IFBhdWwgV291dGVycyBbbWFpbHRvOnB3b3V0ZXJzQHJlZGhhdC5jb21dDQpT ZW50OiBXZWRuZXNkYXksIEFwcmlsIDEwLCAyMDE5IDEyOjQ5IFBNDQpUbzogUm9tYW4gRGFueWxp dyA8cmRkQGNlcnQub3JnPg0KQ2M6IFRoZSBJRVNHIDxpZXNnQGlldGYub3JnPjsgZHJhZnQtaWV0 Zi1kbnNvcC1hbGdvcml0aG0tdXBkYXRlQGlldGYub3JnOyBUaW0gV2ljaW5za2kgPHRqdy5pZXRm QGdtYWlsLmNvbT47IGRuc29wLWNoYWlyc0BpZXRmLm9yZzsgZG5zb3BAaWV0Zi5vcmcNClN1Ympl Y3Q6IFJlOiBSb21hbiBEYW55bGl3J3MgTm8gT2JqZWN0aW9uIG9uIGRyYWZ0LWlldGYtZG5zb3At YWxnb3JpdGhtLXVwZGF0ZS0wODogKHdpdGggQ09NTUVOVCkNCg0KVGhhbmtzIGZvciB0aGUgcmV2 aWV3IQ0KDQpPbiBXZWQsIEFwciAxMCwgMjAxOSBhdCA1OjMwIFBNIFJvbWFuIERhbnlsaXcgdmlh IERhdGF0cmFja2VyIDxub3JlcGx5QGlldGYub3JnPG1haWx0bzpub3JlcGx5QGlldGYub3JnPj4g d3JvdGU6DQoNCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCkNPTU1FTlQ6DQotLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQoNCigxKSBB YnN0cmFjdC4gIE5pdC4gIFRoZXJlIGlzIGEgcmVmZXJlbmNlLCBbUkZDNjk0NF0sIGluIHRoZSBh YnN0cmFjdCB3aGljaA0KaXNu4oCZdCBwZXJtaXR0ZWQuDQoNCkhtbSwgaXQgaXMgcmVhbGx5IGp1 c3QgZ2l2aW5nIGEgY2xpY2thYmxlIHJlZmVyZW5jZSB0byB0aGUgZG9jdW1lbnQgd2UgYXJlIG9i c29sZXRpbmcuIEl0J3Mga2luZCBvZiBuaWNlIHRvIGhhdmUgdGhlcmUuIEJ1dCBJIGd1ZXNzIHlv dSBhcmUgcmlnaHQgdGhhdCBpdCBpcyBub3QgYWxsb3dlZCwgc28gSSd2ZSBtYWRlIHRoZSB0ZXh0 IHdpdGhvdXQgYSByZWZlcmVuY2UuDQoNCltSb21hbl0gVGhhbmtzLg0KDQoNCigyKSBTZWN0aW9u IDEuMiwgUGVyIOKAnFRoaXMgZG9jdW1lbnQgb25seSBwcm92aWRlcyByZWNvbW1lbmRhdGlvbnMg d2l0aCByZXNwZWN0DQp0byBtYW5kYXRvcnktdG8taW1wbGVtZW50IGFsZ29yaXRobXMgb3IgYWxn b3JpdGhtcyBzbyB3ZWFrIHRoYXQgcmVjb21tZW5kYXRpb24NCmNhbm5vdCBiZSByZWNvbW1lbmRl ZOKAnQ0KDQoqKiBFZGl0b3JpYWw6DQpzL2FsZ29yaXRobXMgc28gd2VhayB0aGF0IHJlY29tbWVu ZGF0aW9uIGNhbm5vdCBiZSByZWNvbW1lbmRlZC8NCmFsZ29yaXRobXMgc28gd2VhayB0aGF0IHRo ZXkgY2Fubm90IGJlIHJlY29tbWVuZGVkLw0KDQpXYXMgZml4ZWQgaW4gLTA4DQoNCltSb21hbl0g VGhhbmtzLg0KDQoqKiBUaGUgZmlyc3QgcGFydCBvZiB0aGUgc2VudGVuY2UgZG9lc27igJl0IGFw cGVhciB0byBiZSBjb25zaXN0ZW50IHdpdGggdGhlDQpSRkMyMTE5IHdvcmRzIGluIHRoZSBTZWN0 aW9uIDMuMSBUYWJsZSB3aGljaCBhbHNvIGluY2x1ZGVzIFJFQ09NTUVOREVEL01BWQ0KKHdoaWNo IGlzIG5laXRoZXIgTVRJIG9yIE5PVCBSRUNPTU1FTkRFRCkNCg0KSXQgaXMgcmVjb21tZW5kZWQg aW4gbG93ZXIgY2FzZSwgbm90IGluIDIxMTkgbWVhbmluZz8NCg0KW1JvbWFuXSBPay4gIEkgZGlk buKAmXQgcmVhZCBpdCBsaWtlIHRoYXQuDQoNCigzKSBTZWN0aW9uIDEuMywgVHlwbywgcy9mcm9t IGZyb20vZnJvbS8NCg0KKDQpIFNlY3Rpb24gMy4xLCBUeXBvLCBzL2NyeXB0b2dyYXBoaWNzL2Ny eXB0b2dyYXBoaWMvDQoNCldlcmUgYWxyZWFkeSBmaXhlZC4NCg0KDQooNSkgU2VjdGlvbiAzLjEs IEVENDQ4IGFwcGVhcnMgdG8gYmUgdGhlIG9ubHkgYWxnb3JpdGhtIHRoYXQgZG9lc27igJl0IGhh dmUNCnRyZWF0bWVudCBpbiBldmVuIGJyaWVmbHkgZGVzY3JpYmluZyBpdHMgZGVzaWduYXRlZCBp bXBsZW1lbnRhdGlvbg0KcmVjb21tZW5kYXRpb24uDQoNCkl0IGRvZXMgZ2V0IG1lbnRpb25lZCBp biB0aGUgYmVnaW5uaW5nIG9mIHRoZSBwYXJhZ3JhcGguIEJ1dCB0aGVyZSBpc24ndCBtdWNoIHRv IHNheSByZWFsbHkuIEl0J3MgdGhlcmUgYnV0IGp1c3Qgc2xpZ2h0bHkgc3Ryb25nZXIgdGhhbiAy NTUxOSwgc28gbm90IHJlYWxseSB3b3J0aCB0aGUgZWZmb3J0LiBJIHRoaW5rIGl0IGlzIG9rYXkg dG8gbGVhdmUgaXQgYXMgbW90c2x5IHVuaW50ZXJlc3RpbmcsIGJ1dCBpZiBzb21lb25lIGhhcyBz b21lIHRleHQsIEknbSBmaW5lIHdpdGggdGhhdCB0b28uDQoNCg0KKDYpIFNlY3Rpb24gMy4xLCBU aGUgc2VudGVuY2Ug4oCcSXQgaXMgZXhwZWN0ZWQgdGhhdCBFRDI1NTE5IHdpbGwgYmVjb21lIHRo ZQ0KZnV0dXJlIFJFQ09NTUVOREVEIGRlZmF1bHQgYWxnb3JpdGhtIOKApuKAnSBpcyBjbGVhciBv biB0aGUgZnV0dXJlLiAgSG93ZXZlciwNCmxvb2tpbmcgYmFjayBhdCB0aGUgdGFibGUgaW4gdGhp cyBzZWN0aW9uLCBpdCB3YXNu4oCZdCBjbGVhciB3aGF0IHRoZSBjdXJyZW50DQpkZWZhdWx0IGFs Z29yaXRobSBpcy4NCg0KSSd2ZSBjaGFuZ2VkIGl0IGEgbGl0dGxlIGJpdCB0byBpbmRpY2F0ZSB0 aGlzIGJ5IGFkZGluZyBhIHNlbnRlbmNlIGhlcmU6DQoNCiAgICAgICAgICBSU0FTSEEyNTYgaXMg aW4gd2lkZSB1c2UgYW5kIGNvbnNpZGVyZWQgc3Ryb25nLiBJdCBoYXMgYmVlbiB0aGUgZGVmYXVs dA0KICAgICAgICAgIGFsZ29yaXRobSBmb3IgYSBudW1iZXIgb2YgeWVhcnMgYW5kIGlzIG5vdyBz bG93bHkgYmVpbmcgcmVwbGFjZWQgd2l0aA0KICAgICAgICAgIEVDRFNBUDI1NlNIQTI1NiBkdWUg dG8gaXRzIHNob3J0ZXIga2V5IGFuZCBzaWduYXR1cmUgc2l6ZSwgcmVzdWx0aW5nIGluDQogICAg ICAgICAgc21hbGxlciBETlMgcGFja2V0cy4NCg0KDQpbUm9tYW5dIFRoaXMgaXMgY2xlYXJlci4g IFRoYW5rcy4NCg0KDQooNykgU2VjdGlvbiAzLjIsIFRoZSBzZW50ZW5jZSDigJxPcGVyYXRpb24g cmVjb21tZW5kYXRpb24gZm9yIG5ldyBhbmQgZXhpc3RpbmcNCmRlcGxveW1lbnRzLuKAnSBTZWVt cyB0byBzdGFuZCBhbG9uZSBvciBpcyBtaXNzaW5nIHNvbWUgd29yZHMuICBTaG91bGQgaXQgYmUN CnNvbWV0aGluZyBhbG9uZyB0aGUgbGluZXMgb2Yg4oCcVGhpcyBzZWN0aW9uIHByb3ZpZGVzIG9w ZXJhdGlvbmFsIHJlY29tbWVuZGF0aW9ucw0K4oCm4oCdDQoNCkkndmUgcmVtb3ZlZCB0aGUgc2Vu dGVuY2UuDQoNCg0KKDgpIFNlY3Rpb24gMy4yLCBUeXBvLCBzL2lzIFJFQ09NTUVOREVEL2lzIHRo ZSBSRUNPTU1FTkRFRC8NCg0KKDkpIFNlY3Rpb24gMy40LCBFZGl0b3JpYWwsIHMvVGhlIFNIQS0y NTYvU0hBLTI1Ni8NCg0KV2VyZSBhbHJlYWR5IGZpeGVkIGluIC0wOC4NCg0KDQooMTApIFNlY3Rp b24gNCwgVHlwbywgcy9zZWNpdG9uL3NlY3Rpb24vDQoNCkZpeGVkLg0KDQooMTEpIFNlY3Rpb24g NSwgRWRpdG9yaWFsLCBzL2ZvciB0aGUgdXNlIG9mIEROU1NFQy9mb3IgdXNlIGluIEROU1NFQy8N Cg0KRml4ZWQuDQoNClRoZSAtMDkgc2hvdWxkIGFwcGVhciBzaG9ydGx5IHdpdGggdGhlc2UgZml4 ZXMuDQoNCltSb21hbl0gIFRoYW5rcyBzbyBtdWNoIGZvciBjbG9zaW5nIHRoZSBsb29wIG9uIHRo ZXNlIGFuZCBtYWtpbmcgdGhlIGNoYW5nZXMuDQoNClRoYW5rcyENCg0KUGF1bA0KDQoNCg== --_000_359EC4B99E040048A7131E0F4E113AFC01B332A50Amarchand_ Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: base64 PGh0bWwgeG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIHhtbG5zOm89InVy bjpzY2hlbWFzLW1pY3Jvc29mdC1jb206b2ZmaWNlOm9mZmljZSIgeG1sbnM6dz0idXJuOnNjaGVt YXMtbWljcm9zb2Z0LWNvbTpvZmZpY2U6d29yZCIgeG1sbnM6bT0iaHR0cDovL3NjaGVtYXMubWlj cm9zb2Z0LmNvbS9vZmZpY2UvMjAwNC8xMi9vbW1sIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv VFIvUkVDLWh0bWw0MCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIg Y29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PXV0Zi04Ij4NCjxtZXRhIG5hbWU9IkdlbmVyYXRv ciIgY29udGVudD0iTWljcm9zb2Z0IFdvcmQgMTUgKGZpbHRlcmVkIG1lZGl1bSkiPg0KPHN0eWxl PjwhLS0NCi8qIEZvbnQgRGVmaW5pdGlvbnMgKi8NCkBmb250LWZhY2UNCgl7Zm9udC1mYW1pbHk6 IkNhbWJyaWEgTWF0aCI7DQoJcGFub3NlLTE6MiA0IDUgMyA1IDQgNiAzIDIgNDt9DQpAZm9udC1m YWNlDQoJe2ZvbnQtZmFtaWx5OkNhbGlicmk7DQoJcGFub3NlLTE6MiAxNSA1IDIgMiAyIDQgMyAy IDQ7fQ0KLyogU3R5bGUgRGVmaW5pdGlvbnMgKi8NCnAuTXNvTm9ybWFsLCBsaS5Nc29Ob3JtYWws IGRpdi5Nc29Ob3JtYWwNCgl7bWFyZ2luOjBpbjsNCgltYXJnaW4tYm90dG9tOi4wMDAxcHQ7DQoJ Zm9udC1zaXplOjEyLjBwdDsNCglmb250LWZhbWlseToiVGltZXMgTmV3IFJvbWFuIixzZXJpZjt9 DQphOmxpbmssIHNwYW4uTXNvSHlwZXJsaW5rDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCglj b2xvcjpibHVlOw0KCXRleHQtZGVjb3JhdGlvbjp1bmRlcmxpbmU7fQ0KYTp2aXNpdGVkLCBzcGFu Lk1zb0h5cGVybGlua0ZvbGxvd2VkDQoJe21zby1zdHlsZS1wcmlvcml0eTo5OTsNCgljb2xvcjpw dXJwbGU7DQoJdGV4dC1kZWNvcmF0aW9uOnVuZGVybGluZTt9DQpzcGFuLkVtYWlsU3R5bGUxNw0K CXttc28tc3R5bGUtdHlwZTpwZXJzb25hbC1yZXBseTsNCglmb250LWZhbWlseToiQ2FsaWJyaSIs c2Fucy1zZXJpZjsNCgljb2xvcjojMUY0OTdEO30NCi5Nc29DaHBEZWZhdWx0DQoJe21zby1zdHls ZS10eXBlOmV4cG9ydC1vbmx5Ow0KCWZvbnQtZmFtaWx5OiJDYWxpYnJpIixzYW5zLXNlcmlmO30N CkBwYWdlIFdvcmRTZWN0aW9uMQ0KCXtzaXplOjguNWluIDExLjBpbjsNCgltYXJnaW46MS4waW4g MS4waW4gMS4waW4gMS4waW47fQ0KZGl2LldvcmRTZWN0aW9uMQ0KCXtwYWdlOldvcmRTZWN0aW9u MTt9DQotLT48L3N0eWxlPjwhLS1baWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVkZWZhdWx0 cyB2OmV4dD0iZWRpdCIgc3BpZG1heD0iMTAyNiIgLz4NCjwveG1sPjwhW2VuZGlmXS0tPjwhLS1b aWYgZ3RlIG1zbyA5XT48eG1sPg0KPG86c2hhcGVsYXlvdXQgdjpleHQ9ImVkaXQiPg0KPG86aWRt YXAgdjpleHQ9ImVkaXQiIGRhdGE9IjEiIC8+DQo8L286c2hhcGVsYXlvdXQ+PC94bWw+PCFbZW5k aWZdLS0+DQo8L2hlYWQ+DQo8Ym9keSBsYW5nPSJFTi1VUyIgbGluaz0iYmx1ZSIgdmxpbms9InB1 cnBsZSI+DQo8ZGl2IGNsYXNzPSJXb3JkU2VjdGlvbjEiPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZx dW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPkhpITxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxhIG5hbWU9Il9NYWlsRW5kQ29tcG9zZSI+PHNwYW4gc3R5 bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5z LXNlcmlmO2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvYT48L3A+DQo8 ZGl2IHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItbGVmdDpzb2xpZCBibHVlIDEuNXB0O3BhZGRp bmc6MGluIDBpbiAwaW4gNC4wcHQiPg0KPGRpdj4NCjxkaXYgc3R5bGU9ImJvcmRlcjpub25lO2Jv cmRlci10b3A6c29saWQgI0UxRTFFMSAxLjBwdDtwYWRkaW5nOjMuMHB0IDBpbiAwaW4gMGluIj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2Zv bnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZiI+RnJvbTo8L3NwYW4+PC9i PjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkm cXVvdDssc2Fucy1zZXJpZiI+IFBhdWwgV291dGVycyBbbWFpbHRvOnB3b3V0ZXJzQHJlZGhhdC5j b21dDQo8YnI+DQo8Yj5TZW50OjwvYj4gV2VkbmVzZGF5LCBBcHJpbCAxMCwgMjAxOSAxMjo0OSBQ TTxicj4NCjxiPlRvOjwvYj4gUm9tYW4gRGFueWxpdyAmbHQ7cmRkQGNlcnQub3JnJmd0Ozxicj4N CjxiPkNjOjwvYj4gVGhlIElFU0cgJmx0O2llc2dAaWV0Zi5vcmcmZ3Q7OyBkcmFmdC1pZXRmLWRu c29wLWFsZ29yaXRobS11cGRhdGVAaWV0Zi5vcmc7IFRpbSBXaWNpbnNraSAmbHQ7dGp3LmlldGZA Z21haWwuY29tJmd0OzsgZG5zb3AtY2hhaXJzQGlldGYub3JnOyBkbnNvcEBpZXRmLm9yZzxicj4N CjxiPlN1YmplY3Q6PC9iPiBSZTogUm9tYW4gRGFueWxpdydzIE5vIE9iamVjdGlvbiBvbiBkcmFm dC1pZXRmLWRuc29wLWFsZ29yaXRobS11cGRhdGUtMDg6ICh3aXRoIENPTU1FTlQpPG86cD48L286 cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8L2Rpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9wPg0KPGRpdj4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+VGhhbmtzIGZvciB0aGUgcmV2aWV3ITxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjxkaXY+DQo8ZGl2Pg0KPHAgY2xh c3M9Ik1zb05vcm1hbCI+T24gV2VkLCBBcHIgMTAsIDIwMTkgYXQgNTozMCBQTSBSb21hbiBEYW55 bGl3IHZpYSBEYXRhdHJhY2tlciAmbHQ7PGEgaHJlZj0ibWFpbHRvOm5vcmVwbHlAaWV0Zi5vcmci Pm5vcmVwbHlAaWV0Zi5vcmc8L2E+Jmd0OyB3cm90ZTo8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0K PGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+ DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9yZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0ND QyAxLjBwdDtwYWRkaW5nOjBpbiAwaW4gMGluIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdp bi1yaWdodDowaW4iPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+LS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTxicj4NCkNP TU1FTlQ6PGJyPg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0t LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLTxicj4NCjxicj4NCigxKSBBYnN0cmFjdC4mbmJzcDsg Tml0LiZuYnNwOyBUaGVyZSBpcyBhIHJlZmVyZW5jZSwgW1JGQzY5NDRdLCBpbiB0aGUgYWJzdHJh Y3Qgd2hpY2g8YnI+DQppc27igJl0IHBlcm1pdHRlZC48bzpwPjwvbzpwPjwvcD4NCjwvYmxvY2tx dW90ZT4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4N CjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDo1 LjI1cHQiPkhtbSwgaXQgaXMgcmVhbGx5IGp1c3QgZ2l2aW5nIGEgY2xpY2thYmxlIHJlZmVyZW5j ZSB0byB0aGUgZG9jdW1lbnQgd2UgYXJlIG9ic29sZXRpbmcuIEl0J3Mga2luZCBvZiBuaWNlIHRv IGhhdmUgdGhlcmUuIEJ1dCBJIGd1ZXNzIHlvdSBhcmUgcmlnaHQgdGhhdCBpdCBpcyBub3QgYWxs b3dlZCwgc28gSSd2ZSBtYWRlIHRoZSB0ZXh0IHdpdGhvdXQgYSByZWZlcmVuY2UuPHNwYW4gc3R5 bGU9ImNvbG9yOiMxRjQ5N0QiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0Nh bGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwv c3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjEx LjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFG NDk3RCI+W1JvbWFuXSBUaGFua3MuPG86cD48L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZToxMS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7 Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiIHN0eWxlPSJtYXJnaW4tbGVmdDo1LjI1 cHQiPjxicj4NCigyKSBTZWN0aW9uIDEuMiwgUGVyIOKAnFRoaXMgZG9jdW1lbnQgb25seSBwcm92 aWRlcyByZWNvbW1lbmRhdGlvbnMgd2l0aCByZXNwZWN0PGJyPg0KdG8gbWFuZGF0b3J5LXRvLWlt cGxlbWVudCBhbGdvcml0aG1zIG9yIGFsZ29yaXRobXMgc28gd2VhayB0aGF0IHJlY29tbWVuZGF0 aW9uPGJyPg0KY2Fubm90IGJlIHJlY29tbWVuZGVk4oCdPGJyPg0KPGJyPg0KKiogRWRpdG9yaWFs Ojxicj4NCnMvYWxnb3JpdGhtcyBzbyB3ZWFrIHRoYXQgcmVjb21tZW5kYXRpb24gY2Fubm90IGJl IHJlY29tbWVuZGVkLzxicj4NCmFsZ29yaXRobXMgc28gd2VhayB0aGF0IHRoZXkgY2Fubm90IGJl IHJlY29tbWVuZGVkLzxzcGFuIHN0eWxlPSJjb2xvcjojMUY0OTdEIj48bzpwPjwvbzpwPjwvc3Bh bj48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwv bzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPldhcyBmaXhlZCBp biAtMDg8bzpwPjwvbzpwPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJm b250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJp Zjtjb2xvcjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVv dDtDYWxpYnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3RCI+W1JvbWFuXSBUaGFua3Mu PG86cD48L286cD48L3NwYW4+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1h bCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3Jk ZXI6bm9uZTtib3JkZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAw aW4gNi4wcHQ7bWFyZ2luLWxlZnQ6NC44cHQ7bWFyZ2luLXJpZ2h0OjBpbiI+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj4qKiBUaGUgZmlyc3QgcGFydCBvZiB0aGUgc2VudGVuY2UgZG9lc27igJl0IGFw cGVhciB0byBiZSBjb25zaXN0ZW50IHdpdGggdGhlPGJyPg0KUkZDMjExOSB3b3JkcyBpbiB0aGUg U2VjdGlvbiAzLjEgVGFibGUgd2hpY2ggYWxzbyBpbmNsdWRlcyBSRUNPTU1FTkRFRC9NQVk8YnI+ DQood2hpY2ggaXMgbmVpdGhlciBNVEkgb3IgTk9UIFJFQ09NTUVOREVEKTxvOnA+PC9vOnA+PC9w Pg0KPC9ibG9ja3F1b3RlPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7 PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+SXQgaXMgcmVj b21tZW5kZWQgaW4gbG93ZXIgY2FzZSwgbm90IGluIDIxMTkgbWVhbmluZz88bzpwPjwvbzpwPjwv cD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJjb2xv cjojMUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48c3BhbiBzdHlsZT0iZm9udC1zaXplOjExLjBwdDtmb250LWZhbWlseTomcXVvdDtDYWxp YnJpJnF1b3Q7LHNhbnMtc2VyaWY7Y29sb3I6IzFGNDk3RCI+W1JvbWFuXSBPay4mbmJzcDsgSSBk aWRu4oCZdCByZWFkIGl0IGxpa2UgdGhhdC4mbmJzcDsNCjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6MTEuMHB0O2ZvbnQt ZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjojMUY0OTdEIj48bzpw PiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3Jk ZXI6bm9uZTtib3JkZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAw aW4gNi4wcHQ7bWFyZ2luLWxlZnQ6NC44cHQ7bWFyZ2luLXJpZ2h0OjBpbiI+DQo8cCBjbGFzcz0i TXNvTm9ybWFsIj4oMykgU2VjdGlvbiAxLjMsIFR5cG8sIHMvZnJvbSBmcm9tL2Zyb20vPGJyPg0K PGJyPg0KKDQpIFNlY3Rpb24gMy4xLCBUeXBvLCBzL2NyeXB0b2dyYXBoaWNzL2NyeXB0b2dyYXBo aWMvPG86cD48L286cD48L3A+DQo8L2Jsb2NrcXVvdGU+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v cm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv Tm9ybWFsIj5XZXJlIGFscmVhZHkgZml4ZWQuPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGJs b2NrcXVvdGUgc3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICNDQ0NDQ0MgMS4w cHQ7cGFkZGluZzowaW4gMGluIDBpbiA2LjBwdDttYXJnaW4tbGVmdDo0LjhwdDttYXJnaW4tcmln aHQ6MGluIj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxicj4NCig1KSBTZWN0aW9uIDMuMSwgRUQ0 NDggYXBwZWFycyB0byBiZSB0aGUgb25seSBhbGdvcml0aG0gdGhhdCBkb2VzbuKAmXQgaGF2ZTxi cj4NCnRyZWF0bWVudCBpbiBldmVuIGJyaWVmbHkgZGVzY3JpYmluZyBpdHMgZGVzaWduYXRlZCBp bXBsZW1lbnRhdGlvbjxicj4NCnJlY29tbWVuZGF0aW9uLjxvOnA+PC9vOnA+PC9wPg0KPC9ibG9j a3F1b3RlPg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9w Pg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+SXQgZG9lcyBnZXQgbWVudGlv bmVkIGluIHRoZSBiZWdpbm5pbmcgb2YgdGhlIHBhcmFncmFwaC4gQnV0IHRoZXJlIGlzbid0IG11 Y2ggdG8gc2F5IHJlYWxseS4gSXQncyB0aGVyZSBidXQganVzdCBzbGlnaHRseSBzdHJvbmdlciB0 aGFuIDI1NTE5LCBzbyBub3QgcmVhbGx5IHdvcnRoIHRoZSBlZmZvcnQuIEkgdGhpbmsgaXQgaXMg b2theSB0byBsZWF2ZSBpdCBhcyBtb3RzbHkgdW5pbnRlcmVzdGluZywgYnV0IGlmDQogc29tZW9u ZSBoYXMgc29tZSB0ZXh0LCBJJ20gZmluZSB3aXRoIHRoYXQgdG9vLjxvOnA+PC9vOnA+PC9wPg0K PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+ DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxlPSJib3JkZXI6bm9uZTtib3JkZXItbGVmdDpzb2xp ZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGluIDBpbiAwaW4gNi4wcHQ7bWFyZ2luLWxlZnQ6NC44 cHQ7bWFyZ2luLXJpZ2h0OjBpbiI+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48YnI+DQooNikgU2Vj dGlvbiAzLjEsIFRoZSBzZW50ZW5jZSDigJxJdCBpcyBleHBlY3RlZCB0aGF0IEVEMjU1MTkgd2ls bCBiZWNvbWUgdGhlPGJyPg0KZnV0dXJlIFJFQ09NTUVOREVEIGRlZmF1bHQgYWxnb3JpdGhtIOKA puKAnSBpcyBjbGVhciBvbiB0aGUgZnV0dXJlLiZuYnNwOyBIb3dldmVyLDxicj4NCmxvb2tpbmcg YmFjayBhdCB0aGUgdGFibGUgaW4gdGhpcyBzZWN0aW9uLCBpdCB3YXNu4oCZdCBjbGVhciB3aGF0 IHRoZSBjdXJyZW50PGJyPg0KZGVmYXVsdCBhbGdvcml0aG0gaXMuPG86cD48L286cD48L3A+DQo8 L2Jsb2NrcXVvdGU+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286 cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5JJ3ZlIGNoYW5nZWQg aXQgYSBsaXR0bGUgYml0IHRvIGluZGljYXRlIHRoaXMgYnkgYWRkaW5nIGEgc2VudGVuY2UgaGVy ZTo8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxv OnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+ Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7Jm5ic3A7ICZuYnNwOyBSU0FTSEEy NTYgaXMgaW4gd2lkZSB1c2UgYW5kIGNvbnNpZGVyZWQgc3Ryb25nLiBJdCBoYXMgYmVlbiB0aGUg ZGVmYXVsdDxicj4NCiZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZuYnNwOyZu YnNwOyZuYnNwOyBhbGdvcml0aG0gZm9yIGEgbnVtYmVyIG9mIHllYXJzIGFuZCBpcyBub3cgc2xv d2x5IGJlaW5nIHJlcGxhY2VkIHdpdGg8YnI+DQombmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgRUNEU0FQMjU2U0hBMjU2IGR1ZSB0byBpdHMgc2hv cnRlciBrZXkgYW5kIHNpZ25hdHVyZSBzaXplLCByZXN1bHRpbmcgaW48YnI+DQombmJzcDsmbmJz cDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsmbmJzcDsgc21hbGxlciBETlMg cGFja2V0cy48bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3Jt YWwiPiZuYnNwOzxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8YmxvY2txdW90ZSBzdHlsZT0iYm9y ZGVyOm5vbmU7Ym9yZGVyLWxlZnQ6c29saWQgI0NDQ0NDQyAxLjBwdDtwYWRkaW5nOjBpbiAwaW4g MGluIDYuMHB0O21hcmdpbi1sZWZ0OjQuOHB0O21hcmdpbi1yaWdodDowaW4iPg0KPHAgY2xhc3M9 Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjoj MUY0OTdEIj5bUm9tYW5dIFRoaXMgaXMgY2xlYXJlci4mbmJzcDsgVGhhbmtzLjxvOnA+PC9vOnA+ PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJmb250LXNpemU6 MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1zZXJpZjtjb2xvcjoj MUY0OTdEIj48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFs Ij48YnI+DQooNykgU2VjdGlvbiAzLjIsIFRoZSBzZW50ZW5jZSDigJxPcGVyYXRpb24gcmVjb21t ZW5kYXRpb24gZm9yIG5ldyBhbmQgZXhpc3Rpbmc8YnI+DQpkZXBsb3ltZW50cy7igJ0gU2VlbXMg dG8gc3RhbmQgYWxvbmUgb3IgaXMgbWlzc2luZyBzb21lIHdvcmRzLiZuYnNwOyBTaG91bGQgaXQg YmU8YnI+DQpzb21ldGhpbmcgYWxvbmcgdGhlIGxpbmVzIG9mIOKAnFRoaXMgc2VjdGlvbiBwcm92 aWRlcyBvcGVyYXRpb25hbCByZWNvbW1lbmRhdGlvbnM8YnI+DQrigKbigJ08bzpwPjwvbzpwPjwv cD4NCjwvYmxvY2txdW90ZT4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNw OzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkkndmUgcmVt b3ZlZCB0aGUgc2VudGVuY2UuPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFz cz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGJsb2NrcXVvdGUg c3R5bGU9ImJvcmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICNDQ0NDQ0MgMS4wcHQ7cGFkZGlu ZzowaW4gMGluIDBpbiA2LjBwdDttYXJnaW4tbGVmdDo0LjhwdDttYXJnaW4tcmlnaHQ6MGluIj4N CjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxicj4NCig4KSBTZWN0aW9uIDMuMiwgVHlwbywgcy9pcyBS RUNPTU1FTkRFRC9pcyB0aGUgUkVDT01NRU5ERUQvPGJyPg0KPGJyPg0KKDkpIFNlY3Rpb24gMy40 LCBFZGl0b3JpYWwsIHMvVGhlIFNIQS0yNTYvU0hBLTI1Ni88bzpwPjwvbzpwPjwvcD4NCjwvYmxv Y2txdW90ZT4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwv cD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPldlcmUgYWxyZWFkeSBmaXhl ZCBpbiAtMDguPG86cD48L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGJsb2NrcXVvdGUgc3R5bGU9ImJv cmRlcjpub25lO2JvcmRlci1sZWZ0OnNvbGlkICNDQ0NDQ0MgMS4wcHQ7cGFkZGluZzowaW4gMGlu IDBpbiA2LjBwdDttYXJnaW4tbGVmdDo0LjhwdDttYXJnaW4tcmlnaHQ6MGluIj4NCjxwIGNsYXNz PSJNc29Ob3JtYWwiPjxicj4NCigxMCkgU2VjdGlvbiA0LCBUeXBvLCBzL3NlY2l0b24vc2VjdGlv bi88bzpwPjwvbzpwPjwvcD4NCjwvYmxvY2txdW90ZT4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9y bWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29O b3JtYWwiPkZpeGVkLjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1z b05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxibG9ja3F1b3RlIHN0eWxl PSJib3JkZXI6bm9uZTtib3JkZXItbGVmdDpzb2xpZCAjQ0NDQ0NDIDEuMHB0O3BhZGRpbmc6MGlu IDBpbiAwaW4gNi4wcHQ7bWFyZ2luLWxlZnQ6NC44cHQ7bWFyZ2luLXJpZ2h0OjBpbiI+DQo8cCBj bGFzcz0iTXNvTm9ybWFsIj4oMTEpIFNlY3Rpb24gNSwgRWRpdG9yaWFsLCBzL2ZvciB0aGUgdXNl IG9mIEROU1NFQy9mb3IgdXNlIGluIEROU1NFQy88bzpwPjwvbzpwPjwvcD4NCjwvYmxvY2txdW90 ZT4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwv ZGl2Pg0KPGRpdj4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPkZpeGVkLjxvOnA+PC9vOnA+PC9wPg0K PC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+ DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj5UaGUgLTA5IHNob3VsZCBhcHBl YXIgc2hvcnRseSB3aXRoIHRoZXNlIGZpeGVzLjxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2 Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImNvbG9yOiMxRjQ5N0QiPjxvOnA+ Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxl PSJmb250LXNpemU6MTEuMHB0O2ZvbnQtZmFtaWx5OiZxdW90O0NhbGlicmkmcXVvdDssc2Fucy1z ZXJpZjtjb2xvcjojMUY0OTdEIj5bUm9tYW5dJm5ic3A7IFRoYW5rcyBzbyBtdWNoIGZvciBjbG9z aW5nIHRoZSBsb29wIG9uIHRoZXNlIGFuZCBtYWtpbmcgdGhlIGNoYW5nZXMuPG86cD48L286cD48 L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9ImZvbnQtc2l6ZTox MS4wcHQ7Zm9udC1mYW1pbHk6JnF1b3Q7Q2FsaWJyaSZxdW90OyxzYW5zLXNlcmlmO2NvbG9yOiMx RjQ5N0QiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxwIGNs YXNzPSJNc29Ob3JtYWwiPlRoYW5rcyE8bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw IGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+UGF1bDxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K PHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+ DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPC9k aXY+DQo8L2Rpdj4NCjwvZGl2Pg0KPC9kaXY+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4NCg== --_000_359EC4B99E040048A7131E0F4E113AFC01B332A50Amarchand_-- From nobody Fri Apr 12 08:05:46 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 224D812062A for ; Fri, 12 Apr 2019 08:05:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nthpermutation-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ElBRKDJRJSrX for ; Fri, 12 Apr 2019 08:05:43 -0700 (PDT) Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97C9A1207F0 for ; Fri, 12 Apr 2019 08:05:43 -0700 (PDT) Received: by mail-qk1-x734.google.com with SMTP id s81so5811343qke.13 for ; Fri, 12 Apr 2019 08:05:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nthpermutation-com.20150623.gappssmtp.com; s=20150623; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=NQVabqgS+v3RS1MqvmBOJizR/nzXPoFXy+a7sGbQqt8=; b=ju08h4SicDV2XuGQQQyTNMq9edmaqmsfRQUwJ/Ep3i7IAboRFCLuM+WfJuXJqpL0Tl L6rQQwe8kvKM+P2GJQAiKgFjClOorMaT/khlTNI2zmCOrg4/owP9z+Bkys7JXbMqH8Pw +/eDhhgxLCGviyEhUZ6Zkkx3JFiSFGY/UdRIlr9Au2TQdaEAMt6om0PpJ5P8HbfBBWoR hBbHMaewUaPjdnx6Ft7WIqIkl7O06hUnfIpi1nLXtSTGyVqRD7DtAyayVQjfUQ1tzanF xLNW+3g3ifx+7pftQO6AxAIFhuE92bnD7KiqGkck5RlkjLfpWQMj0it4omRuQNHbSt/5 iYzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=NQVabqgS+v3RS1MqvmBOJizR/nzXPoFXy+a7sGbQqt8=; b=DfM9kGOuUizvoDbeG+9mjUxWK6bKvDIOd2EUhg/yBOdPzKSnO1k8B5CXhowrji67FP rUTKQ2TtIXH3A80nP84EvJMGpJ2j4y9FFUE2j7SQio1hdNv+msT+Rxghk/XLMY/x0Oyh UlBUEXDQ8qhvk225GCn9iWyYgd05P3F2gXZsgHuqcZ/AMBBRmD6mmZ3O1dsi+g7+sRkC +z+/c+5OUoIMlHQwkUiNqnXmq7oF4ABfunTalRacXacxIUz99vYm9b9tXwJRff+CFRyh 2wwpy5+DXl3jhDNF0Vlg+oyrwde+GDVES4hMLiz62ZQNsuYUnYecYCcJf/WGhH1S345K 9hvg== X-Gm-Message-State: APjAAAVWISv9hXt4KlhDfow7Yg6ciU/PwrygZiUgQ7K6fMVcUz45EKgm mBq5kCZXVo61+9aClZdnNK6CWnJx7Ws= X-Google-Smtp-Source: APXvYqzfs3TH9jXE4y+tMmTz4WvbbHXMFwdr6pbAWqTiZUG88h5Bxg+YDYvUK8OusvU8BiuKYR9Gcg== X-Received: by 2002:a05:620a:108f:: with SMTP id g15mr44155444qkk.61.1555081541562; Fri, 12 Apr 2019 08:05:41 -0700 (PDT) Received: from ?IPv6:2601:152:4400:437c:dd59:ba30:6ab0:588? ([2601:152:4400:437c:dd59:ba30:6ab0:588]) by smtp.gmail.com with ESMTPSA id p6sm30546191qtk.70.2019.04.12.08.05.40 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Apr 2019 08:05:40 -0700 (PDT) To: "dnsop@ietf.org" From: Michael StJohns Message-ID: Date: Fri, 12 Apr 2019 11:05:37 -0400 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Archived-At: Subject: [DNSOP] draft-ietf-dnsop-algorithm-update X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 15:05:45 -0000 Hi - I had someone ask me (last night!!) whether or not the "must sign each RRSet with all of the algorithms in the DNSKEY RRSet" rule applies if the only key with algorithm A in the RRSet has the revoke bit set.  A question I had never previously considered. Given that you can't trace trust through that revoked key, and any RRSig originated by that key is just extraneous bits, I came to three conclusions:  1) A key must not be counted for the purposes of the rule if it has the (RFC5011) revoke bit set, (s) the only RRSigs created by a revoked key are over the DNSKEY RRSet and 3) it's possible/probable that interpretations could differ. I tagged this email with the algorithm update ID/RFC candidate because about the only time you're going to see a revoked singleton key of a given algorithm is when you're transitioning the algorithms for the zone. I hesitate to ask - and apologize for asking given the late date for this document, but should the statements (1) and (2) above or something similar be included in this document for completeness? Alternatively, what breaks if publishers omit the extraneous signatures just because? Later, Mike From nobody Fri Apr 12 08:31:29 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58A2A12081C for ; Fri, 12 Apr 2019 08:31:27 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.9 X-Spam-Level: X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KRVRh5At6T9d for ; Fri, 12 Apr 2019 08:31:21 -0700 (PDT) Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E48812080E for ; Fri, 12 Apr 2019 08:31:13 -0700 (PDT) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id E1B433AB066; Fri, 12 Apr 2019 15:31:12 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id CF1AD16003E; Fri, 12 Apr 2019 15:31:12 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id A3E3616005C; Fri, 12 Apr 2019 15:31:12 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id j4Ro-NvPTpwC; Fri, 12 Apr 2019 15:31:12 +0000 (UTC) Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 013A516003E; Fri, 12 Apr 2019 15:31:11 +0000 (UTC) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) From: Mark Andrews In-Reply-To: Date: Sat, 13 Apr 2019 01:31:09 +1000 Cc: "dnsop@ietf.org" Content-Transfer-Encoding: quoted-printable Message-Id: <4CD31719-BC63-4038-9FD0-580B4C04BB64@isc.org> References: To: Michael StJohns X-Mailer: Apple Mail (2.3445.9.1) Archived-At: Subject: Re: [DNSOP] draft-ietf-dnsop-algorithm-update X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 15:31:27 -0000 Well given that the actual rule is all the algorithms listed in the DS = RRset rather than DNSKEY RRset and is designed to ensure that there is always = a signature present for each of the algorithms that could be used be used to declare = that the child zone is treated as secure, the answer is NO. Mark > On 13 Apr 2019, at 1:05 am, Michael StJohns = wrote: >=20 > Hi - >=20 > I had someone ask me (last night!!) whether or not the "must sign each = RRSet with all of the algorithms in the DNSKEY RRSet" rule applies if = the only key with algorithm A in the RRSet has the revoke bit set. A = question I had never previously considered. >=20 > Given that you can't trace trust through that revoked key, and any = RRSig originated by that key is just extraneous bits, I came to three = conclusions: 1) A key must not be counted for the purposes of the rule = if it has the (RFC5011) revoke bit set, (s) the only RRSigs created by a = revoked key are over the DNSKEY RRSet and 3) it's possible/probable that = interpretations could differ. >=20 > I tagged this email with the algorithm update ID/RFC candidate because = about the only time you're going to see a revoked singleton key of a = given algorithm is when you're transitioning the algorithms for the = zone. >=20 > I hesitate to ask - and apologize for asking given the late date for = this document, but should the statements (1) and (2) above or something = similar be included in this document for completeness? >=20 > Alternatively, what breaks if publishers omit the extraneous = signatures just because? >=20 > Later, Mike >=20 >=20 >=20 > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop --=20 Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From nobody Fri Apr 12 08:47:50 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9D0312086B for ; Fri, 12 Apr 2019 08:47:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.301 X-Spam-Level: X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXwFWn6rOiDc for ; Fri, 12 Apr 2019 08:47:42 -0700 (PDT) Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0597012085D for ; Fri, 12 Apr 2019 08:47:41 -0700 (PDT) Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3CFiVnR092198; Fri, 12 Apr 2019 15:47:40 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type; s=corp-2018-07-02; bh=FAPtnJ2U34tLWi8KALLnMG4XrV5Kfn/vDaUAww2ezZI=; b=kveQOsXrenDuMGFuRxQkYiB6uoV6mZLjmCKm34Es604HwY0WM94yZ6gElR3LKwNPo06B aOadf7M769SA5FZA3kAOBKCo3mWqBz+gyEUX0nGyERlLDwivMvCAi6EteO7uH5yoPdn3 T/YXbv7DgYQSdDd5ml3AFOBPmWpzDpKr3f6O0oALq0puXGm0/RbqM+2Ttpr5iNF3YfkK b5acXjBmXfaKGRyuoryCgS97SehMp04NuW1cRjm6PY4GvREXJoImizju3f2+19QDfAuP FnzfIUpKIRZnM4bh7hztCqtCoUDT/PAIMxOqHJO9OStrQCI9avQLj/DuphvcF464rSDi kw== Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by userp2120.oracle.com with ESMTP id 2rpmrqq775-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 12 Apr 2019 15:47:39 +0000 Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3CFjjiD043812; Fri, 12 Apr 2019 15:47:38 GMT Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserp3020.oracle.com with ESMTP id 2rpytdcmuc-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 12 Apr 2019 15:47:38 +0000 Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x3CFlXeQ020037; Fri, 12 Apr 2019 15:47:36 GMT Received: from [192.168.1.213] (/67.189.230.160) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 12 Apr 2019 08:47:33 -0700 To: Matthew Pounsett Cc: Bob Harold , dnsop References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> <516fda75-bb6e-67c6-cd52-0a5017bc889f@oracle.com> From: Richard Gibson Message-ID: <734743c3-6603-3d93-de58-e6cf347c783f@oracle.com> Date: Fri, 12 Apr 2019 11:47:31 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------F9871F5950EA0B24457E54F3" Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9224 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904120104 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9224 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904120104 Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 15:47:50 -0000 This is a multi-part message in MIME format. --------------F9871F5950EA0B24457E54F3 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit On 4/11/19 23:45, Matthew Pounsett wrote: > On Thu, 11 Apr 2019 at 20:02, Richard Gibson > wrote: >> The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself. > [snip] > >> But this suffers from both of the problems I have been complaining about—the resolver does not necessarily have the zone SOA, possibility necessitating an inline lookup, and per RFC 2308 the negative response will be cached according to values from the SOA that are unrelated to and far exceed the TTL of the ANAME. > Ah, I see the confusion. You're using definitive statements such as > "will" when what you actually mean is "may." There's no specific > mechanism that causes the client to cache the negative response "for > one to three orders of magnitude greater than the TTL of the ANAME." > And, the TTL of the SOA doesn't necessarily "far exceed" the TTL of > the ANAME. You're just presupposing that will be a common > configuration? I am indeed claiming that will be a common configuration, and I have access to data supporting that claim from existing use of Oracle+Dyn ALIAS functionality. Also, please note that those "will" statements are properly understood in the context of the examples they are describing. > I think we're still talking about misconfigurations here, and > designing a protocol around people who misconfigure their DNS at the > expense of people who configure it properly seems like a bad path to > take. You're pretty much making my point... it is a bad path to design a protocol around people who misconfigure their [ANAME-targeted] DNS at the expense of people who configure [ANAMEs with static sibling records] properly. >> Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway—if anyone can think of a scenario where it would be beneficial to dynamically remove ANAME siblings, please share it. > Yes, I can think of a case where it would be beneficial to remove > ANAME siblings: when the target of the ANAME is removed from the DNS. That would take the ANAME-owning domain offline, rather than supporting it with its static A and/or AAAA records. How exactly is that beneficial? >> In such a configuration, the owner of the ANAME will be able to see that clients are using its static sibling records rather than its target (and therefore that they are getting no benefit from the ANAME), and can react accordingly. If your concern is excess queries for the ANAME target, then this seems no different from e.g. CNAME—the owner of the target can issue long-lived negative responses while performing whatever other exploration and/or mitigation they deem fit. > If the target of the ANAME disappears, the owner of the ANAME will > similarly be able to recognize the problem and deal with it. If the > administrator of the name owning the ANAME is concerned about downtime > due to misconfigurations by the target, then that administrator can > either select a different target (presumably by selecting a different > service provider) It seems awfully insensitive to bake into a protocol an unnecessary requirement of its users for all-or-nothing commitment to external service providers. > or set their TTLs appropriately to not be subject to > the potential issue you identified above. At the unnecessary expense of reducing cache lifetime (and therefore undesired traffic) for /all/ negative responses, rather than just those associated with the ANAME. > However, if the spec requires preserving the target in the DNS despite > the administrator of the target zone removing it, then that is a path > for abuse by the administrator of the zone containing the ANAME, and > the owner of the target will have no recourse. This is what I meant > by my reference to serve-stale. The spec requires nothing like "preserving the target in the DNS", with or without my proposed changes. The abuse path you mention is already present with CNAME, and mitigable by owners of ANAME targets in exactly the same way—increase negative caching TTL (and unlike the above, this is a scenario where it /would/ make sense to increase it broadly rather than for specific RRSets). --------------F9871F5950EA0B24457E54F3 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit


On 4/11/19 23:45, Matthew Pounsett wrote:
On Thu, 11 Apr 2019 at 20:02, Richard Gibson
<richard.j.gibson@oracle.com> wrote:

The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself.

[snip]


But this suffers from both of the problems I have been complaining about—the resolver does not necessarily have the zone SOA, possibility necessitating an inline lookup, and per RFC 2308 the negative response will be cached according to values from the SOA that are unrelated to and far exceed the TTL of the ANAME.

Ah, I see the confusion.  You're using definitive statements such as
"will" when what you actually mean is "may."   There's no specific
mechanism that causes the client to cache the negative response "for
one to three orders of magnitude greater than the TTL of the ANAME."
And, the TTL of the SOA doesn't necessarily "far exceed" the TTL of
the ANAME.  You're just presupposing that will be a common
configuration?
I am indeed claiming that will be a common configuration, and I have access to data supporting that claim from existing use of Oracle+Dyn ALIAS functionality. Also, please note that those "will" statements are properly understood in the context of the examples they are describing.
I think we're still talking about misconfigurations here, and
designing a protocol around people who misconfigure their DNS at the
expense of people who configure it properly seems like a bad path to
take.
You're pretty much making my point... it is a bad path to design a protocol around people who misconfigure their [ANAME-targeted] DNS at the expense of people who configure [ANAMEs with static sibling records] properly. 
Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway—if anyone can think of a scenario where it would be beneficial to dynamically remove ANAME siblings, please share it.

Yes, I can think of a case where it would be beneficial to remove
ANAME siblings: when the target of the ANAME is removed from the DNS.
That would take the ANAME-owning domain offline, rather than supporting it with its static A and/or AAAA records. How exactly is that beneficial? 
In such a configuration, the owner of the ANAME will be able to see that clients are using its static sibling records rather than its target (and therefore that they are getting no benefit from the ANAME), and can react accordingly. If your concern is excess queries for the ANAME target, then this seems no different from e.g. CNAME—the owner of the target can issue long-lived negative responses while performing whatever other exploration and/or mitigation they deem fit.

If the target of the ANAME disappears, the owner of the ANAME will
similarly be able to recognize the problem and deal with it.  If the
administrator of the name owning the ANAME is concerned about downtime
due to misconfigurations by the target, then that administrator can
either select a different target (presumably by selecting a different
service provider)
It seems awfully insensitive to bake into a protocol an unnecessary requirement of its users for all-or-nothing commitment to external service providers.
or set their TTLs appropriately to not be subject to
the potential issue you identified above.
At the unnecessary expense of reducing cache lifetime (and therefore undesired traffic) for all negative responses, rather than just those associated with the ANAME.
However, if the spec requires preserving the target in the DNS despite
the administrator of the target zone removing it, then that is a path
for abuse by the administrator of the zone containing the ANAME, and
the owner of the target will have no recourse.  This is what I meant
by my reference to serve-stale.
The spec requires nothing like "preserving the target in the DNS", with or without my proposed changes. The abuse path you mention is already present with CNAME, and mitigable by owners of ANAME targets in exactly the same way—increase negative caching TTL (and unlike the above, this is a scenario where it would make sense to increase it broadly rather than for specific RRSets).
--------------F9871F5950EA0B24457E54F3-- From nobody Fri Apr 12 10:37:15 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49D1012079C for ; Fri, 12 Apr 2019 10:37:11 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hopcount.ca Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K7j3XS91t66W for ; Fri, 12 Apr 2019 10:37:09 -0700 (PDT) Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62CC5120776 for ; Fri, 12 Apr 2019 10:37:09 -0700 (PDT) Received: by mail-io1-xd2f.google.com with SMTP id n11so9198265ioh.1 for ; Fri, 12 Apr 2019 10:37:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hopcount.ca; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=WU416Lpk2ymznpxAFKq/sF0ZNTLGn6JEg597jrqlRew=; b=StDa2mNjzYpMdfM3dz5O52H/wA9Zqj1wD42T7TvuXi2OcwUQ0R8zg6GL4ypKzhR+av 2+6pwKJv904mkqeH6svueo7w0/Y5RG/uM1LBIl+xVWiwmdrqdF5rjCmeubXSvelhRJzn HAai27ZNSDiG3U8G/5/P0Dnp5us8ZWmBswJUU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=WU416Lpk2ymznpxAFKq/sF0ZNTLGn6JEg597jrqlRew=; b=K75wqwRHRZ6XGJQJMbDh0wI3EY9bXCrX6tJnDx2Nxp14kYKaVo2L/UzRypCmRxOPvR i0PvMT0yigXr8KMs7VgSRibqCHFqWZfTG7ewqSkEKqyGhR7cOY+hfAwHG4N4l/Uo4uuA AGFoB9Jw5i11F4Uz3EoahsC6X//70u5Rfz4gjbPpEkJ7gZbFcSK8evQuT57xjiRC55oV oTe21SbsnTr9mE5bl2zIsWamGaRbn439sgNeDUX0LPWEZKtjoAAS9sy12ENXGJprPBL6 agX37mrMcjcShPBr2H2VfZxCc3jprLHNV07gB/qdRs98jpejwAbS6ZL3Jlv9VJAwnwK2 cY6w== X-Gm-Message-State: APjAAAWaFM4nA8pjfFFLb3Lu3FNXnkCliJYdlql0lPbMfGEM9WLfWw+i w6AFwudSt5Jl0h27KtSDYXs95A== X-Google-Smtp-Source: APXvYqxGvX0SbWtXr4EmeLdHwCuNBCN1YW3h90A2Q74WbeaJXuEVM+wG30FYk3q0hLFBa7F/0mgFew== X-Received: by 2002:a5e:950f:: with SMTP id r15mr25201351ioj.88.1555090628538; Fri, 12 Apr 2019 10:37:08 -0700 (PDT) Received: from ?IPv6:2607:f2c0:e786:128f:935:27fd:af60:bcbb? ([2607:f2c0:e786:128f:935:27fd:af60:bcbb]) by smtp.gmail.com with ESMTPSA id f126sm4108932ita.31.2019.04.12.10.37.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Apr 2019 10:37:06 -0700 (PDT) From: Joe Abley Message-Id: <374C38F3-AC65-42D8-9250-3EC591DD4F95@hopcount.ca> Content-Type: multipart/signed; boundary="Apple-Mail=_4B0E1A2B-4D66-474C-86BA-D46A549BA2AF"; protocol="application/pgp-signature"; micalg=pgp-sha1 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\)) Date: Fri, 12 Apr 2019 13:37:04 -0400 In-Reply-To: Cc: Richard Gibson , Bob Harold , dnsop To: Matthew Pounsett References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> <516fda75-bb6e-67c6-cd52-0a5017bc889f@oracle.com> X-Mailer: Apple Mail (2.3445.104.8) Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 17:37:11 -0000 --Apple-Mail=_4B0E1A2B-4D66-474C-86BA-D46A549BA2AF Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 On 11 Apr 2019, at 23:45, Matthew Pounsett wrote: > On Thu, 11 Apr 2019 at 20:02, Richard Gibson > wrote: >>=20 >> The first problem is for the owner of the ANAME-containing zone, for = whom the upstream misconfiguration will result in downtime and be = extended by caching to the MINIMUM value from their SOA, which in many = cases will be one to three orders of magnitude greater than the TTL of = the ANAME itself. >=20 > [snip] >=20 >> But this suffers from both of the problems I have been complaining = about=E2=80=94the resolver does not necessarily have the zone SOA, = possibility necessitating an inline lookup, and per RFC 2308 the = negative response will be cached according to values from the SOA that = are unrelated to and far exceed the TTL of the ANAME. >=20 > Ah, I see the confusion. You're using definitive statements such as > "will" when what you actually mean is "may." There's no specific > mechanism that causes the client to cache the negative response "for > one to three orders of magnitude greater than the TTL of the ANAME." > And, the TTL of the SOA doesn't necessarily "far exceed" the TTL of > the ANAME. You're just presupposing that will be a common > configuration? You can't tell how long to cache a negative answer for unless you know = data from closest-enclosing SOA RRSet (the RRSet TTL and the SOA.MINIMUM = field). In this case potentially there are two SOA RRSets to consider, = the one enclosing the ANAME and the one enclosing the ANAME target, and = there's the additional complication that the ANAME RR also has a TTL. I don't see text in the working draft (the one on github) that makes the = expected behaviour clear in the case that Richard outlined. I think it = makes sense to specify this carefully, otherwise there is a risk of = negative answers being cached for longer than expected, which might be = especially bad in the case (perhaps the expected use case) where = availability and deterministic cache behaviour are kind of important. I have not been following this closely enough, quite possibly. Joe --Apple-Mail=_4B0E1A2B-4D66-474C-86BA-D46A549BA2AF Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- iF0EARECAB0WIQSAt40QkiztAcvphdg0jwy9hlI6LAUCXLDMwAAKCRA0jwy9hlI6 LMbkAJ96b+TRhYpe0AWkHtTiOeJRAHv9ywCgtTcDkaxMqGrYXGsk53U+XTtJpew= =KKr6 -----END PGP SIGNATURE----- --Apple-Mail=_4B0E1A2B-4D66-474C-86BA-D46A549BA2AF-- From nobody Fri Apr 12 11:46:13 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D8D3120486 for ; Fri, 12 Apr 2019 11:46:12 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.302 X-Spam-Level: X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XxvS6pWe3WUl for ; Fri, 12 Apr 2019 11:46:10 -0700 (PDT) Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97EA8120817 for ; Fri, 12 Apr 2019 11:46:10 -0700 (PDT) Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3CIhbAY042146; Fri, 12 Apr 2019 18:46:09 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : from : to : cc : references : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=/W4X6aqFlYBfWquEH5dYmHinYQNKiBBbrkEJ5LsfqA0=; b=jwvTB6LCv5aD8Ys/PoyLRl0tfxXz8mLxznAdKW7dDzAOxhSQMMaRT9GZxAwGHQSdMuPN 9/SLeifZW1ppormpHayuncyNnZVMMfqq2AmjkNAJsaW/8zUsEA7Uie22BiGsnNYAkRJA Sby07oupKlvCO+sXvaRKQD1cQbRNUCmDAm5N4HoFgPr6bJDE3JNy43v5pswuFOqig0rl nF0gw6n2acNLldFe5tPYFljev18FPkOif7gEi05LQI0cXU9NtuSSre56ijTK4CVszWg2 HgH32DhAp9lQvhGkUEND2mBvmYrOTulJvslWRRFyGZhM1L8EZeDrRNqYuZVfgf7qdETk 1Q== Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by userp2120.oracle.com with ESMTP id 2rpmrqr033-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 12 Apr 2019 18:46:08 +0000 Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3CIk1ng000946; Fri, 12 Apr 2019 18:46:08 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userp3020.oracle.com with ESMTP id 2rtyj2rm2t-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 12 Apr 2019 18:46:08 +0000 Received: from abhmp0020.oracle.com (abhmp0020.oracle.com [141.146.116.26]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x3CIk2MZ006016; Fri, 12 Apr 2019 18:46:06 GMT Received: from [192.168.1.213] (/67.189.230.160) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 12 Apr 2019 11:46:02 -0700 From: Richard Gibson To: Matthew Pounsett Cc: Bob Harold , dnsop References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> <516fda75-bb6e-67c6-cd52-0a5017bc889f@oracle.com> <734743c3-6603-3d93-de58-e6cf347c783f@oracle.com> Message-ID: <913d85b5-89eb-7465-88cd-a5865e4bb8c0@oracle.com> Date: Fri, 12 Apr 2019 14:46:00 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <734743c3-6603-3d93-de58-e6cf347c783f@oracle.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9224 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904120126 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9224 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904120126 Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 18:46:12 -0000 In further support of preserving sibling records when target chasing comes back negative, I'd like to further explore my offhand mention of "A and/or AAAA records". For a domain owner wanting to use a currently IPv4-only service provider (names withheld) while still supporting IPv6, the logical approach would be configuring an ANAME record with one or more AAAA siblings. But that won't work if the AAAA NODATA response from chasing the ANAME target is allowed to override those siblings with nothing. This seems to force a needless choice between abandoning the provider or abandoning IPv6. From nobody Fri Apr 12 11:52:15 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48EA31205EE for ; Fri, 12 Apr 2019 11:52:13 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.302 X-Spam-Level: X-Spam-Status: No, score=-4.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pMx_yK-GjfGO for ; Fri, 12 Apr 2019 11:52:11 -0700 (PDT) Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CB9C120811 for ; Fri, 12 Apr 2019 11:52:11 -0700 (PDT) Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3CIi4F8031583; Fri, 12 Apr 2019 18:52:09 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=5O48PfstWRi3jhgy7nGoNKbUypaLRidzYuZyQKdxTok=; b=dTwEgm+lx/RuXdHAWS90YbDeiXM5QbQkIqcolihPz0S0GsJKOS7qOMU9JwwJ/5Ig4Q8q 9wxG1RxUKzix3z8Sur23wsHWOUnrjRa+SUC/YXD9VGLAPkJPFSbbY8FM8k+kUyxxadGg cmTQTXVPj8zPMkJ7FLAdaai+bbFQi+yXc6Tlo9jb2cZpmVkD0n99k5hdC1yWWL/rL1pm Yqra/uT8azMsEK4hXi9pMBLCEEhkPZgf9J5pq+SjLE5tOhmWCBTUvpKsXUc7/XggYUvo INCbGLUDT9W2Guo2t6fvUc1UsCH92CrcOzOK6NoS6MJG5sNCPn499y/4Ryt2l1+2EAkA Rg== Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by userp2130.oracle.com with ESMTP id 2rpkhtg2s9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 12 Apr 2019 18:52:08 +0000 Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3CIq2ho015987; Fri, 12 Apr 2019 18:52:08 GMT Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userp3020.oracle.com with ESMTP id 2rtyj2rq0n-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 12 Apr 2019 18:52:08 +0000 Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x3CIq2su032620; Fri, 12 Apr 2019 18:52:02 GMT Received: from [192.168.1.213] (/67.189.230.160) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 12 Apr 2019 11:52:02 -0700 To: Matthijs Mekking , dnsop@ietf.org References: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com> <317dae7d-7f8c-b724-0a00-06a6d318138b@pletterpet.nl> From: Richard Gibson Message-ID: <4b48b638-0ffa-1ab2-7615-4b429040b0c0@oracle.com> Date: Fri, 12 Apr 2019 14:52:00 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <317dae7d-7f8c-b724-0a00-06a6d318138b@pletterpet.nl> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-US X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9224 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904120126 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9224 signatures=668685 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904120126 Archived-At: Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing? X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 18:52:13 -0000 On 4/12/19 07:34, Matthijs Mekking wrote: > I think the logic suggested for ANAME is given this example: > > 1. Have ANAME and A and AAAA sibling address records. > 2. Look up ANAME target A and AAAA target records. > 3. If there is no positive answer (SERVFAIL, NXDOMAIN, NODATA) keep > sibling address records. > 4. Otherwise replace sibling address records with ANAME target records. > > This is different than NS1, that will never replace sibling address > records. Instead, if there is no sibling address record, it will > perform ANAME resolution. If that response is a SERVFAIL, NXDOMAIN or > NODATA, that is what will be given to the client (although returning > SERVFAIL won't be a thing in the ANAME specification). > > In order to fit both use cases I think we need to relax the steps in the > ANAME resolution logic, but am hesitant to do that: If you make steps > optional it will be unclear what the optional resolver's behavior is > going to do. I would very much like to see an agreement on the ANAME > resolution logic, especially so that customers can have multiple > providers or switch providers and can expect the same thing in both places. The strategy of never replacing siblings seems ill-advised to me, but not really harmful because it's functionally equivalent to being ANAME-ignorant and therefore matches the behavior of all resolvers and nearly all authoritative servers currently on the Internet, and also the behavior of future resolverless ANAME-aware authoritative servers. From nobody Fri Apr 12 13:00:57 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80F911205FB for ; Fri, 12 Apr 2019 13:00:55 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 690V_-Q8Xg4u for ; Fri, 12 Apr 2019 13:00:53 -0700 (PDT) Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E833C1203CE for ; Fri, 12 Apr 2019 13:00:52 -0700 (PDT) Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 12 Apr 2019 13:00:51 -0700 Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Fri, 12 Apr 2019 13:00:51 -0700 From: Edward Lewis To: Mark Andrews , Michael StJohns CC: "dnsop@ietf.org" Thread-Topic: [Ext] Re: [DNSOP] draft-ietf-dnsop-algorithm-update Thread-Index: AQHU8UTRxZug6BErp06kJNMi5c3Ij6Y5JJqA Date: Fri, 12 Apr 2019 20:00:50 +0000 Message-ID: References: <4CD31719-BC63-4038-9FD0-580B4C04BB64@isc.org> In-Reply-To: <4CD31719-BC63-4038-9FD0-580B4C04BB64@isc.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/10.16.0.190211 x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [192.0.47.234] Content-Type: text/plain; charset="utf-8" Content-ID: Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: Subject: Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-update X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Apr 2019 20:00:56 -0000 SSd2ZSBiZWVuIGluYWN0aXZlIGEgbG9uZyB0aW1lLCBidXQgc29tZW9uZSBhbGVydGVkIG1lIHRv IHRoaXMgbWVzc2FnZS4NCihBcG9sb2dpZXMgd2hhdCBiZWxvdyBsb29rcyBsaWtlIGl0J3MgZnJv bSBhIHJhbnRpbmcgbHVuYXRpYy4gIEJ1dCBpdCBpcy4pDQoNCu+7v09uIDQvMTIvMTksIDExOjMx LCAiRE5TT1Agb24gYmVoYWxmIG9mIE1hcmsgQW5kcmV3cyIgPGRuc29wLWJvdW5jZXNAaWV0Zi5v cmcgb24gYmVoYWxmIG9mIG1hcmthQGlzYy5vcmc+IHdyb3RlOg0KDQogICAgV2VsbCBnaXZlbiB0 aGF0IHRoZSBhY3R1YWwgcnVsZSBpcyBhbGwgdGhlIGFsZ29yaXRobXMgbGlzdGVkIGluIHRoZSBE UyBSUnNldA0KICAgIHJhdGhlciB0aGFuIEROU0tFWSBSUnNldCBhbmQgaXMgZGVzaWduZWQgdG8g ZW5zdXJlIHRoYXQgdGhlcmUgaXMgYWx3YXlzIGENCiAgICBzaWduYXR1cmUgcHJlc2VudCBmb3Ig ZWFjaCBvZiB0aGUgYWxnb3JpdGhtcyB0aGF0IGNvdWxkIGJlIHVzZWQgYmUgdXNlZCB0bw0KICAg IGRlY2xhcmUgdGhhdCB0aGUgY2hpbGQgem9uZSBpcyB0cmVhdGVkIGFzIHNlY3VyZSwgdGhlIGFu c3dlciBpcyBOTy4NCiAgICANCiAgICBNYXJrDQogICAgDQpMb29raW5nIGF0ICJQcm90b2NvbCBN b2RpZmljYXRpb25zIGZvciB0aGUgRE5TIFNlY3VyaXR5IEV4dGVuc2lvbnMiIChha2EgUkZDIDQw MzUpOg0KLi4uDQoyLiAgWm9uZSBTaWduaW5nDQouLi4NCjIuMi4gIEluY2x1ZGluZyBSUlNJRyBS UnMgaW4gYSBab25lDQouLi4NCiAgIFRoZXJlIE1VU1QgYmUgYW4gUlJTSUcgZm9yIGVhY2ggUlJz ZXQgdXNpbmcgYXQgbGVhc3Qgb25lIEROU0tFWSBvZg0KICAgZWFjaCBhbGdvcml0aG0gaW4gdGhl IHpvbmUgYXBleCBETlNLRVkgUlJzZXQuICBUaGUgYXBleCBETlNLRVkgUlJzZXQNCiAgIGl0c2Vs ZiBNVVNUIGJlIHNpZ25lZCBieSBlYWNoIGFsZ29yaXRobSBhcHBlYXJpbmcgaW4gdGhlIERTIFJS c2V0DQogICBsb2NhdGVkIGF0IHRoZSBkZWxlZ2F0aW5nIHBhcmVudCAoaWYgYW55KS4NCg0KRnJv bSB0aGlzIEkgYmVsaWV2ZSBNYXJrJ3Mgd29yZHMgYXJlIGluY29ycmVjdC4gIFdoYXQgSSByZWFk IGlzIHRoYXQgdGhlIGRldGVybWluaW5nIGZhY3RvciBpcyB3aGF0IGlzIGluIGEgem9uZSdzIERO U0tFWSByZXNvdXJjZSByZWNvcmQgc2V0IGFuZCB0aGF0IHRoZSBzZXQgbXVzdCBiZSBzaWduZWQg YnkgYSBrZXkgb2YgZWFjaCBvZiB0aGUgYWxnb3JpdGhtcyBpbiB0aGUgRFMgc2V0LiAgVGhpcyBh bGxvd3MgdGhlIGNoaWxkIGFkbWluaXN0cmF0b3IgdG8gaGF2ZSBETlNLRVkgcmVjb3JkcyBmb3Ig RE5TU0VDIHNlY3VyaXR5IGFsZ29yaXRobXMgb3RoZXIgdGhhbiB0aG9zZSByZXByZXNlbnRlZCBp biB0aGUgcGFyZW50J3MgRFMgcmVzb3VyY2UgcmVjb3JkIHNldCBhbmQgZG9lcyBhY2NvbW1vZGF0 ZSBvdGhlciBzaWduYXR1cmVzIGNvdmVyaW5nIHRoZSBETlNLRVkgcmVjb3JkIHNldC4NCg0KSGlz dG9yaWNhbGx5IHRoZXJlJ3MgYmVlbiBncmVhdCBjb25mdXNpb24gb3ZlciB0aGlzIHBhc3NhZ2Us IHBhcnRseSBiZWNhdXNlIHRoZSBjb250ZXh0IGlzIHVzdWFsbHkgbWlzc2VkLiAgVGhpcyBydWxl IGdvdmVybnMgdGhlIGFjdGlvbnMgb2Ygc2lnbmluZyBhbmQgc2VydmluZyBhIHpvbmUsIG5vdCB2 YWxpZGF0aW5nIGEgem9uZS4gIFRoZSBwdXJwb3NlIG9mIHRoZSBydWxlIGlzIHRvIGFsbG93IGEg dmFsaWRhdG9yIHRvICJrbm93IiBkZXRlcm1pbmlzdGljYWxseSB3aGF0IHNpZ25hdHVyZXMgb3Vn aHQgdG8gYmUgcHJlc2VudCBmb3IgZGF0YS4gIFRoaXMgaXMgbmVlZGVkIHRvIG1pdGlnYXRlIGEg ZG93bmdyYWRlIGF0dGFjayBlbmFjdGVkIGJ5IHNpbXBseSBmaWx0ZXJpbmcgc2lnbmF0dXJlIHJl Y29yZHMuICBUaGUgdmFsaWRhdG9yIG5lZWQgbm90IGNoZWNrIHRvIG1ha2Ugc3VyZSBhbGwgInJl cXVpcmVkIiBzaWduYXR1cmVzIGFyZSBhdmFpbGFibGUsIGl0IHNob3VsZCBiZSBjb250ZW50IHdp dGggYW55dGhpbmcgdGhhdCB3b3Jrcy4gIEkuZS4sIGJlIGFnZ3Jlc3NpdmUgaW4gZGVjbGFyaW5n IHN1Y2Nlc3MgaW4gdGhlIHZhbGlkYXRpb24gcHJvY2VzcyB0byBjb21iYXQgdGhlIGJyaXR0bGVu ZXNzIGludHJvZHVjZWQgYnkgRE5TU0VDLiAgKFRoaXMgaXMgaW50ZW50aW9uYWwsIG5vdCBhbiBh ZnRlcnRob3VnaHQuKQ0KDQpJbWFnaW5lIG9uZSBpcyBkZXNjZW5kaW5nIHRoZSB0cmVlLCBhbmQg ZGV0ZXJtaW5lcyB0aGF0IHRoZSBwYXJlbnQncyB6b25lIGRhdGEgaXMgc2lnbmVkIGJ5IEROU1NF Qy4gIFRha2luZyB0aGUgbmV4dCBzdGVwIGRvd253YXJkIHRvd2FyZCB0aGUgZGVzaXJlZCBkYXRh LCB0aGUgRFMgcmVzb3VyY2UgcmVjb3JkIHNldCBpbmRpY2F0ZXMgaG93IHRoZSBjaGlsZCBpcyBz ZWN1cmVkLiAgUHJvdmVuIGFic2VuY2Ugb2YgYSBEUyByZXNvdXJjZSByZWNvcmQgc2V0IG1lYW5z IHRoZSBwYXJlbnQgY29uc2lkZXJzIHRoZSBjaGlsZCBpcyB1bnNpZ25lZCAod2hldGhlciB0aGUg Y2hpbGQgaXMgb3Igbm90KS4NCg0KT25lIG91Z2h0IHRvIGltYWdpbmUgdGhhdCB3aGVuIHRoZXNl IHJ1bGVzIHdlcmUgd3JpdHRlbiwgaXQgd2FzIGFzc3VtZWQgdmFsaWRhdG9ycyB0YWtpbmcgdGhl c2Ugc3RlcHMgbWlnaHQgbm90ICJrbm93IiBhbGwgb2YgdGhlIEROU1NFQyBzZWN1cml0eSBhbGdv cml0aG1zLiAgSS5lLiwgYSB2YWxpZGF0b3IgbWlnaHQga25vdyAnOCcgYnV0IG5vdCAnMTMnLiAg SWYgYSBwYXJlbnQgdXNlZCAnOCcgdG8gc2lnbiwgYW5kIHRoZSBEUyByZXNvdXJjZSByZWNvcmQg c2V0IGluZGljYXRlZCB0aGF0IG9ubHkgJzEzJyB3YXMgdXNlZCBieSB0aGUgY2hpbGQgKHRoZSBE UyByZXNvdXJjZSByZWNvcmQgc2V0IGl0c2VsZiBzaWduZWQgYnkgJzgnKSwgdGhlbiB0aGUgdmFs aWRhdG9yIHdvdWxkIHRyZWF0IHRoZSBjaGlsZCBhcyB1bnNpZ25lZC4gIEJ1dCBpZiB0aGVyZSB3 ZXJlIGFuICc4JyBpbiB0aGVyZSwgdGhlbiB0aGUgY2hpbGQncyBETlNLRVkgc2V0IHdvdWxkIGhh dmUgdG8gYmUgc2lnbmVkIHdpdGggJzgnIHNvIHRoZSBjaGFpbiB3b3VsZCBjb250aW51ZS4NCg0K SXQncyBwb3NzaWJsZSB0aGF0IGEgY2hpbGQgbWF5IGhhdmUgRE5TS0VZIHJlc291cmNlIHJlY29y ZHMgZm9yIEROU1NFQyBzZWN1cml0eSBhbGdvcml0aG1zIG5vdCBzdXBwb3J0ZWQgYnkgdGhlIHBh cmVudCBvcGVyYXRvci4gIEEgY2hpbGQgb3BlcmF0b3IgbWF5IGhhdmUgYXJyYW5nZWQgdG8gaGF2 ZSB0cnVzdCBhbmNob3JzIGluIGFsbCByZWx5aW5nIHZhbGlkYXRvcnMgb3V0IG9mIGJhbmQgdG8g bWFrZSB0aGlzICJzdGlsbCB3b3JrLiIgIFRoaXMgaXMgdGhlIHJlYXNvbiB0aGUgZGV0ZXJtaW5h dGlvbiBpcyBmcm9tIHRoZSB6b25lJ3MgYXBleCBETlNLRVkgcmVzb3VyY2UgcmVjb3JkIHNldCBh bmQgbm90IHRoZSBwYXJlbnQncyBEUyByZXNvdXJjZSByZWNvcmQgc2V0Lg0KDQpSZW1lbWJlciBh IGNoaWxkIGlzICJkZWxlZ2F0ZWQiIHJlc3BvbnNpYmlsaXR5IGZvciBhIGRvbWFpbi4gIFRoZSBw YXJlbnQgb25seSAiZ2l2ZXMgaXQgbGlmZSIuICBXaGF0IGEgY2hpbGQgem9uZSBzYXlzIGFib3V0 IGl0c2VsZiBydWxlcywgbG9jYWwgcG9saWN5IGFuZCBhbGwgdGhhdC4gIEEgY2hpbGQgbWF5IGJl IHVuZGVyIGEgbm9uLUROU1NFQyBwYXJlbnQgYW5kIHN0aWxsIHByYWN0aWNlIEROU1NFQyB3aXRo IHRoZSB2YWxpZGF0b3JzIGl0IGhhcyBvdXQtb2YtYmFuZCBjb250YWN0IHdpdGguDQoNCiAgICA+ IE9uIDEzIEFwciAyMDE5LCBhdCAxOjA1IGFtLCBNaWNoYWVsIFN0Sm9obnMgPG1zakBudGhwZXJt dXRhdGlvbi5jb20+IHdyb3RlOg0KICAgID4gDQogICAgPiBIaSAtDQogICAgPiANCiAgICA+IEkg aGFkIHNvbWVvbmUgYXNrIG1lIChsYXN0IG5pZ2h0ISEpIHdoZXRoZXIgb3Igbm90IHRoZSAibXVz dCBzaWduIGVhY2ggUlJTZXQgd2l0aCBhbGwgb2YgdGhlIGFsZ29yaXRobXMgaW4gdGhlIEROU0tF WSBSUlNldCIgcnVsZSBhcHBsaWVzIGlmIHRoZSBvbmx5IGtleSB3aXRoIGFsZ29yaXRobSBBIGlu IHRoZSBSUlNldCBoYXMgdGhlIHJldm9rZSBiaXQgc2V0LiAgQSBxdWVzdGlvbiBJIGhhZCBuZXZl ciBwcmV2aW91c2x5IGNvbnNpZGVyZWQuDQogICAgPiANCiAgICA+IEdpdmVuIHRoYXQgeW91IGNh bid0IHRyYWNlIHRydXN0IHRocm91Z2ggdGhhdCByZXZva2VkIGtleSwgYW5kIGFueSBSUlNpZyBv cmlnaW5hdGVkIGJ5IHRoYXQga2V5IGlzIGp1c3QgZXh0cmFuZW91cyBiaXRzLCBJIGNhbWUgdG8g dGhyZWUgY29uY2x1c2lvbnM6ICAxKSBBIGtleSBtdXN0IG5vdCBiZSBjb3VudGVkIGZvciB0aGUg cHVycG9zZXMgb2YgdGhlIHJ1bGUgaWYgaXQgaGFzIHRoZSAoUkZDNTAxMSkgcmV2b2tlIGJpdCBz ZXQsIChzKSB0aGUgb25seSBSUlNpZ3MgY3JlYXRlZCBieSBhIHJldm9rZWQga2V5IGFyZSBvdmVy IHRoZSBETlNLRVkgUlJTZXQgYW5kIDMpIGl0J3MgcG9zc2libGUvcHJvYmFibGUgdGhhdCBpbnRl cnByZXRhdGlvbnMgY291bGQgZGlmZmVyLg0KICAgID4gDQogICAgPiBJIHRhZ2dlZCB0aGlzIGVt YWlsIHdpdGggdGhlIGFsZ29yaXRobSB1cGRhdGUgSUQvUkZDIGNhbmRpZGF0ZSBiZWNhdXNlIGFi b3V0IHRoZSBvbmx5IHRpbWUgeW91J3JlIGdvaW5nIHRvIHNlZSBhIHJldm9rZWQgc2luZ2xldG9u IGtleSBvZiBhIGdpdmVuIGFsZ29yaXRobSBpcyB3aGVuIHlvdSdyZSB0cmFuc2l0aW9uaW5nIHRo ZSBhbGdvcml0aG1zIGZvciB0aGUgem9uZS4NCiAgICA+IA0KICAgID4gSSBoZXNpdGF0ZSB0byBh c2sgLSBhbmQgYXBvbG9naXplIGZvciBhc2tpbmcgZ2l2ZW4gdGhlIGxhdGUgZGF0ZSBmb3IgdGhp cyBkb2N1bWVudCwgYnV0IHNob3VsZCB0aGUgc3RhdGVtZW50cyAoMSkgYW5kICgyKSBhYm92ZSBv ciBzb21ldGhpbmcgc2ltaWxhciBiZSBpbmNsdWRlZCBpbiB0aGlzIGRvY3VtZW50IGZvciBjb21w bGV0ZW5lc3M/DQogICAgPiANCiAgICA+IEFsdGVybmF0aXZlbHksIHdoYXQgYnJlYWtzIGlmIHB1 Ymxpc2hlcnMgb21pdCB0aGUgZXh0cmFuZW91cyBzaWduYXR1cmVzIGp1c3QgYmVjYXVzZT8NCiAg ICA+IA0KICAgID4gTGF0ZXIsIE1pa2UNCiAgICA+IA0KICAgID4gDQogICAgPiANCiAgICA+IF9f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX19fDQogICAgPiBETlNP UCBtYWlsaW5nIGxpc3QNCiAgICA+IEROU09QQGlldGYub3JnDQogICAgPiBodHRwczovL3VybGRl ZmVuc2UucHJvb2Zwb2ludC5jb20vdjIvdXJsP3U9aHR0cHMtM0FfX3d3dy5pZXRmLm9yZ19tYWls bWFuX2xpc3RpbmZvX2Ruc29wJmQ9RHdJQ0FnJmM9Rm1ZMXUzUEpwNndyY3J3bGwzbVNWemdma2JQ U1M2c0ptczd4Y2w0STVjTSZyPTlHOC00UF9fQU1neE5PUVBpdTdGa3JJbWVpZUFMS1l0ZkdCRThV VHV5ZzQmbT1EdGNpTDVWenlaeDdPQ2xPdHFVVHd3NDNjTVlpY3ZpTUJzd3I4ZXhhU0RZJnM9aGhI UW9qanlZUlA0eWxkU3ZsWDQ0YUxNREZhZG1hZy1NMlJLaTM1UEk0OCZlPQ0KICAgIA0KICAgIC0t IA0KICAgIE1hcmsgQW5kcmV3cywgSVNDDQogICAgMSBTZXltb3VyIFN0LiwgRHVuZGFzIFZhbGxl eSwgTlNXIDIxMTcsIEF1c3RyYWxpYQ0KICAgIFBIT05FOiArNjEgMiA5ODcxIDQ3NDIgICAgICAg ICAgICAgIElOVEVSTkVUOiBtYXJrYUBpc2Mub3JnDQogICAgDQogICAgX19fX19fX19fX19fX19f X19fX19fX19fX19fX19fX19fX19fX19fX19fX19fX18NCiAgICBETlNPUCBtYWlsaW5nIGxpc3QN CiAgICBETlNPUEBpZXRmLm9yZw0KICAgIGh0dHBzOi8vdXJsZGVmZW5zZS5wcm9vZnBvaW50LmNv bS92Mi91cmw/dT1odHRwcy0zQV9fd3d3LmlldGYub3JnX21haWxtYW5fbGlzdGluZm9fZG5zb3Am ZD1Ed0lDQWcmYz1GbVkxdTNQSnA2d3JjcndsbDNtU1Z6Z2ZrYlBTUzZzSm1zN3hjbDRJNWNNJnI9 OUc4LTRQX19BTWd4Tk9RUGl1N0ZrckltZWllQUxLWXRmR0JFOFVUdXlnNCZtPUR0Y2lMNVZ6eVp4 N09DbE90cVVUd3c0M2NNWWljdmlNQnN3cjhleGFTRFkmcz1oaEhRb2pqeVlSUDR5bGRTdmxYNDRh TE1ERmFkbWFnLU0yUktpMzVQSTQ4JmU9DQogICAgDQoNCg== From nobody Sun Apr 14 08:13:55 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96B8912000F for ; Sun, 14 Apr 2019 08:13:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=I6Q6f2wm; dkim=pass (1536-bit key) header.d=taugh.com header.b=UMGii84s Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sm7DfF7b3xWo for ; Sun, 14 Apr 2019 08:13:51 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0200C120006 for ; Sun, 14 Apr 2019 08:13:50 -0700 (PDT) Received: (qmail 77918 invoked from network); 14 Apr 2019 15:13:48 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type:user-agent; s=1305a.5cb34e2c.k1904; bh=NVkpS023rjUwyBF61Yn6Mx73/ocmSyqgY1LvM61FZ6w=; b=I6Q6f2wm0hmOMIzg26RFDRwTE/Q9YDiDBwF+L4l9lrNJn33Ce7hUDyMGoyVAo+2LKRLRHU6Bdb/ZqpvJJwEBsAkdlnBBSUMmn9dmsMui1y8kdJZde9q7htKhBR2Ba4iBysVmaczqn5nXU7jozShj7lQxGZHLdSNZTdeb8LUZQufbbiFKGdQsvitmNuINRxh/LJx3M8Uu/+BvqGEPk94jS4q3Nupd8H1/zCbihcpj5IQDVh/uTmfFhWxlOHnqWAeJ DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:in-reply-to:references:mime-version:content-type:user-agent; s=1305a.5cb34e2c.k1904; bh=NVkpS023rjUwyBF61Yn6Mx73/ocmSyqgY1LvM61FZ6w=; b=UMGii84sfEP80TrbNhcg/ZytdErJYMPEZfQJhRpCuUG+eATU/OgevDpHwpAvrwmPn/yEtNdZP60sdltyEbA89RlTHY6P3t4A1sRNJqAxlDZs1FcSF33vfMn0yNE4xO3K7alyJI9Th7hh0fNXOeBhBRTHIAvmRoSCDLV2wpkKOZ0ReZgt7NeQYktA+wxrpeZbc/aEMSW8D7cqLtid+I2Y1GJiYGlQ/Nl2CfiW9HnHgtnBUgumEsp3+/UlEivHwDha Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 14 Apr 2019 15:13:48 -0000 Date: 14 Apr 2019 11:13:48 -0400 Message-ID: From: "John R Levine" To: dnsop@ietf.org In-Reply-To: <20190404012010.64DB6201162C3F@ary.qy> References: <20190404012010.64DB6201162C3F@ary.qy> User-Agent: Alpine 2.21 (OSX 202 2017-01-01) MIME-Version: 1.0 Content-Type: text/plain; format=flowed; charset=US-ASCII Archived-At: Subject: Re: [DNSOP] additional section, was Over on the dbound list: draft-dcrocker-dns-perimeter-00 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Apr 2019 15:13:54 -0000 On Thu, 3 Apr 2019, John Levine wrote: > The part of interest to DNSOP would be section 7 on pages 12 and 13 > where it discusses tree walks and potential new additional section > processing to find the closest perimeter record above a name being > checked. This draft proposes to publish TXT records to mark logical (not zone) boundaries, sort of like what the Mozilla PSL does. Let's say there's a boundary between d.example and example. Then the domain owner would publish _perim.example to show that's where a boundary (perimiter in the draft's language) is. But what if the names go deeper and a client is wondering where the boundary is in a.b.c.d.example? The proposal is that the client asks for _perim.a.b.c.d.example, and the DNS server returns NXDOMAIN but also puts the _perim.example in the additional section, so the client knows that's where the boundary is and doesn't have to do a tree walk. It seems to me that this can't work. Additional section entries are only hints, and just because it returns _perim.example, that doesn't mean that _perim.c.d.example doesn't exist. In a DNS cache, there's no promise that additional section records will be remembered for the same time as the main answer, or for that matter remembered at all. The client still has to probe all of the intermediate names to check that they don't exist. Another issue is that qname minimzation breaks this, since the authoritative server often won't see the full query. Or if the boundary is above a zone cut, the authoritative server won't have the additional record to return. Although it is legal to put an additional section in an NXDOMAIN response, it's uncommon and I don't know how the bailiwick checks would work. It seems unlikely that any DNS servers or caches would implement a feature that triggers TXT record additional section records based on the qname. Am I missing anything here? Regards, John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://jl.ly PS: for a different design that (ab)uses wildcards to do the same thing and avoids tree walks see draft-levine-dbound-dns-02. From nobody Sun Apr 14 08:30:01 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEB36120058 for ; Sun, 14 Apr 2019 08:29:59 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ox-ooev7pyA0 for ; Sun, 14 Apr 2019 08:29:58 -0700 (PDT) Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17C6F120006 for ; Sun, 14 Apr 2019 08:29:58 -0700 (PDT) Received: by mail-qt1-x832.google.com with SMTP id z17so16439005qts.13 for ; Sun, 14 Apr 2019 08:29:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=HveHQ5EIQ0+kHG4ApwJ4NaAGCWXtto904qyt1ZH01HY=; b=BACoyx0njvmSaPic4fZZp4N1z1mj2/+u8rH0m3sDx3QPEybIFg64PK/ypXn/2wYgiJ EN0YpUELdaL7wflJ6ORESMLrSY9mZBpytzgX2ITtREi1YNGXdFssvza3vVK2FuA9OjBZ WqtysYd6Udr1m1cESV88FFVkilV5bXbVludlpJA9+GPkp38jUUxZEX7A4WILQvRKtFSo 8mJ4x+JtB/kbmaecWdFLSH2G/IF7WhPUknL2B14OdxrudsSbC17Ht2ujymL60zwGtVV7 9eCvbOfMkiS1vKLL6ndTtQXAIyzCsZ3sGwoB81MBiDW14yMN6WZ36s9OnZUIAmCqm/BA axrg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=HveHQ5EIQ0+kHG4ApwJ4NaAGCWXtto904qyt1ZH01HY=; b=Y0pB+k4VuTEA3fpvW2v+u5oWqT1j7z9tS3EXQnopHr3NjkPx4OmFTQSsAxxz4H2+Dq acK4daTUOt3KwysMPvLhEEKIjTV/wj8eqc2Sru7C6LvQ6/v9/Dw7Cx3JDRcx2RPH9YaO 9H22Em2lxpWeQ3xIW6STcwpWeom3i7a6w7dQ0IVBkTzOddEie/rQDjDorR/yvlITP4mK N5HegsAQexUAAEmODqiVj56y/9xoNqVcFpqqc8ocBIMiuPkXo3LPnrzdpm5jMuDm/rAY +2nbqfe879xvoywcAiP9QJWFyH3XZv8nISk5ANmFG86M5hdFmrOFsM+h4axhPTv6iFH/ tuLg== X-Gm-Message-State: APjAAAXIRPdrTTWuRScly66M/ccYPX3l4nrVFnCkHBr4dUzoCqP/ILka a01F6fDSj77uI9zMIdU7jXi2WpY47f7UBw== X-Google-Smtp-Source: APXvYqy6xRAouRDmOlKRgwerHWkKF0lMUXtqGRAyckEKTm1exwls/9XqvUwqDziuhZGD84tnLGxLIQ== X-Received: by 2002:ac8:348d:: with SMTP id w13mr58670183qtb.329.1555255796967; Sun, 14 Apr 2019 08:29:56 -0700 (PDT) Received: from [10.0.100.12] (c-73-186-137-119.hsd1.ma.comcast.net. [73.186.137.119]) by smtp.gmail.com with ESMTPSA id x184sm17332593qke.35.2019.04.14.08.29.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 14 Apr 2019 08:29:56 -0700 (PDT) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.2\)) From: Ted Lemon In-Reply-To: Date: Sun, 14 Apr 2019 11:29:55 -0400 Cc: dnsop@ietf.org Content-Transfer-Encoding: quoted-printable Message-Id: References: <20190404012010.64DB6201162C3F@ary.qy> To: John R Levine X-Mailer: Apple Mail (2.3445.104.2) Archived-At: Subject: Re: [DNSOP] additional section, was Over on the dbound list: draft-dcrocker-dns-perimeter-00 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 14 Apr 2019 15:30:00 -0000 On Apr 14, 2019, at 11:13 AM, John R Levine wrote: > Although it is legal to put an additional section in an NXDOMAIN = response, it's uncommon and I don't know how the bailiwick checks would = work. We already do something like this when looking for the zone apex, and it = potentially has the same problem. If I look for the zone apex of a = nonexistent name under a zone that does exist, I=E2=80=99ll get back an = SOA record in the authority section. How do I know that that=E2=80=99s = the real zone apex? If I look up a.b.c.d.example.com and get back an = SOA for example.com, how do I know that there is no SOA for = c.d.example.com? The answer is that I don=E2=80=99t, without validating the answer. And = that requires traversing the trust anchors to the root, so as you say, = this doesn=E2=80=99t save any work. Clearly, this validation should be done=E2=80=94we shouldn=E2=80=99t = just assume that what=E2=80=99s in the additional section is correct. = I think that this means that in the case of a query with DNSSEC enabled, = the additional section should contain as much of the chain of trust as = will fit, in the order the client resolver can be expected to need it. From nobody Sun Apr 14 19:35:43 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85DC312008B for ; Sun, 14 Apr 2019 19:35:41 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.901 X-Spam-Level: X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I77frpZbcKRR for ; Sun, 14 Apr 2019 19:35:39 -0700 (PDT) Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20B78120073 for ; Sun, 14 Apr 2019 19:35:38 -0700 (PDT) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 8CD793AB03F; Mon, 15 Apr 2019 02:35:37 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 6C9BF16000C; Mon, 15 Apr 2019 02:35:37 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 43007160046; Mon, 15 Apr 2019 02:35:37 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id fjEnDYKkqtD3; Mon, 15 Apr 2019 02:35:37 +0000 (UTC) Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 270C816000C; Mon, 15 Apr 2019 02:35:35 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) From: Mark Andrews In-Reply-To: Date: Mon, 15 Apr 2019 12:35:30 +1000 Cc: Michael StJohns , "dnsop@ietf.org" Content-Transfer-Encoding: quoted-printable Message-Id: References: <4CD31719-BC63-4038-9FD0-580B4C04BB64@isc.org> To: Edward Lewis X-Mailer: Apple Mail (2.3445.9.1) Archived-At: Subject: Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-update X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Apr 2019 02:35:42 -0000 And as DNS is loosely coherent a validator cannot check this rule even = when getting answers from a single IP address as there may be a anycast server behind = that address. This loose coherence allows for servers to incrementally sign a zone = when introducing a new algorithm. A incrementally signed zoned for a algorithm is no = different to a incoherent zone for the purposes of validation. You don=E2=80=99t publish DS records (or trust anchors) for a algorithm = until the incoherent state is resolved (incremental signing with the new algorithm is = complete). The same applies to CDS and CDNSKEY. You can only check if all records are signed with a given algorithm by = performing a transfer of a zone and analysing that. There is no way to do it with = individual queries. As for the original question, if all the DNSKEYs for a algorithm are = revoked I would only be signing the DNSKEY RRset with that algorithm. The zone will = appear to be in a incoherent state but that isn=E2=80=99t a issue unless there are still = DS records referencing that algorithm which there shouldn=E2=80=99t be if they are all revoked.=20= > On 13 Apr 2019, at 6:00 am, Edward Lewis = wrote: >=20 > I've been inactive a long time, but someone alerted me to this = message. > (Apologies what below looks like it's from a ranting lunatic. But it = is.) >=20 > =EF=BB=BFOn 4/12/19, 11:31, "DNSOP on behalf of Mark Andrews" = wrote: >=20 > Well given that the actual rule is all the algorithms listed in the = DS RRset > rather than DNSKEY RRset and is designed to ensure that there is = always a > signature present for each of the algorithms that could be used be = used to > declare that the child zone is treated as secure, the answer is NO. >=20 > Mark >=20 > Looking at "Protocol Modifications for the DNS Security Extensions" = (aka RFC 4035): > ... > 2. Zone Signing > ... > 2.2. Including RRSIG RRs in a Zone > ... > There MUST be an RRSIG for each RRset using at least one DNSKEY of > each algorithm in the zone apex DNSKEY RRset. The apex DNSKEY RRset > itself MUST be signed by each algorithm appearing in the DS RRset > located at the delegating parent (if any). >=20 > =46rom this I believe Mark's words are incorrect. What I read is that = the determining factor is what is in a zone's DNSKEY resource record set = and that the set must be signed by a key of each of the algorithms in = the DS set. This allows the child administrator to have DNSKEY records = for DNSSEC security algorithms other than those represented in the = parent's DS resource record set and does accommodate other signatures = covering the DNSKEY record set. >=20 > Historically there's been great confusion over this passage, partly = because the context is usually missed. This rule governs the actions of = signing and serving a zone, not validating a zone. The purpose of the = rule is to allow a validator to "know" deterministically what signatures = ought to be present for data. This is needed to mitigate a downgrade = attack enacted by simply filtering signature records. The validator = need not check to make sure all "required" signatures are available, it = should be content with anything that works. I.e., be aggressive in = declaring success in the validation process to combat the brittleness = introduced by DNSSEC. (This is intentional, not an afterthought.) >=20 > Imagine one is descending the tree, and determines that the parent's = zone data is signed by DNSSEC. Taking the next step downward toward the = desired data, the DS resource record set indicates how the child is = secured. Proven absence of a DS resource record set means the parent = considers the child is unsigned (whether the child is or not). >=20 > One ought to imagine that when these rules were written, it was = assumed validators taking these steps might not "know" all of the DNSSEC = security algorithms. I.e., a validator might know '8' but not '13'. If = a parent used '8' to sign, and the DS resource record set indicated that = only '13' was used by the child (the DS resource record set itself = signed by '8'), then the validator would treat the child as unsigned. = But if there were an '8' in there, then the child's DNSKEY set would = have to be signed with '8' so the chain would continue. >=20 > It's possible that a child may have DNSKEY resource records for DNSSEC = security algorithms not supported by the parent operator. A child = operator may have arranged to have trust anchors in all relying = validators out of band to make this "still work." This is the reason = the determination is from the zone's apex DNSKEY resource record set and = not the parent's DS resource record set. >=20 > Remember a child is "delegated" responsibility for a domain. The = parent only "gives it life". What a child zone says about itself rules, = local policy and all that. A child may be under a non-DNSSEC parent and = still practice DNSSEC with the validators it has out-of-band contact = with. >=20 >> On 13 Apr 2019, at 1:05 am, Michael StJohns = wrote: >>=20 >> Hi - >>=20 >> I had someone ask me (last night!!) whether or not the "must sign = each RRSet with all of the algorithms in the DNSKEY RRSet" rule applies = if the only key with algorithm A in the RRSet has the revoke bit set. A = question I had never previously considered. >>=20 >> Given that you can't trace trust through that revoked key, and any = RRSig originated by that key is just extraneous bits, I came to three = conclusions: 1) A key must not be counted for the purposes of the rule = if it has the (RFC5011) revoke bit set, (s) the only RRSigs created by a = revoked key are over the DNSKEY RRSet and 3) it's possible/probable that = interpretations could differ. >>=20 >> I tagged this email with the algorithm update ID/RFC candidate = because about the only time you're going to see a revoked singleton key = of a given algorithm is when you're transitioning the algorithms for the = zone. >>=20 >> I hesitate to ask - and apologize for asking given the late date for = this document, but should the statements (1) and (2) above or something = similar be included in this document for completeness? >>=20 >> Alternatively, what breaks if publishers omit the extraneous = signatures just because? >>=20 >> Later, Mike >>=20 >>=20 >>=20 >> _______________________________________________ >> DNSOP mailing list >> DNSOP@ietf.org >> = https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__www.ietf.org_mailma= n_listinfo_dnsop&d=3DDwICAg&c=3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5c= M&r=3D9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=3DDtciL5VzyZx7OClOtqUT= ww43cMYicviMBswr8exaSDY&s=3DhhHQojjyYRP4yldSvlX44aLMDFadmag-M2RKi35PI48&e=3D= >=20 > --=20 > Mark Andrews, ISC > 1 Seymour St., Dundas Valley, NSW 2117, Australia > PHONE: +61 2 9871 4742 INTERNET: marka@isc.org >=20 > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > = https://urldefense.proofpoint.com/v2/url?u=3Dhttps-3A__www.ietf.org_mailma= n_listinfo_dnsop&d=3DDwICAg&c=3DFmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5c= M&r=3D9G8-4P__AMgxNOQPiu7FkrImeieALKYtfGBE8UTuyg4&m=3DDtciL5VzyZx7OClOtqUT= ww43cMYicviMBswr8exaSDY&s=3DhhHQojjyYRP4yldSvlX44aLMDFadmag-M2RKi35PI48&e=3D= --=20 Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From nobody Mon Apr 15 06:21:50 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 987BB120188 for ; Mon, 15 Apr 2019 06:21:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.201 X-Spam-Level: X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zXRxLWmV63Ar for ; Mon, 15 Apr 2019 06:21:46 -0700 (PDT) Received: from out.west.pexch112.icann.org (out.west.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D801812017C for ; Mon, 15 Apr 2019 06:21:46 -0700 (PDT) Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Mon, 15 Apr 2019 06:21:45 -0700 Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Mon, 15 Apr 2019 06:21:45 -0700 From: Edward Lewis To: Mark Andrews CC: "dnsop@ietf.org" , Michael StJohns Thread-Topic: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-update Thread-Index: AQHU8zPy6MIqTJVhB0W9RaAKyd6+V6Y9aDkA Date: Mon, 15 Apr 2019 13:21:44 +0000 Message-ID: References: <4CD31719-BC63-4038-9FD0-580B4C04BB64@isc.org> In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/10.16.0.190211 x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [192.0.47.234] Content-Type: text/plain; charset="utf-8" Content-ID: <2B9D24078DFE674DB30DB61FDEA620F4@pexch112.icann.org> Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: Subject: Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-update X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Apr 2019 13:21:49 -0000 QSBmZXcgZm9sbG93IHVwczoNCg0K77u/T24gNC8xNC8xOSwgMjI6MzUsICJETlNPUCBvbiBiZWhh bGYgb2YgTWFyayBBbmRyZXdzIiA8ZG5zb3AtYm91bmNlc0BpZXRmLm9yZyBvbiBiZWhhbGYgb2Yg bWFya2FAaXNjLm9yZz4gd3JvdGU6DQogICAgDQo+WW91IGRvbuKAmXQgcHVibGlzaCBEUyByZWNv cmRzIChvciB0cnVzdCBhbmNob3JzKSBmb3IgYSBhbGdvcml0aG0gdW50aWwgdGhlIGluY29oZXJl bnQgc3RhdGUgaXMgcmVzb2x2ZWQgKGluY3JlbWVudGFsIHNpZ25pbmcgd2l0aCB0aGUgbmV3IGFs Z29yaXRobSBpcyBjb21wbGV0ZSkuDQoNCldoaWxlIHRoYXQgbWFrZXMgc2Vuc2UsIHRoZSBwcm90 b2NvbCBjYW4ndCAobm90IHNpbXBseSBkb2Vzbid0KSBmb3JiaWQgaXQuICBUaGUgcHVibGlzaGVy IG9mIHRoZSBEUyByZXNvdXJjZSByZWNvcmQgc2V0IG1heSBiZSBhIGRpZmZlcmVudCBlbnRpdHkg dGhhbiB0aGUgcHVibGlzaGVyIG9mIHRoZSBjb3JyZXNwb25kaW5nIEROU0tFWSByZXNvdXJjZSBy ZWNvcmQgc2V0LiAgQmVjYXVzZSBvZiB0aGUgcG9zc2liaWxpdHkgb2YgbWlzYWxpZ25tZW50LCB0 aGUgcHJvdG9jb2wgYXMgdG8gYmUgc3BlY2lmaWMgaW4gb3JkZXIgdG8gYmUgcm9idXN0Lg0KICAg IA0KPllvdSBjYW4gb25seSBjaGVjayBpZiBhbGwgcmVjb3JkcyBhcmUgc2lnbmVkIHdpdGggYSBn aXZlbiBhbGdvcml0aG0gYnkgcGVyZm9ybWluZyBhIHRyYW5zZmVyIG9mIGEgem9uZSBhbmQgYW5h bHlzaW5nIHRoYXQuICBUaGVyZSBpcyBubyB3YXkgdG8gZG8gaXQgd2l0aCBpbmRpdmlkdWFsIHF1 ZXJpZXMuDQoNClRoZSBoaXN0b3JpYyBlcnJvciBpbnZvbHZlZCBhIHJlc29sdmVyLCB1cG9uIHJl Y2VpcHQgb2YgYSByZXNwb25zZSwgZGVjbGFyaW5nIGEgZGF0YSBzZXQgaW52YWxpZCB3aGVuIHRo ZSBzZXQgb2YgUlJTSUcgcmVzb3VyY2UgcmVjb3JkcyBkaWQgbm90IGNvdmVyIGFsbCB0aGUgRE5T U0VDIHNlY3VyaXR5IGFsZ29yaXRobXMgdGhhdCB0aGUgcnVsZXMgZm9yIHpvbmUgc2lnbmluZyBz cGVjaWZpZWQsIGFzIG9wcG9zZWQgdG8gdmFsaWRhdGluZyB0aGUgZGF0YSBzZXQgaW4gcXVlc3Rp b24gYmVjYXVzZSB0aGVyZSB3ZXJlIHN1ZmZpY2llbnQgcmVjb3JkcyB0byBidWlsZCBhIHNlY3Vy ZSBjaGFpbi4NCiAgICANCj5BcyBmb3IgdGhlIG9yaWdpbmFsIHF1ZXN0aW9uLCBpZiBhbGwgdGhl IEROU0tFWXMgZm9yIGEgYWxnb3JpdGhtIGFyZSByZXZva2VkIEkgd291bGQgb25seSBiZSBzaWdu aW5nIHRoZSBETlNLRVkgUlJzZXQgd2l0aCB0aGF0IGFsZ29yaXRobS4NCg0KVGhpcyBtYWtlcyBj b21wbGV0ZSBzZW5zZSwgYnV0IGlzIG5vdCBpbi1saW5lIHdpdGggdGhlIGxldHRlciBvZiB0aGUg cHJvdG9jb2wncyBydWxlcy4gIFRoYXQncyB0aGUgaXNzdWUuDQoNClRoZSBjb25zZXF1ZW5jZSBv ZiBmb2xsb3dpbmcgdGhlIHByb3RvY29sJ3MgY3VycmVudCBydWxlcyBpcyBhIGxvdCBvZiBkZWFk d2VpZ2h0LiAgTmFtZWx5LCB1bnVzYWJsZSBSUlNJRyByZXNvdXJjZSByZWNvcmRzIHNlbnQgaW4g ZWFjaCByZXBseSBvZiBhdXRob3JpdGF0aXZlIGRhdGEganVzdCB0byBpbmNsdWRlIHRoZSBETlNT RUMgc2VjdXJpdHkgYWxnb3JpdGhtLiAgVGhlIHNpZ25hdHVyZXMgbmVlZCBub3QgbWFrZSBtYXRo ZW1hdGljIHNlbnNlIC0gYXMgbm8gb25lIHdvdWxkIG5lZWQgdG8gdmFsaWRhdGUgdGhlbSAtIHdp dGggb25lIGV4Y2VwdGlvbi4gV2hlcmUgZXZlciB0aGVyZSBpcyBhIGRpdmlzaW9uIG9mIGtleSBy ZXNwb25zaWJpbGl0aWVzIHN1Y2ggYXMgaGF2aW5nIG9uZSBvcmdhbml6YXRpb24gbWFuYWdlIHRo ZSBLU0sgYW5kIGEgZGlmZmVyZW50IG1hbmFnZSB0aGUgWlNLLCBhIFpTSyBtYXkgYmUgImZvcmNl ZCIgdG8gZXhpc3QgYnkgcnVsZSBhbmQgb3BlcmF0aW9uYWwgY29uZmlndXJhdGlvbi4NCg0KKFJl bW92ZWQgdGhlIHJlbWFpbmRlciBvZiB0aGUgdGhyZWFkIGhpc3RvcnkuLi4pDQogICAgDQoNCg0K From nobody Mon Apr 15 07:03:47 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57DE21200B1 for ; Mon, 15 Apr 2019 07:03:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.901 X-Spam-Level: X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MvDuM2FqEC1A for ; Mon, 15 Apr 2019 07:03:40 -0700 (PDT) Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF614120292 for ; Mon, 15 Apr 2019 07:03:40 -0700 (PDT) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 187593AB03F; Mon, 15 Apr 2019 14:03:40 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 053AD160052; Mon, 15 Apr 2019 14:03:40 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id E8A1F160053; Mon, 15 Apr 2019 14:03:39 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 9dkcQPlBN_z8; Mon, 15 Apr 2019 14:03:39 +0000 (UTC) Received: from [172.30.42.90] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 9C441160052; Mon, 15 Apr 2019 14:03:39 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (1.0) From: Mark Andrews X-Mailer: iPhone Mail (16E227) In-Reply-To: Date: Tue, 16 Apr 2019 00:03:37 +1000 Cc: "dnsop@ietf.org" , Michael StJohns Content-Transfer-Encoding: quoted-printable Message-Id: <5F7D471E-B77B-4A01-90F0-97E73CDB61D6@isc.org> References: <4CD31719-BC63-4038-9FD0-580B4C04BB64@isc.org> To: Edward Lewis Archived-At: Subject: Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-update X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Apr 2019 14:03:45 -0000 Well I think it is time for more fine tuning. It=E2=80=99s still only PS.=20= --=20 Mark Andrews > On 15 Apr 2019, at 23:21, Edward Lewis wrote: >=20 > A few follow ups: >=20 > =EF=BB=BFOn 4/14/19, 22:35, "DNSOP on behalf of Mark Andrews" wrote: >=20 >> You don=E2=80=99t publish DS records (or trust anchors) for a algorithm u= ntil the incoherent state is resolved (incremental signing with the new algo= rithm is complete). >=20 > While that makes sense, the protocol can't (not simply doesn't) forbid it.= The publisher of the DS resource record set may be a different entity than= the publisher of the corresponding DNSKEY resource record set. Because of t= he possibility of misalignment, the protocol as to be specific in order to b= e robust. >=20 >> You can only check if all records are signed with a given algorithm by pe= rforming a transfer of a zone and analysing that. There is no way to do it w= ith individual queries. >=20 > The historic error involved a resolver, upon receipt of a response, declar= ing a data set invalid when the set of RRSIG resource records did not cover a= ll the DNSSEC security algorithms that the rules for zone signing specified,= as opposed to validating the data set in question because there were suffic= ient records to build a secure chain. >=20 >> As for the original question, if all the DNSKEYs for a algorithm are revo= ked I would only be signing the DNSKEY RRset with that algorithm. >=20 > This makes complete sense, but is not in-line with the letter of the proto= col's rules. That's the issue. >=20 > The consequence of following the protocol's current rules is a lot of dead= weight. Namely, unusable RRSIG resource records sent in each reply of autho= ritative data just to include the DNSSEC security algorithm. The signatures= need not make mathematic sense - as no one would need to validate them - wi= th one exception. Where ever there is a division of key responsibilities suc= h as having one organization manage the KSK and a different manage the ZSK, a= ZSK may be "forced" to exist by rule and operational configuration. >=20 > (Removed the remainder of the thread history...) >=20 >=20 >=20 From nobody Mon Apr 15 08:25:46 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 01E881200B8; Mon, 15 Apr 2019 08:25:37 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.95.0 Auto-Submitted: auto-generated Precedence: bulk Reply-To: dnsop@ietf.org Message-ID: <155534193693.10763.18181205597610934507@ietfa.amsl.com> Date: Mon, 15 Apr 2019 08:25:37 -0700 Archived-At: Subject: [DNSOP] I-D Action: draft-ietf-dnsop-aname-03.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Apr 2019 15:25:37 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF. Title : Address-specific DNS aliases (ANAME) Authors : Tony Finch Evan Hunt Peter van Dijk Anthony Eden Matthijs Mekking Filename : draft-ietf-dnsop-aname-03.txt Pages : 15 Date : 2019-04-15 Abstract: This document defines the "ANAME" DNS RR type, to provide similar functionality to CNAME, but only for type A and AAAA queries. Unlike CNAME, an ANAME can coexist with other record types. The ANAME RR allows zone owners to make an apex domain name into an alias in a standards compliant manner. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-dnsop-aname-03 https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-aname-03 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-aname-03 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Mon Apr 15 10:45:24 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E37A1200E6 for ; Mon, 15 Apr 2019 10:45:22 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=umich.edu Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f-hRednDyPWQ for ; Mon, 15 Apr 2019 10:45:19 -0700 (PDT) Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2CEC1201E6 for ; Mon, 15 Apr 2019 10:45:18 -0700 (PDT) Received: by mail-lf1-x12a.google.com with SMTP id k18so4837075lfj.13 for ; Mon, 15 Apr 2019 10:45:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=cFCmH0T4KsegpOewZAW7qjYGf5VQvdgDQ4CJxShTLrw=; b=sQxIeqAYzl793tzLKzod9Gb4qzJM6QpWiZZ4AUZTLDLp9U76gywZqTyYVBAx+kXK1r 0ZXLUsHCfBLfZ6TDrzDzzuEHXZzcKklv7TF8ucn6GjE0kk9YxSsQ3QaDigvWpAoCh9xa KbIWjX2OvH55H84TXW/Mr6/Zac1PSxoitCn/wEgH5d7gStrtxUzyeiD8j66q/YCJtrgr 429BicA9tZ3ToDzUZf60Mp1z4tuookfj4sbkQ6Cua+lV8N/iHtVRfO1H1kh+JxWaaSd9 XdVWplcfxfKRC5TwuUEPmTYIftSuY/a8G8l9/pDUceq13LzxBEQKmzOhmNzJJ/vAM35k Lnow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=cFCmH0T4KsegpOewZAW7qjYGf5VQvdgDQ4CJxShTLrw=; b=XfWPKdksoW9EO+quYNSUpJa655w2hyEOXV2RQOm6yEMuKWnyuA6EATsUF3notYsMxO HcaSG61+gBFpnBjEKaJTYcEwkSAhCYTNxMKjluVgh9zL2CGw3wlmocYbPGafUXcigW4o amfAx47Eg5RrtvFWpbTHMC1mDYhtmQPKmbpgp8J7kic3jmzjQBVViC8DqiE/tZnt3Uh6 OXHq0s9F5S6sV2O5sKsfx3DaE8gKtIlZjKMo4ub1K9+t8Q6ADVri9UsyyoeTJ06rmZYZ rXJR4GDINDVCjHD/hUVRWl3Dqbj/UbhrvaF3ESvDFoVug4gNxuvNTtMeTD2nb/bBbCpB gqvg== X-Gm-Message-State: APjAAAUgMjSDl2KsTkDlVVdtnQTk5bljLGoZFrbRaoCa5Xj1yo9Q+ZtM uIVpxdkIcPxtJOr7SuPItKkVujPyDvCNZmIYihyGO5j68Y0= X-Google-Smtp-Source: APXvYqwqeWJW7kFUhJVpjmfNoislwwA8LzylrNNE7aSfoPu8oFrSu8piuOGvYuxpDsZAwKpyY0ZTc58MFUv0+0beO3Y= X-Received: by 2002:a19:7d42:: with SMTP id y63mr7444158lfc.92.1555350316480; Mon, 15 Apr 2019 10:45:16 -0700 (PDT) MIME-Version: 1.0 References: <155534193693.10763.18181205597610934507@ietfa.amsl.com> In-Reply-To: <155534193693.10763.18181205597610934507@ietfa.amsl.com> From: Bob Harold Date: Mon, 15 Apr 2019 13:45:05 -0400 Message-ID: To: IETF DNSOP WG Content-Type: multipart/alternative; boundary="0000000000001d92940586953786" Archived-At: Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-03.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 15 Apr 2019 17:45:22 -0000 --0000000000001d92940586953786 Content-Type: text/plain; charset="UTF-8" On Mon, Apr 15, 2019 at 11:25 AM wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Domain Name System Operations WG of the > IETF. > > Title : Address-specific DNS aliases (ANAME) > Authors : Tony Finch > Evan Hunt > Peter van Dijk > Anthony Eden > Matthijs Mekking > Filename : draft-ietf-dnsop-aname-03.txt > Pages : 15 > Date : 2019-04-15 > > Abstract: > This document defines the "ANAME" DNS RR type, to provide similar > functionality to CNAME, but only for type A and AAAA queries. Unlike > CNAME, an ANAME can coexist with other record types. The ANAME RR > allows zone owners to make an apex domain name into an alias in a > standards compliant manner. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-dnsop-aname-03 > https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-aname-03 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-aname-03 > > Looks good to me, one minor nit. 5.1. Zone transfers "Secondary servers that rely on zone transfers to obtain sibling address records, just like the rest of the zone, and serve them in the usual way (with Section 3 Additional section processing if they support it)." That's not a complete sentence. Perhaps remove the word "that". -- Bob Harold --0000000000001d92940586953786 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

On Mon, Apr 15, 2019 at 11:25 AM <internet-drafts@ietf.org> = wrote:

A New Internet-Draft is available from the on-line Internet-Drafts director= ies.
This draft is a work item of the Domain Name System Operations WG of the IE= TF.

=C2=A0 =C2=A0 =C2=A0 =C2=A0 Title=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:= Address-specific DNS aliases (ANAME)
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Authors=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0: Tony= Finch
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 Evan Hunt
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 Peter van Dijk
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 Anthony Eden
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 Matthijs Mekking
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Filename=C2=A0 =C2=A0 =C2=A0 =C2=A0 : draft-iet= f-dnsop-aname-03.txt
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Pages=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:= 15
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Date=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 := 2019-04-15

Abstract:
=C2=A0 =C2=A0This document defines the "ANAME" DNS RR type, to pr= ovide similar
=C2=A0 =C2=A0functionality to CNAME, but only for type A and AAAA queries.= =C2=A0 Unlike
=C2=A0 =C2=A0CNAME, an ANAME can coexist with other record types.=C2=A0 The= ANAME RR
=C2=A0 =C2=A0allows zone owners to make an apex domain name into an alias i= n a
=C2=A0 =C2=A0standards compliant manner.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-= dnsop-aname/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dnsop-an= ame-03
https://datatracker.ietf.org/doc/html= /draft-ietf-dnsop-aname-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=3Ddra= ft-ietf-dnsop-aname-03


Looks good to me, o= ne minor nit.

5.1. Zone transfers

"Secondary servers tha= t rely on zone transfers to obtain sibling
=C2=A0 =C2=A0addre= ss records, just like the rest of the zone, and serve them in
=C2= =A0 =C2=A0the usual way (with Section 3 Additional section processing if th= ey
=C2=A0 =C2=A0support it)."

That&= #39;s not a complete sentence.=C2=A0 Perhaps remove the word "that&quo= t;.

--=C2=A0
Bob Harold
=C2=A0=
--0000000000001d92940586953786-- From nobody Mon Apr 15 21:17:48 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5661D12010D for ; Mon, 15 Apr 2019 21:17:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.9 X-Spam-Level: X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BSuLJI3gr_D7 for ; Mon, 15 Apr 2019 21:17:45 -0700 (PDT) Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F4A2120089 for ; Mon, 15 Apr 2019 21:17:45 -0700 (PDT) Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 836EE3AB060; Tue, 16 Apr 2019 04:17:43 +0000 (UTC) Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 69113160064; Tue, 16 Apr 2019 04:17:43 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 3191A160068; Tue, 16 Apr 2019 04:17:43 +0000 (UTC) Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id QdC6OZI9NsaN; Tue, 16 Apr 2019 04:17:43 +0000 (UTC) Received: from [172.30.42.67] (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 22C6B160064; Tue, 16 Apr 2019 04:17:41 +0000 (UTC) Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) From: Mark Andrews In-Reply-To: Date: Tue, 16 Apr 2019 14:17:39 +1000 Cc: "dnsop@ietf.org" , Michael StJohns Content-Transfer-Encoding: quoted-printable Message-Id: References: <4CD31719-BC63-4038-9FD0-580B4C04BB64@isc.org> To: Edward Lewis X-Mailer: Apple Mail (2.3445.9.1) Archived-At: Subject: Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-algorithm-update X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Apr 2019 04:17:47 -0000 > On 15 Apr 2019, at 11:21 pm, Edward Lewis = wrote: >=20 > A few follow ups: >=20 > =EF=BB=BFOn 4/14/19, 22:35, "DNSOP on behalf of Mark Andrews" = wrote: >=20 >> You don=E2=80=99t publish DS records (or trust anchors) for a = algorithm until the incoherent state is resolved (incremental signing = with the new algorithm is complete). >=20 > While that makes sense, the protocol can't (not simply doesn't) forbid = it. The publisher of the DS resource record set may be a different = entity than the publisher of the corresponding DNSKEY resource record = set. Because of the possibility of misalignment, the protocol as to be = specific in order to be robust. They will normally be different entities. The same is true for all = delegations. You can be robust and still have more nuanced rules. = Parents of a delegation should only be publishing DS records on the = direction of the child. We have a number of mechanism to pass that = direction (inband: CDS, CDNSKEY, out of band: EPP DS entries). The intent of the rule was to prevent validation failures provided it = was followed. i.e. if you follow this rule, validators should not = produce a bogus result of validation provided you generate good = signatures as they will have the necessary data. Zones were the there = isn=E2=80=99t a supported algorithm in the DS set are deemed to be = insecure. To prevent downgrade attacks you need to look at the DS set, = not the DNSKEY set, as that should only be published before (removal of = algorithm) / after (addition of algorithm) the natural incoherence = resulting from updating zone content (DNSKEY RRset) has stabilised.=20 That said downgrade attacks should be a non issue. If a algorithm is = too weak to validate a response it should be ignored, not conditionally = used which is the only time one would care about downgrade attacks = succeeding. >> You can only check if all records are signed with a given algorithm = by performing a transfer of a zone and analysing that. There is no way = to do it with individual queries. >=20 > The historic error involved a resolver, upon receipt of a response, = declaring a data set invalid when the set of RRSIG resource records did = not cover all the DNSSEC security algorithms that the rules for zone = signing specified, as opposed to validating the data set in question = because there were sufficient records to build a secure chain. Yep. >> As for the original question, if all the DNSKEYs for a algorithm are = revoked I would only be signing the DNSKEY RRset with that algorithm. >=20 > This makes complete sense, but is not in-line with the letter of the = protocol's rules. That's the issue. Basically the protocol rules in this area are and always have been too = simple. I should have pushed for more nuanced rules initially but I = wasn't sure the working group was up to it. They weren=E2=80=99t up to = more nuanced rules to =E2=80=9Calways send CD=3D1=E2=80=9D which should = be struck from the RFC. > The consequence of following the protocol's current rules is a lot of = deadweight. Namely, unusable RRSIG resource records sent in each reply = of authoritative data just to include the DNSSEC security algorithm. = The signatures need not make mathematic sense - as no one would need to = validate them - with one exception. Where ever there is a division of = key responsibilities such as having one organization manage the KSK and = a different manage the ZSK, a ZSK may be "forced" to exist by rule and = operational configuration. >=20 > (Removed the remainder of the thread history=E2=80=A6) --=20 Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org From nobody Tue Apr 16 10:52:23 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 99D02120308; Tue, 16 Apr 2019 10:52:17 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.95.0 Auto-Submitted: auto-generated Precedence: bulk Reply-To: dnsop@ietf.org Message-ID: <155543713754.24998.8934172511539336013@ietfa.amsl.com> Date: Tue, 16 Apr 2019 10:52:17 -0700 Archived-At: Subject: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-05.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Apr 2019 17:52:18 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF. Title : Serving Stale Data to Improve DNS Resiliency Authors : David C Lawrence Warren "Ace" Kumari Puneet Sood Filename : draft-ietf-dnsop-serve-stale-05.txt Pages : 12 Date : 2019-04-16 Abstract: This draft defines a method (serve-stale) for recursive resolvers to use stale DNS data to avoid outages when authoritative nameservers cannot be reached to refresh expired data. It updates the definition of TTL from [RFC1034], [RFC1035], and [RFC2181] to make it clear that data can be kept in the cache beyond the TTL expiry and used for responses when a refreshed answer is not readily available. One of the motivations for serve-stale is to make the DNS more resilient to DoS attacks, and thereby make them less attractive as an attack vector. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-05 https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-serve-stale-05 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-serve-stale-05 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Tue Apr 16 13:56:22 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC31B12039A; Tue, 16 Apr 2019 13:56:20 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CInMWQ5VRG7y; Tue, 16 Apr 2019 13:56:19 -0700 (PDT) Received: from family.redbarn.org (family.redbarn.org [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F416120169; Tue, 16 Apr 2019 13:56:19 -0700 (PDT) Received: from [192.168.42.251] (unknown [5.33.6.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id BD0BE892C6; Tue, 16 Apr 2019 20:56:17 +0000 (UTC) To: dnsop@ietf.org, internet-drafts@ietf.org Cc: i-d-announce@ietf.org References: <155543713754.24998.8934172511539336013@ietfa.amsl.com> From: Paul Vixie Message-ID: <20273814-ad77-550d-4f56-0409a6a9bcb2@redbarn.org> Date: Tue, 16 Apr 2019 13:56:08 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.14 MIME-Version: 1.0 In-Reply-To: <155543713754.24998.8934172511539336013@ietfa.amsl.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-05.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Apr 2019 20:56:21 -0000 i remain opposed to the protocol described here, for reasons previously given. From nobody Thu Apr 18 04:05:01 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2C031200EA; Thu, 18 Apr 2019 04:04:59 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zm59IPbusOfj; Thu, 18 Apr 2019 04:04:56 -0700 (PDT) Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B35612009C; Thu, 18 Apr 2019 04:04:56 -0700 (PDT) Received: by mail-qt1-x834.google.com with SMTP id s15so1673782qtn.3; Thu, 18 Apr 2019 04:04:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Oz1K8Tb1TDj0o/z3dycjQ28v1P+VomDFN+WrNcRhK2s=; b=GhUVaHA5TPjvAla61vaxbIk8by4oNnApJvH61uOh5Mg1qT6XiABsl7tAT2D5wBzeLM xQ7shN4B9Sg0wQkbBdXEIwsef9reH5oDVZIa/Bkl3mcaLdqIV6UC+puQyC+mVoeVowDT kTQER39u3fUJ2/xLTx2sjecjDiYV37Gjm/eBMQb/givylYj5X/BrbHAoD94Wy8p2yFek hZL/TW4UHJ15eDJ3DO/lOkfycGURuDELacchWGzaSTtBGse44cVOvb80bWFm3d9NrBjj AwVJOTyxoe6JUpkoqbb/kGfoMCwg1HjkY0tExdWIRcY3xFUzVOGnCkUo73WRwNXNiz/Y VtPQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Oz1K8Tb1TDj0o/z3dycjQ28v1P+VomDFN+WrNcRhK2s=; b=Nml0P/KfPUiNf5yf2q0vFgJrk7ZXca5hMLuE7oWUsNMKcPiecszKXTa/NdbwyeHRXp eFN1TJJTMNWLzXHWbh9hiCbTvjFA3Ij3y7uzO6yXJGm0qy3akoJRIeIJh1k/JSnAMMm2 xHgwAx7ao2j3x3XLQ3tekcF4REwClXTa6cTvTVCmCdBGyf2JgdBQOoBvxBlEZ/EfcyJq 48GVGNof+qfWLFoO2QDa3L/aI83NQOjY+4+hSgk6IcvBZMvzxx+yTKrUAoVGEJw6ioJE lyZs0iwaOskRUmWL4DJUh6bbKv6SoV1PRImm7Sd9u9TdU57raUWTMp1E8NP7gI71Wl0+ BRdA== X-Gm-Message-State: APjAAAU/1Z1NLjruoo0RV8WXeixu4Ck9cecAKs5N93DkHOQBIQ351JN4 +8UoZUw5UzZ6sBH6gPrxLgRcPQj/43JqPT2+IldNMmgZyL0= X-Google-Smtp-Source: APXvYqwqnPd9XJOP4b8xd2V+nrSd76X3/DW2Nc+BzcPpfAepK769jJQtgO4zfldkXIgzsXZ9qL6eXXrtltYlWP6vivo= X-Received: by 2002:ac8:fc8:: with SMTP id f8mr75182630qtk.214.1555585495378; Thu, 18 Apr 2019 04:04:55 -0700 (PDT) MIME-Version: 1.0 References: <155543713754.24998.8934172511539336013@ietfa.amsl.com> In-Reply-To: <155543713754.24998.8934172511539336013@ietfa.amsl.com> From: Davey Song Date: Thu, 18 Apr 2019 19:04:44 +0800 Message-ID: To: internet-drafts@ietf.org, dnsop Cc: i-d-announce@ietf.org Content-Type: multipart/alternative; boundary="000000000000deb2050586cbf8e4" Archived-At: Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-05.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Apr 2019 11:05:00 -0000 --000000000000deb2050586cbf8e4 Content-Type: text/plain; charset="UTF-8" Some concerns and comments: 1) It sounds to me that the primary targeted outage described in this draft is on the authoritative server during DDOS attack especially. Think about a case of outage of resolver due to a failure in its network path to the authoritative server. Normally end user have more than one configured resolvers. If only one resolver experience the outage and serve the stale data, could the user tell which resolver have more refreshed data ? If not, it may impact users experience if they have to accept stale data during the period when they still have the choice for refreshed ones. As I mentioned the first time I read it, I dislike the fact of concealing using of stale data from end users. 2) I notice it is proposed as a stand track document. If more people here think its benefit outweighs its impacts, I prefer it published as informational document, because it is based on implementation and operation experience. There is no need to change the protocol and the definition of TTL. I prefer to take the serve-stale behavior as a local policy and a side channel in case of resolver's cache-miss. 3) A minor concern: in an thread in dns-operation mailing list last week, it is said that the behavior of serve stale in some ISPs is abused for reason of traffic hijack/tampering/spoofing. I'm afraid it will be encouraged by this document. Best regards, Davey On Wed, 17 Apr 2019 at 01:52, wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Domain Name System Operations WG of the > IETF. > > Title : Serving Stale Data to Improve DNS Resiliency > Authors : David C Lawrence > Warren "Ace" Kumari > Puneet Sood > Filename : draft-ietf-dnsop-serve-stale-05.txt > Pages : 12 > Date : 2019-04-16 > > Abstract: > This draft defines a method (serve-stale) for recursive resolvers to > use stale DNS data to avoid outages when authoritative nameservers > cannot be reached to refresh expired data. It updates the definition > of TTL from [RFC1034], [RFC1035], and [RFC2181] to make it clear that > data can be kept in the cache beyond the TTL expiry and used for > responses when a refreshed answer is not readily available. One of > the motivations for serve-stale is to make the DNS more resilient to > DoS attacks, and thereby make them less attractive as an attack > vector. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-05 > https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-serve-stale-05 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-serve-stale-05 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > I-D-Announce mailing list > I-D-Announce@ietf.org > https://www.ietf.org/mailman/listinfo/i-d-announce > Internet-Draft directories: http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > --000000000000deb2050586cbf8e4 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable

<It is my second time to read it. I may miss something discussed before. Sorry>

=C2=A0

Some concerns a= nd comments:

=C2=A0

1) It sounds to= me that the primary targeted outage described in this draft is on the authoritative server during DDOS a= ttack especially. Think about a case of outage of resolver due to a failure in its network path to the auth= oritative server. Normally end user have more than one configured resolvers. If only = one resolver experience the outage and serve the stale data, could the user tel= l which resolver have more refreshed data ? If not, it may impact users experience = if they have to accept stale data during the period when they still have the choice= for refreshed ones. As I mentioned the first time I read it, I dislike the fact= of concealing using of stale data from end users.=C2=A0

=C2=A0

2) I notice it = is proposed as a stand track document. If more people here think its benefit outweighs its impacts, I pr= efer it published as informational document, because it is based on implementati= on and operation experience. There is no need to change the protocol and the d= efinition of TTL. I prefer to take the serve-stale behavior as a local policy and a s= ide channel in case of resolver's cache-miss.

=C2=A0

3) A minor conc= ern: in an thread in dns-operation mailing list last week, it is said that the behavior of serve stale in some= ISPs is abused for reason of traffic hijack/tampering/spoofing. I'm afraid i= t will be encouraged by this document.

=C2=A0

Best regards,

Davey


On Wed, 17 Apr 2019 at 01:52, <internet-drafts@ietf.org> wrote:

A New Internet-Draft is available from the on-line Internet-Drafts director= ies.
This draft is a work item of the Domain Name System Operations WG of the IE= TF.

=C2=A0 =C2=A0 =C2=A0 =C2=A0 Title=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:= Serving Stale Data to Improve DNS Resiliency
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Authors=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0: Davi= d C Lawrence
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 Warren "Ace" Kumari
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 Puneet Sood
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Filename=C2=A0 =C2=A0 =C2=A0 =C2=A0 : draft-iet= f-dnsop-serve-stale-05.txt
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Pages=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:= 12
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Date=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 := 2019-04-16

Abstract:
=C2=A0 =C2=A0This draft defines a method (serve-stale) for recursive resolv= ers to
=C2=A0 =C2=A0use stale DNS data to avoid outages when authoritative nameser= vers
=C2=A0 =C2=A0cannot be reached to refresh expired data.=C2=A0 It updates th= e definition
=C2=A0 =C2=A0of TTL from [RFC1034], [RFC1035], and [RFC2181] to make it cle= ar that
=C2=A0 =C2=A0data can be kept in the cache beyond the TTL expiry and used f= or
=C2=A0 =C2=A0responses when a refreshed answer is not readily available.=C2= =A0 One of
=C2=A0 =C2=A0the motivations for serve-stale is to make the DNS more resili= ent to
=C2=A0 =C2=A0DoS attacks, and thereby make them less attractive as an attac= k
=C2=A0 =C2=A0vector.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft= -ietf-dnsop-serve-stale/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dn= sop-serve-stale-05
https://datatracker.ietf.org/do= c/html/draft-ietf-dnsop-serve-stale-05

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2= =3Ddraft-ietf-dnsop-serve-stale-05


Please note that it may take a couple of minutes from the time of submissio= n
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
I-D-Announce mailing list
I-D-Announce@iet= f.org
https://www.ietf.org/mailman/listinfo/i-d-announce=
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
--000000000000deb2050586cbf8e4-- From nobody Sat Apr 20 06:07:28 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id AC54B12012C; Sat, 20 Apr 2019 06:07:26 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.95.0 Auto-Submitted: auto-generated Precedence: bulk Reply-To: dnsop@ietf.org Message-ID: <155576564662.10401.14702748227134627009@ietfa.amsl.com> Date: Sat, 20 Apr 2019 06:07:26 -0700 Archived-At: Subject: [DNSOP] I-D Action: draft-ietf-dnsop-algorithm-update-10.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Apr 2019 13:07:27 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF. Title : Algorithm Implementation Requirements and Usage Guidance for DNSSEC Authors : Paul Wouters Ondrej Sury Filename : draft-ietf-dnsop-algorithm-update-10.txt Pages : 11 Date : 2019-04-20 Abstract: The DNSSEC protocol makes use of various cryptographic algorithms in order to provide authentication of DNS data and proof of non- existence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document defines the current algorithm implementation requirements and usage guidance for DNSSEC. This document obsoletes RFC6944. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-ietf-dnsop-algorithm-update-10 https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-algorithm-update-10 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-algorithm-update-10 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Mon Apr 22 12:19:34 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DA8E12014E; Mon, 22 Apr 2019 12:19:33 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: The IESG To: "IETF-Announce" X-Test-IDTracker: no X-IETF-IDTracker: 6.95.0 Auto-Submitted: auto-generated Precedence: bulk Cc: tjw.ietf@gmail.com, The IESG , dnsop-chairs@ietf.org, dnsop@ietf.org, Tim Wicinski , draft-ietf-dnsop-algorithm-update@ietf.org, warren@kumari.net, rfc-editor@rfc-editor.org Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Message-ID: <155596077324.21116.9676453959835250591.idtracker@ietfa.amsl.com> Date: Mon, 22 Apr 2019 12:19:33 -0700 Archived-At: Subject: [DNSOP] Protocol Action: 'Algorithm Implementation Requirements and Usage Guidance for DNSSEC' to Proposed Standard (draft-ietf-dnsop-algorithm-update-10.txt) X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Apr 2019 19:19:33 -0000 The IESG has approved the following document: - 'Algorithm Implementation Requirements and Usage Guidance for DNSSEC' (draft-ietf-dnsop-algorithm-update-10.txt) as Proposed Standard This document is the product of the Domain Name System Operations Working Group. The IESG contact persons are Warren Kumari and Ignas Bagdonas. A URL of this Internet Draft is: https://datatracker.ietf.org/doc/draft-ietf-dnsop-algorithm-update/ Technical Summary The DNSSEC protocol makes use of various cryptographic algorithms in order to provide authentication of DNS data and proof of non- existence. To ensure interoperability between DNS resolvers and DNS authoritative servers, it is necessary to specify a set of algorithm implementation requirements and usage guidelines to ensure that there is at least one algorithm that all implementations support. This document defines the current algorithm implementation requirements and usage guidance for DNSSEC. This document obsoletes [RFC6944]. Working Group Summary The Working Group did not have any controversy on this document. There was discussion around the 2119 Normative terms as this draft uses RECOMMENDED/NOT RECOMMENDED instead of SHOULD/SHOULD NOT. This did not cause any problems gaining consensus Document Quality Document is very concise and informative as it updates the list of recommendations for DNSKEY algorithms. The document (currently) has a section listing which implementations support with algorithms / requirements. Personnel Document Shepherd? Tim Wicinski Responsible Area Director? Warren Kumari RFC Editor Note Please remove section 4 "Implementation Status" plus all references to [RFC7942] prior to publication as an RFC. From nobody Wed Apr 24 02:44:53 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22743120315 for ; Wed, 24 Apr 2019 02:44:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1GPT0PQtESim for ; Wed, 24 Apr 2019 02:44:48 -0700 (PDT) Received: from lb2-smtp-cloud9.xs4all.net (lb2-smtp-cloud9.xs4all.net [194.109.24.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B75212023B for ; Wed, 24 Apr 2019 02:44:48 -0700 (PDT) Received: from [IPv6:2001:980:4eb1:1:61b2:b674:4656:d4b6] ([IPv6:2001:980:4eb1:1:61b2:b674:4656:d4b6]) by smtp-cloud9.xs4all.net with ESMTPSA id JESDh8yFvNExlJESEhQQ9d; Wed, 24 Apr 2019 11:44:44 +0200 From: Matthijs Mekking Openpgp: preference=signencrypt Autocrypt: addr=matthijs@isc.org; keydata= mQENBFwE8S0BCADtYae8WFJO5uKd1n8e/6nOJu/fc63+wrwugPevwfkLthb8URsu50JiQvhW 43Z7aLKV7bdYb6XrxBvTj/H03bBXxPMFChePi7ov+kQODVCaR+jlpaWJRuBUuh6Pbg9jlvj3 TCeTtsAv8e5JUno2uzRk/NVydC5kmx2c5OxxOkxAVugnAGY0+BoGEAXH5DHX4HMcooj1t9XL kWY1tbcZefEyvNpjBtjO00fIybx45slLR29muheZWN5m4r8FD+tJVO/sqfUXDK1P3pZ6cL52 wGrE4eHZOLsXDLiSQZqd226r3IOFtISjX7mWWXsN/OhvSU8Kq61hD0hNjYPXO9qVXggZABEB AAG0I01hdHRoaWpzIE1la2tpbmcgPG1hdHRoaWpzQGlzYy5vcmc+iQE4BBMBCAAiBQJcBPEt AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBUeXtXLXQVHslmB/9I/BEyoMwz2FeD AmjoD8hyfUurGFXgy2mBCbFAHvBwC1RwCpEihuUZKX4mzHluA94xToqTwVG3emOj/tLIdUPd EAhM8kCHqq/ggSnMnm/9nyIGCrYk5Ln6GWUG9GS9UnNZqDGNu4SjXcDpm0WvhV5D/e+J6fcL 6ZcPgWXtnsb6mdJLyviOqknFPLMPszdsyal94+w2tLDGDIMzIQ4HczIuRkIRnuim3b+AADPq 1lyjbuLceGKCziTC4oWzzFr1oF6gL/MslzRLJUsNwXCoTwhMM+MKE/nk58HR+DKYdi/LfxqR 7KBE3p8scLFCaqXPITYbBZci3SG4oPCUG8VTtqf1uQENBFwE8S0BCAD65Qe6tGP+cfSw3VuZ o7rKi+ZNMNY5t0fGt+BW8Euc8eTt4VAcKTaiEFhiOqvkGclUoRxTuhT8rYLiPhcjJhvj9S15 1P1nNNtXXcoo4lSiWDM/1mrvB0Mtjw24/pl1k93SVmJqMCz1QbDO7VmEgi4dX1evretALlun O348o6LerptDtnNtKavTUrJV51v2M/InepIk8rFZr8fRkyqbxgQJ+UvLOmBh9WJskyxPgJjb 2rEMOFGfhtEFqJRm6A+ozr21XWjU2GZlVfq0JAT2WelGuQ/3ZoT9cKyaBK+GSfMMJu1HxKw+ RZopTzEUP46adOYCkBaSknKRnHOhNkiCRe0xABEBAAGJAR8EGAEIAAkFAlwE8S0CGwwACgkQ VHl7Vy10FR7duAgArTxD+1ItUxeplSJiX9DT+fBBU6aKIpkN0otdHjs+KtsQfRfq4alVSKzD LMizDcZU+Maz3LEPVLUFYj0bgD3FL+Jp5mrfnEr1Y/QTCY2amaHFuN8Egvcw35Jj5WbZ2LnI KpIMKpskidd+C1nV6j9nNhqxLv0wiQWbOy6jjgKEIYO20lx3r0Ii3UqdQxVaw9DPTA7wZZbn XW0oCes332l3DhXxais9gaosLOPo/P6NKcq6V/n089wgw1NDBk7TR5zOpgUH8vprf+D3Z8hc bYMqKTVu6w+V0U6YIkzWLX2NrafrDO76GPGMXDNH+P3h8VFMacyacNj8f35Te5sI0kocnQ== To: "dnsop@ietf.org" Message-ID: <87d7d127-20cc-8044-277a-d31b1a546219@pletterpet.nl> Date: Wed, 24 Apr 2019 11:44:37 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-CMAE-Envelope: MS4wfDcWyE/0o33Jl96Z+PpnoVAZmGaMbvPrwl+rYhcKnTlUhyyxZkq8YZIo7jzUXeyd9XD5crjfakuTrk1BVQNoJod2fku2qMa7o1ELHjwYg8Ir76fMEfsb jK5Ldr/jwH1spfpECxIkpTcaGJgc+E6DYaTMVfwTujL/SJxMQmLPxUUKOYDzAdbTqUQb60PKkR+2IT4+gBBI2cit/wF+yeCW2xcZTnnXB6n4h19cypYE+5B1 +0XUxJBUmuDfVzsVe3mTSJWwKCVRd0WYbF5Pvnhrly8= Archived-At: Subject: [DNSOP] ANAME precedence [issue #58] X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Apr 2019 09:44:51 -0000 Hi, I would like to start separate threads on the remaining issues of the ANAME draft. One issue that remains to be solved is whether having an A or AAAA record next to the ANAME should take precedence or not. Draft: https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/ Issue: https://github.com/each/draft-aname/issues/58 This was discussed face to face during IETF 101 and at that time the conclusion was that the correct behavior is that ANAME takes precedence: If you implement ANAME, the target lookup for A and AAAA will always be made. If the lookup succeeds, the sibling address records are replaced with the target address records. If the lookup fails, the sibling address records remain in the zone. Jan Včelák mentioned that at least NS1 uses a different order of priority: If an sibling address record exists next to the ANAME it takes precedence and no target lookup is done for that address record type. In order to provide identical behavior between providers (make ANAME work in the multi-provider model) we should agree on the priority order. To me, it makes much more sense to use the sibling address record as a default, and the ANAME target lookup can replace the sibling address records. The target address records will improve the answer. If you place an override, adding an address record next to ANAME, you can achieve the same thing by not placing the ANAME record in your zone at all. But when the sibling address records take precedence, it has the property that you can set up ANAME for only one address type, for example ANAME for A but not for AAAA. I would like to know if there is a good use case for having this property. I would like to hear an opinion from the working group (preferably from ANAME providers). Specifically do you have a preference of priority order? Do you think having the "set up ANAME for one address type" property is worth having? Thanks, Matthijs From nobody Thu Apr 25 09:47:25 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FBCC1202F3; Thu, 25 Apr 2019 09:47:13 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: IETF Meeting Session Request Tool To: Cc: tjw.ietf@gmail.com, warren@kumari.net, dnsop@ietf.org, dnsop-chairs@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.95.0 Auto-Submitted: auto-generated Precedence: bulk Message-ID: <155621083351.1179.13322142313177835909.idtracker@ietfa.amsl.com> Date: Thu, 25 Apr 2019 09:47:13 -0700 Archived-At: Subject: [DNSOP] dnsop - New Meeting Session Request for IETF 105 X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2019 16:47:23 -0000 A new meeting session request has just been submitted by Tim Wicinski, a Chair of the dnsop working group. --------------------------------------------------------- Working Group Name: Domain Name System Operations Area Name: Operations and Management Area Session Requester: Tim Wicinski Number of Sessions: 2 Length of Session(s): 2 Hours, 1 Hour Number of Attendees: 160 Conflicts to Avoid: First Priority: dhc homenet dnssd dprive doh maprg Second Priority: intarea trans acme dmarc lamps People who must be present: Suzanne Woolf Warren "Ace" Kumari Tim Wicinski Benno Overeinder Resources Requested: Special Requests: --------------------------------------------------------- From nobody Thu Apr 25 11:34:49 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0EB31200EA for ; Thu, 25 Apr 2019 11:34:47 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.669 X-Spam-Level: X-Spam-Status: No, score=-0.669 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sLbT539xiU4s for ; Thu, 25 Apr 2019 11:34:46 -0700 (PDT) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 977BD120074 for ; Thu, 25 Apr 2019 11:34:45 -0700 (PDT) Received: by mail-wm1-f51.google.com with SMTP id v14so600121wmf.2 for ; Thu, 25 Apr 2019 11:34:45 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UrECqf6N5yatW7MsJG1oha8au4OEnOnlvyfmrdMfRwQ=; b=qoSmbHJXStKjEey+nURLcwK/wdkM4oDG5tTaiTZ8Rb7U1l5AW7vMoWVisYdLhs5RE1 lcCs5r0Sskw6sFD46XLBhByo8XvRVDogyMQpETiXnB1YoGDfV2ro1VDUhGWspE8gWjEt yFtTReEJC4un2XGIvr23GhT5aQVaT/lk6+6OMakUPX/U/i0ys2U48QtFMLCrraucQ6Bd KXjYfLfxuiAVbNFc2IuiPzRh41Y44Vx9GBS8mhxPPjYrYdmlt61LJw1zqLLwNjghkOVR dSKMkLeEt7eQPIbY4cS8igOCG5f1ZEBNaWpwXvpDgUE9O8uPtNVkmbJdYdAu+XnAfqx2 M1ug== X-Gm-Message-State: APjAAAXfFX3nSMZXZaI8MQUEfldangRwCs5/+BUUEV+9uRRVHxWvWBX8 fcO5bdRPS2fiphUIRNFSmyYsBJaTzwoUw5pjLb1VWA== X-Google-Smtp-Source: APXvYqySbP33ACCEGH8jAp7XRSpRnf9gflQ8Cs66q4MMzn0MmTMJ7h62L1acsKJXRDnDe6mZLQwKhfKNNz13zEXLITg= X-Received: by 2002:a1c:9991:: with SMTP id b139mr4824661wme.53.1556217283784; Thu, 25 Apr 2019 11:34:43 -0700 (PDT) MIME-Version: 1.0 References: <87d7d127-20cc-8044-277a-d31b1a546219@pletterpet.nl> In-Reply-To: <87d7d127-20cc-8044-277a-d31b1a546219@pletterpet.nl> From: =?UTF-8?B?56We5piO6YGU5ZOJ?= Date: Thu, 25 Apr 2019 11:34:32 -0700 Message-ID: To: Matthijs Mekking Cc: "dnsop@ietf.org" Content-Type: multipart/alternative; boundary="00000000000064b31705875f1213" Archived-At: Subject: Re: [DNSOP] ANAME precedence [issue #58] X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2019 18:34:48 -0000 --00000000000064b31705875f1213 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable At Wed, 24 Apr 2019 11:44:37 +0200, Matthijs Mekking wrote: > I would like to start separate threads on the remaining issues of the > ANAME draft. One issue that remains to be solved is whether having an A > or AAAA record next to the ANAME should take precedence or not. > > Draft: https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/ > Issue: https://github.com/each/draft-aname/issues/58 [...] > Jan V=C4=8Del=C3=A1k mentioned that at least NS1 uses a different order o= f > priority: If an sibling address record exists next to the ANAME it takes > precedence and no target lookup is done for that address record type. Is this choice #2 of the github issue #58? >> sibling address records take precedence, don't to a target lookup for an address type next to the ANAME. I'm not sure what this means...if this approach is taken and an authoritative server has these for an example.com zone: a.example.com. ANAME another.example.org. a.example.com. AAAA 2001:db8::1 then, does it always just return the AAAA RRset to a query for a.example.com/AAAA, regardless of any possible changes to another.example.org/AAAA? How is that AAAA created in the first place? (Is it taken from another.example.org/AAAA or completely up to the example.com maintainer?). Also, especially if both AAAA and A sibling records are available, what's the purpose of ANAME in the first place if it's (effectively) not used? I'm sure I'm just confused and don't understand the expected usage, but I can't figure it out from the available descriptions. Could you clarify it? -- JINMEI, Tatuya --00000000000064b31705875f1213 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
At Wed, 24 Apr 2019 11:4= 4:37 +0200,
Matthijs Mekking <matthijs@pletterpet.nl> wrote:

> I wo= uld like to start separate threads on the remaining issues of the
> A= NAME draft. One issue that remains to be solved is whether having an A
&= gt; or AAAA record next to the ANAME should take precedence or not.
>=
>=C2=A0=C2=A0 Draft: https://datatracker.ietf.org/doc/d= raft-ietf-dnsop-aname/
>=C2=A0=C2=A0 Issue: https://github.com/e= ach/draft-aname/issues/58
[...]
> Jan V=C4=8Del=C3=A1k mention= ed that at least NS1 uses a different order of
> priority: If an sibl= ing address record exists next to the ANAME it takes
> precedence and= no target lookup is done for that address record type.

Is this choi= ce #2 of the github issue #58?

>> sibling address records take= precedence, don't to a target lookup for an address type next to the A= NAME.

I'm not sure what this means...if this approach is taken a= nd an
authoritative server has these for an example.com zone:

a.example.com. ANAME another.example.org.
a.example.com. AAAA 2001:db8::1

then, does it always just re= turn the AAAA RRset to a query for
a.example.com/AAAA, regardless of any possible chang= es to
anot= her.example.org/AAAA?

How is that AAAA created in the first plac= e?=C2=A0 (Is it taken from
another.example.org/AAAA or completely up to the example.com
maintainer?)= .

Also, especially if both AAAA and A sibling records are available,=
what's the purpose of ANAME in the first place if it's (effecti= vely)
not used?

I'm sure I'm just confused and don't = understand the expected usage,
but I can't figure it out from the av= ailable descriptions.=C2=A0 Could you
clarify it?

--
JINMEI, T= atuya
--00000000000064b31705875f1213-- From nobody Thu Apr 25 11:41:33 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6363A1200F9 for ; Thu, 25 Apr 2019 11:41:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnsimple.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oWrlAYDsLuge for ; Thu, 25 Apr 2019 11:41:29 -0700 (PDT) Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA6F51200EA for ; Thu, 25 Apr 2019 11:41:28 -0700 (PDT) Received: by mail-wr1-x431.google.com with SMTP id s18so835000wrp.0 for ; Thu, 25 Apr 2019 11:41:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnsimple.com; s=mail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nX373zoD1KjM+SUCqOJfZdeHhCKq6/P6yRRtdPw2zSE=; b=dcMRGTQaurpyFeFIAaJQ+7l1NRS3ntfXWqtVnvqEpsv78iHG1BXFG1ds35gp1KaHvy Ju9i7ZOW6XezFL5zI5rFu/8A74QKfe+PWd2M6rqM6p9SkVjj49iSttMCA0SZcMN6/Qly fmpoND/R+a3GMpPfv4VLUjjdP6IQERtdmPskc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nX373zoD1KjM+SUCqOJfZdeHhCKq6/P6yRRtdPw2zSE=; b=MmxMdBBPnEncIRqf79sC43D0o3McjiiS5ZA9IC/UPUNSMltExHMK7F5txw6756shgx kpigS3siDgVEyEh5W+oLXXWZ3NwlA7SSnIqqQvHHoo7EFZgKOuWqy1OkktnoSHuRuG4K byyG2VMS9b4Ws8ShiLjorINkKdcGyqaFU+97KBMDfgqhklcOtiVrpw5jjIjuTAjFI67m 6EZmibK5Y46e/ut/Qn/fiFiml/D77Ub9FCNhm4LwwilWg0zhArDFn1k5oHexLbFigjJ6 tHOuiQot3pmEe+1aVr2xQRFlRUs1R1LbR3ev1uqjVYGUL2oBBEL6CpSv1FaCT925VHOo AhgA== X-Gm-Message-State: APjAAAU5cwUd0B0nBBrTvo0PF6h9J7gbd3274Cy3Z3nBuNkzpAEXc7QJ dTPA7dtNv2q4MJTnkUiDO3v/Zu8TXcV6tAx8/XU7yg== X-Google-Smtp-Source: APXvYqzBpDvkHAyLcEHnS1zFo1P33KSii0TK8vZu15+GeO1yYL46axw5nkQ5huz/VQ9kHut5tSlVfMbYtM6FHgP8BVQ= X-Received: by 2002:a05:6000:110a:: with SMTP id z10mr10983279wrw.86.1556217687372; Thu, 25 Apr 2019 11:41:27 -0700 (PDT) MIME-Version: 1.0 References: <87d7d127-20cc-8044-277a-d31b1a546219@pletterpet.nl> In-Reply-To: <87d7d127-20cc-8044-277a-d31b1a546219@pletterpet.nl> From: Anthony Eden Date: Thu, 25 Apr 2019 14:41:16 -0400 Message-ID: To: Matthijs Mekking Cc: "dnsop@ietf.org" Content-Type: multipart/alternative; boundary="0000000000007310ce05875f2aee" Archived-At: Subject: Re: [DNSOP] ANAME precedence [issue #58] X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 25 Apr 2019 18:41:32 -0000 --0000000000007310ce05875f2aee Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I've commented on the GH issue directly. -Anthony P.S. To everyone involved, thank you for continuing your hard work on this specification. On Wed, Apr 24, 2019 at 5:45 AM Matthijs Mekking wrote: > Hi, > > I would like to start separate threads on the remaining issues of the > ANAME draft. One issue that remains to be solved is whether having an A > or AAAA record next to the ANAME should take precedence or not. > > Draft: https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/ > Issue: https://github.com/each/draft-aname/issues/58 > > This was discussed face to face during IETF 101 and at that time the > conclusion was that the correct behavior is that ANAME takes precedence: > If you implement ANAME, the target lookup for A and AAAA will always be > made. If the lookup succeeds, the sibling address records are replaced > with the target address records. If the lookup fails, the sibling > address records remain in the zone. > > Jan V=C4=8Del=C3=A1k mentioned that at least NS1 uses a different order o= f > priority: If an sibling address record exists next to the ANAME it takes > precedence and no target lookup is done for that address record type. > > In order to provide identical behavior between providers (make ANAME > work in the multi-provider model) we should agree on the priority order. > > To me, it makes much more sense to use the sibling address record as a > default, and the ANAME target lookup can replace the sibling address > records. The target address records will improve the answer. > > If you place an override, adding an address record next to ANAME, you > can achieve the same thing by not placing the ANAME record in your zone > at all. > > But when the sibling address records take precedence, it has the > property that you can set up ANAME for only one address type, for > example ANAME for A but not for AAAA. I would like to know if there is a > good use case for having this property. > > I would like to hear an opinion from the working group (preferably from > ANAME providers). Specifically do you have a preference of priority > order? Do you think having the "set up ANAME for one address type" > property is worth having? > > > Thanks, > > Matthijs > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > --=20 DNSimple.com http://dnsimple.com/ Twitter: @dnsimple --0000000000007310ce05875f2aee Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I've commented on the GH issue directly.

-Anthony

P.S. To everyone involved, thank you = for continuing your hard work on this specification.

<= div class=3D"gmail_quote">
On Wed, Apr= 24, 2019 at 5:45 AM Matthijs Mekking <matthijs@pletterpet.nl> wrote:
Hi,

I would like to start separate threads on the remaining issues of the
ANAME draft. One issue that remains to be solved is whether having an A
or AAAA record next to the ANAME should take precedence or not.

=C2=A0 Draft: https://datatracker.ietf.org/d= oc/draft-ietf-dnsop-aname/
=C2=A0 Issue: https://github.com/each/draft-aname/issue= s/58

This was discussed face to face during IETF 101 and at that time the
conclusion was that the correct behavior is that ANAME takes precedence: If you implement ANAME, the target lookup for A and AAAA will always be
made. If the lookup succeeds, the sibling address records are replaced
with the target address records. If the lookup fails, the sibling
address records remain in the zone.

Jan V=C4=8Del=C3=A1k mentioned that at least NS1 uses a different order of<= br> priority: If an sibling address record exists next to the ANAME it takes precedence and no target lookup is done for that address record type.

In order to provide identical behavior between providers (make ANAME
work in the multi-provider model) we should agree on the priority order.
To me, it makes much more sense to use the sibling address record as a
default, and the ANAME target lookup can replace the sibling address
records. The target address records will improve the answer.

If you place an override, adding an address record next to ANAME, you
can achieve the same thing by not placing the ANAME record in your zone
at all.

But when the sibling address records take precedence, it has the
property that you can set up ANAME for only one address type, for
example ANAME for A but not for AAAA. I would like to know if there is a good use case for having this property.

I would like to hear an opinion from the working group (preferably from
ANAME providers). Specifically do you have a preference of priority
order? Do you think having the "set up ANAME for one address type"= ;
property is worth having?


Thanks,

Matthijs

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


--
DNSimple.com
http://dnsimple.com/
Twitter: @dnsimple
--0000000000007310ce05875f2aee-- From nobody Fri Apr 26 00:17:11 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 54DF712019F for ; Fri, 26 Apr 2019 00:17:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T03XeGaBOfBW for ; Fri, 26 Apr 2019 00:17:07 -0700 (PDT) Received: from lb1-smtp-cloud8.xs4all.net (lb1-smtp-cloud8.xs4all.net [194.109.24.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45AB912008C for ; Fri, 26 Apr 2019 00:17:06 -0700 (PDT) Received: from [IPv6:2001:980:4eb1:1:9815:2abb:4706:f55d] ([IPv6:2001:980:4eb1:1:9815:2abb:4706:f55d]) by smtp-cloud8.xs4all.net with ESMTPSA id Jv6QhXrAqb8gSJv6RhqPm2; Fri, 26 Apr 2019 09:17:04 +0200 To: dnsop@ietf.org References: <87d7d127-20cc-8044-277a-d31b1a546219@pletterpet.nl> From: Matthijs Mekking Message-ID: <0dafbeaa-acc0-c5fc-d917-b3f8cd88e0a5@pletterpet.nl> Date: Fri, 26 Apr 2019 09:16:58 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-CMAE-Envelope: MS4wfFBUJ4uQONjXTi6m58ALyMfHxBUIX9UofpM8XPGaXUclge/ph/BUkYK4hkUU7NeVAkk8T0ai4TvjoXOpWJeNp7OLErfuxNjQ5EFLjfQWXtZHD+/UppPG 16ODL1GoCtat8lLZ+kj6mzMP7E2rwS0xMPlVQEJZvjNQfGPFoHT1mxuG2NAhAAhDNdXLBq+MaNYYI8/mYfI1gCYmAUmTIFLgO+0ahXVRcJ57wwt3yz6wyPJ8 wGxEsNLsJ0MyrInLCu3XlK+1lltivU6aau4VW9C4xyc= Archived-At: Subject: Re: [DNSOP] ANAME precedence [issue #58] X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Apr 2019 07:17:10 -0000 On 4/25/19 8:34 PM, 神明達哉 wrote: > At Wed, 24 Apr 2019 11:44:37 +0200, > Matthijs Mekking > wrote: > >> I would like to start separate threads on the remaining issues of the >> ANAME draft. One issue that remains to be solved is whether having an A >> or AAAA record next to the ANAME should take precedence or not. >> >>   Draft: https://datatracker.ietf.org/doc/draft-ietf-dnsop-aname/ >>   Issue: https://github.com/each/draft-aname/issues/58 > [...] >> Jan Včelák mentioned that at least NS1 uses a different order of >> priority: If an sibling address record exists next to the ANAME it takes >> precedence and no target lookup is done for that address record type. > > Is this choice #2 of the github issue #58? Correct. >>> sibling address records take precedence, don't to a target lookup for > an address type next to the ANAME. > > I'm not sure what this means...if this approach is taken and an > authoritative server has these for an example.com zone: > > a.example.com . ANAME another.example.org > . > a.example.com . AAAA 2001:db8::1 > > then, does it always just return the AAAA RRset to a query for > a.example.com/AAAA , regardless of any > possible changes to > another.example.org/AAAA ? That is exactly what choice #2 does. But it can do a target lookup for the A RRset. > How is that AAAA created in the first place?  (Is it taken from > another.example.org/AAAA or completely > up to the example.com > maintainer?).. The AAAA record may initially be added to the example.com zone by the zone operator. With choice #2 it is not updated by the ANAME (with choice #1 it is). > Also, especially if both AAAA and A sibling records are available, > what's the purpose of ANAME in the first place if it's (effectively) > not used? > > I'm sure I'm just confused and don't understand the expected usage, > but I can't figure it out from the available descriptions.  Could you > clarify it? Personally I agree that the purpose of ANAME becomes less useful with choice #2. The difference is that you can set up ANAME for example for AAAA only, or for A only. I don't know what the expected usage of that is, and that is why I am asking on the list. If it turns out there is no useful case, I think we should put text in the draft that says ANAME takes precedence over sibling A and AAAA records. Best regards, Matthijs > > -- > JINMEI, Tatuya > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > From nobody Fri Apr 26 02:23:32 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 891B01202F0; Fri, 26 Apr 2019 02:23:31 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cis-india.org Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KK3h4bw9Mldf; Fri, 26 Apr 2019 02:23:29 -0700 (PDT) Received: from smarthost1.greenhost.nl (smarthost1.greenhost.nl [195.190.28.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A3BF1201C8; Fri, 26 Apr 2019 02:23:28 -0700 (PDT) Received: from smtp.greenhost.nl ([213.108.110.112]) by smarthost1.greenhost.nl with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.89) (envelope-from ) id 1hJx4m-0007p0-0M; Fri, 26 Apr 2019 11:23:24 +0200 DKIM-Filter: OpenDKIM Filter v2.10.3 mail.cis-india.org 3C304580B7B59 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cis-india.org; s=6F901CFA-19A8-11E9-98F1-CB07954443DB; t=1556270538; bh=6xpGEGsKgcygvK1PXJXDn07lxMHiIWydnkfGHYUAGME=; h=Mime-Version:From:Date:Message-Id:To; b=jZ4bq/d3DXvplSAyCTBklO0dT2fgJq4oRZ1DqRWrabMq5ugbMPQZKwmR0MGdpt9LD e6TOZ07cSbu/W+PKWf30f4bmszNmpsstx3eiQLewhZ64xCUZ5nA+aHRTzfKJHLMj9o 7amUyYIAi0eKs5jfeARBtiD4oL9vmRq4bKjdEau/dggfsZcKXEtVaUnWGFKRaCAQ5u 2xBlrfk1oFwJ9YKjodqc9lRO1I6AemA9h5BOoPBTBkdnRrk/pDyQ1sci+hQ/XN3ZYc mxQYgm7Vlr5v35Ax7TIofadgsVWTHtMSGRRpnoQmwnFwuS1aAe8YqXfIDsgRNyANVg ckTLH9Hs88GdA== Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\)) From: Karan Saini In-Reply-To: Date: Fri, 26 Apr 2019 14:53:10 +0530 Cc: internet-drafts@ietf.org, dnsop , i-d-announce@ietf.org Content-Transfer-Encoding: quoted-printable Message-Id: <4AD81AC2-0192-42A8-94CE-EB5DD1EE2FD6@cis-india.org> References: <155543713754.24998.8934172511539336013@ietfa.amsl.com> To: Davey Song X-Mailer: Apple Mail (2.3445.104.8) X-Virus-Scanned: by clamav at smarthost1.samage.net X-Scan-Signature: a9e4b997d6a751f3e45cb47a3c2b1d2c Archived-At: Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-05.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Apr 2019 09:23:31 -0000 Hi, Comment is in-line. > On 18-Apr-2019, at 4:34 PM, Davey Song wrote: >=20 > > =20 > Some concerns and comments: > =20 > 1) It sounds to me that the primary targeted outage described in this = draft is on the authoritative server during DDOS attack especially. = Think about a case of outage of resolver due to a failure in its network = path to the authoritative server. Normally end user have more than one = configured resolvers. If only one resolver experience the outage and = serve the stale data, could the user tell which resolver have more = refreshed data ? If not, it may impact users experience if they have to = accept stale data during the period when they still have the choice for = refreshed ones. As I mentioned the first time I read it, I dislike the = fact of concealing using of stale data from end users.=20 > =20 > 2) I notice it is proposed as a stand track document. If more people = here think its benefit outweighs its impacts, I prefer it published as = informational document, because it is based on implementation and = operation experience. There is no need to change the protocol and the = definition of TTL. I prefer to take the serve-stale behavior as a local = policy and a side channel in case of resolver's cache-miss. I agree with Davey, perhaps publishing this as an experimental or = informational document may be beneficial for the purpose that is trying = to be fulfilled. > =20 > 3) A minor concern: in an thread in dns-operation mailing list last = week, it is said that the behavior of serve stale in some ISPs is abused = for reason of traffic hijack/tampering/spoofing. I'm afraid it will be = encouraged by this document. > =20 > Best regards, > Davey >=20 > On Wed, 17 Apr 2019 at 01:52, wrote: >=20 > A New Internet-Draft is available from the on-line Internet-Drafts = directories. > This draft is a work item of the Domain Name System Operations WG of = the IETF. >=20 > Title : Serving Stale Data to Improve DNS Resiliency > Authors : David C Lawrence > Warren "Ace" Kumari > Puneet Sood > Filename : draft-ietf-dnsop-serve-stale-05.txt > Pages : 12 > Date : 2019-04-16 >=20 > Abstract: > This draft defines a method (serve-stale) for recursive resolvers = to > use stale DNS data to avoid outages when authoritative nameservers > cannot be reached to refresh expired data. It updates the = definition > of TTL from [RFC1034], [RFC1035], and [RFC2181] to make it clear = that > data can be kept in the cache beyond the TTL expiry and used for > responses when a refreshed answer is not readily available. One of > the motivations for serve-stale is to make the DNS more resilient = to > DoS attacks, and thereby make them less attractive as an attack > vector. >=20 >=20 > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-serve-stale/ >=20 > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-dnsop-serve-stale-05 > https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-serve-stale-05 >=20 > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=3Ddraft-ietf-dnsop-serve-stale-05 >=20 >=20 > Please note that it may take a couple of minutes from the time of = submission > until the htmlized version and diff are available at tools.ietf.org. >=20 > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ >=20 > _______________________________________________ > I-D-Announce mailing list > I-D-Announce@ietf.org > https://www.ietf.org/mailman/listinfo/i-d-announce > Internet-Draft directories: http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop From nobody Fri Apr 26 11:30:16 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4383120174 for ; Fri, 26 Apr 2019 11:30:14 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.669 X-Spam-Level: X-Spam-Status: No, score=-0.669 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.979, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FZbTTZaPVGJB for ; Fri, 26 Apr 2019 11:30:13 -0700 (PDT) Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com [209.85.221.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D73EA120046 for ; Fri, 26 Apr 2019 11:30:12 -0700 (PDT) Received: by mail-wr1-f44.google.com with SMTP id v16so3288801wrp.1 for ; Fri, 26 Apr 2019 11:30:12 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NFRLIs9EhBft7SW0xt9L/XXfeyaev/icw+Atf2RKaoA=; b=Db6cGPAcj8G1ZZyZKw0d9MY/dRKeRoXexCgJMdPGaIVXs19mP+uRPEOKKmA0C0gTLX m+ho+PTiC7skVwQNPbDCXnF2xrXixvCgNZHU5HsxDZvkldrAlecSLRBk9ggqHAN0koS3 jYjxAZ4EWDMEt+3hEFARp3hsOf87jhLCN1o8K3mU+2i7Uh230sF82nbA35PQ0y8fy8iz za/fP2dvguI2EKSfufd7kNTaIrv0XFWPsdDC3YJc3kZEljWL71KSi4x4gpFQ01gi1F7X YW+MzV5CVqbG3Oz7jlIhHNJAh0WX6FkeWDaCuaFJJ2IBvzyTPLF33qxZLZ/+NLrGIAML rRMQ== X-Gm-Message-State: APjAAAUxALbfcdPEKm7kVuqo3EX4/QIMK5Lha/QwKiYn4FlKNevGUcW1 wdWt6ag2EGWFPbtErb1c+/W/wjgu9TRA28mBfNYfMgO4 X-Google-Smtp-Source: APXvYqzW9ZYbHDU1b2F2Zfs7k0vdRKsjSKEBq5XGkZOf8b3KKaZH6BBaeVrmgWOxzEpqBun7zkNxxVxBtTxOtnsrfP4= X-Received: by 2002:adf:b68d:: with SMTP id j13mr33793263wre.50.1556303411069; Fri, 26 Apr 2019 11:30:11 -0700 (PDT) MIME-Version: 1.0 References: <87d7d127-20cc-8044-277a-d31b1a546219@pletterpet.nl> <0dafbeaa-acc0-c5fc-d917-b3f8cd88e0a5@pletterpet.nl> In-Reply-To: <0dafbeaa-acc0-c5fc-d917-b3f8cd88e0a5@pletterpet.nl> From: =?UTF-8?B?56We5piO6YGU5ZOJ?= Date: Fri, 26 Apr 2019 11:29:59 -0700 Message-ID: To: Matthijs Mekking Cc: dnsop Content-Type: multipart/alternative; boundary="000000000000fac6ec0587731f65" Archived-At: Subject: Re: [DNSOP] ANAME precedence [issue #58] X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Apr 2019 18:30:15 -0000 --000000000000fac6ec0587731f65 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable At Fri, 26 Apr 2019 09:16:58 +0200, Matthijs Mekking wrote: > > Also, especially if both AAAA and A sibling records are available, > > what's the purpose of ANAME in the first place if it's (effectively) > > not used? > > > > I'm sure I'm just confused and don't understand the expected usage, > > but I can't figure it out from the available descriptions. Could you > > clarify it? > > Personally I agree that the purpose of ANAME becomes less useful with > choice #2. The difference is that you can set up ANAME for example for > AAAA only, or for A only. I don't know what the expected usage of that > is, and that is why I am asking on the list. If it turns out there is no > useful case, I think we should put text in the draft that says ANAME > takes precedence over sibling A and AAAA records. Okay. In that case I agree we should go for choice #1 (ANAME should be preferred) unless the expected usage for choice #2 is clarified and convinces us (the wg). Choice #2 looks awkward to me especially if we consider the case where both AAAA and A siblings exist. According to your original message choice #2 was derived from the behavior of a particular implementation: > Jan V=C4=8Del=C3=A1k mentioned that at least NS1 uses a different order o= f > priority: If an sibling address record exists next to the ANAME it takes > precedence and no target lookup is done for that address record type. if there's a specific use case where this behavior is important, either the developer or user of this implementation should be able to clarify that. At least until we know that I don't see the point of considering this choice. -- JINMEI, Tatuya --000000000000fac6ec0587731f65 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
At Fri, 26 Apr 2019 09:1= 6:58 +0200,
Matthijs Mekking <matthijs@pletterpet.nl> wrote:

> > Also, especially = if both AAAA and A sibling records are available,
> > what's t= he purpose of ANAME in the first place if it's (effectively)
> &g= t; not used?
> >
> > I'm sure I'm just confused = and don't understand the expected usage,
> > but I can't f= igure it out from the available descriptions.=C2=A0 Could you
> > = clarify it?
>
> Personally I agree that the purpose of ANAME b= ecomes less useful with
> choice #2.=C2=A0 The difference is that you= can set up ANAME for example for
> AAAA only, or for A only. I don&#= 39;t know what the expected usage of that
> is, and that is why I am = asking on the list. If it turns out there is no
> useful case, I thin= k we should put text in the draft that says ANAME
> takes precedence = over sibling A and AAAA records.

Okay.=C2=A0 In that case I agree we= should go for choice #1 (ANAME should
be preferred) unless the expected= usage for choice #2 is clarified and
convinces us (the wg).=C2=A0 Choic= e #2 looks awkward to me especially if we
consider the case where both A= AAA and A siblings exist.

According to your original message choice = #2 was derived from the
behavior of a particular implementation:

= > Jan V=C4=8Del=C3=A1k mentioned that at least NS1 uses a different orde= r of
> priority: If an sibling address record exists next to the ANAM= E it takes
> precedence and no target lookup is done for that address= record type.

if there= 's a specific use case where this behavior is important,
either the = developer or user of this implementation should be able to
clarify that.= =C2=A0 At least until we know that I don't see the point of
consider= ing this choice.

--
JINMEI, Tatuya
--000000000000fac6ec0587731f65-- From nobody Mon Apr 29 17:00:41 2019 Return-Path: X-Original-To: dnsop@ietf.org Delivered-To: dnsop@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A23AF1201EA; Mon, 29 Apr 2019 17:00:38 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit From: internet-drafts@ietf.org To: Cc: dnsop@ietf.org X-Test-IDTracker: no X-IETF-IDTracker: 6.95.1 Auto-Submitted: auto-generated Precedence: bulk Reply-To: dnsop@ietf.org Message-ID: <155658243855.16316.18029354473288109146@ietfa.amsl.com> Date: Mon, 29 Apr 2019 17:00:38 -0700 Archived-At: Subject: [DNSOP] I-D Action: draft-hoffman-dns-terminology-ter-01.txt X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 00:00:39 -0000 A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF. Title : Terminology for DNS Transports and Location Author : Paul Hoffman Filename : draft-hoffman-dns-terminology-ter-01.txt Pages : 3 Date : 2019-04-29 Abstract: This document adds terms and abbreviations to "DNS Terminology" (RFC 8499) that relate to DNS running over various transports, as well as terms and abbreviations for DNS resolution at traditional and non- traditional locations. [[ This is an early attempt at these terms. They will probably be improved over time. ]] The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-hoffman-dns-terminology-ter/ There are also htmlized versions available at: https://tools.ietf.org/html/draft-hoffman-dns-terminology-ter-01 https://datatracker.ietf.org/doc/html/draft-hoffman-dns-terminology-ter-01 A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-hoffman-dns-terminology-ter-01 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ From nobody Tue Apr 30 02:56:31 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FC1B12028A for ; Tue, 30 Apr 2019 02:56:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.022 X-Spam-Level: X-Spam-Status: No, score=-1.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fcelda.cz Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aF08cFWCLjTu for ; Tue, 30 Apr 2019 02:56:28 -0700 (PDT) Received: from mail-vs1-xe35.google.com (mail-vs1-xe35.google.com [IPv6:2607:f8b0:4864:20::e35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D6B9120125 for ; Tue, 30 Apr 2019 02:56:27 -0700 (PDT) Received: by mail-vs1-xe35.google.com with SMTP id n17so7647859vsr.1 for ; Tue, 30 Apr 2019 02:56:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fcelda.cz; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=d/X9V3BEuM/6446rJ7Refh99+S3wd6gG2sm0XYPTRFc=; b=MzTmmZtkVwgDqXEq0v/1QiKnIQ7Q5sZMAHlODRPk7SeSqECx5Lal8ysVInQjMxbMpu JrgFb4g/U0UFPrgMPzQyaQ8Tvvsw5tpX2Biit/Rd0atGviDCZl6gkhQ9tvN5JsKDTmd5 6CqBPpPFt/RDk+6ZAUsmo9vPYenzUj2AVLaRo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=d/X9V3BEuM/6446rJ7Refh99+S3wd6gG2sm0XYPTRFc=; b=bizHUWzrA8k4liX+V4MzofP2wgJe2Nxnw6QkaR68dTSMT7TsNocwe+NTP+7pARtnjd y5Md6jMDcwIzKS/mAC00L6Uzm/z56rjEiVWRNiyW7dxbs2xeKKUHAsp/WuEMXHQSs9ik HXd9xCvPfDcEhgedP6V1KDcHj1VGUJ3GH6vMqomdw6wOb0B0ovobL9Lg5+ZpXohiSvN/ w79yFbbAOJus2OPbQt9xjhH23ZPN5FHhRMyUiWgdURv5MMxAGPwUDqCUgUNDn1GEEG4g q49+iFIhSRsAgGUGKzu824FPBwRA3S8oEtUozbUyzTzeP0N/O1fkKEHNskSnpmciSKAt dUZA== X-Gm-Message-State: APjAAAWo6P0otYj1eslTotmfA4z+It79u6Ke//mD5RKI1fuuY6ydBeRq 1+VtojyXiiCsjexavXba01hzUhSlFtGlTfzlWBvniHGvymQ3Ng== X-Google-Smtp-Source: APXvYqwTQ3bkWdVTocAr0TkFzJPGi/MBERYZZgINm+pAneiywa/U/p9dTVMY8Z/+VdCBVFuNcRzeoyHv4jWSeweSYCI= X-Received: by 2002:a67:1006:: with SMTP id 6mr8283493vsq.103.1556618186581; Tue, 30 Apr 2019 02:56:26 -0700 (PDT) MIME-Version: 1.0 References: <87d7d127-20cc-8044-277a-d31b1a546219@pletterpet.nl> <0dafbeaa-acc0-c5fc-d917-b3f8cd88e0a5@pletterpet.nl> In-Reply-To: From: =?UTF-8?B?SmFuIFbEjWVsw6Fr?= Date: Tue, 30 Apr 2019 11:56:15 +0200 Message-ID: To: =?UTF-8?B?56We5piO6YGU5ZOJ?= Cc: Matthijs Mekking , dnsop Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Archived-At: Subject: Re: [DNSOP] ANAME precedence [issue #58] X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 09:56:30 -0000 On Fri, Apr 26, 2019 at 8:30 PM =E7=A5=9E=E6=98=8E=E9=81=94=E5=93=89 wrote: > > Jan V=C4=8Del=C3=A1k mentioned that at least NS1 uses a different order= of > > priority: If an sibling address record exists next to the ANAME it take= s > > precedence and no target lookup is done for that address record type. > > if there's a specific use case where this behavior is important, > either the developer or user of this implementation should be able to > clarify that. At least until we know that I don't see the point of > considering this choice. The reason for different processing order in our implementation is merely historical: ALIAS was intended to solve the problem with CNAME in zone apex, our customers were familiar with CNAME processing, and therefore we wanted ALIAS to resemble CNAME closely. CNAME is practically a fallback record as well. I'm not aware of any specific use case where such behavior would be required although it's possible that our customers have developed some use case over the years. It looks like there is an agreement that ANAME should take precedence over A/AAAA. That's fine with me. We will figure it out for our customers. Jan From nobody Tue Apr 30 06:21:27 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 909D512007A for ; Tue, 30 Apr 2019 06:21:25 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.6 X-Spam-Level: X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ScvT8fsZuho4 for ; Tue, 30 Apr 2019 06:21:23 -0700 (PDT) Received: from lb2-smtp-cloud8.xs4all.net (lb2-smtp-cloud8.xs4all.net [194.109.24.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20A43120006 for ; Tue, 30 Apr 2019 06:21:22 -0700 (PDT) Received: from [IPv6:2001:980:4eb1:1:1dbb:566d:e94e:6d63] ([IPv6:2001:980:4eb1:1:1dbb:566d:e94e:6d63]) by smtp-cloud8.xs4all.net with ESMTPSA id LShChazkab8gSLShDhHVtZ; Tue, 30 Apr 2019 15:21:20 +0200 To: dnsop References: <87d7d127-20cc-8044-277a-d31b1a546219@pletterpet.nl> <0dafbeaa-acc0-c5fc-d917-b3f8cd88e0a5@pletterpet.nl> From: Matthijs Mekking Message-ID: Date: Tue, 30 Apr 2019 15:21:18 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-CMAE-Envelope: MS4wfKORTCghU2kYSaCLR8qui0mY0i5HxHqn1E3WWALNqXX234u8LduE8l2H5YjAtAfuk0Rz6YCsNW68pGDXNpK9SM5X595f9/vVMOsBHq0NjRYcFmr+7C+U zknuor05LJ7lsWEdIR6g7x7l7j5qm4LOGuIe+C1qNuz1EJlcW5EZdLVzqf5P8U3CEma5P0fYayO/h18IqmPgqKHw+ip9TD/EPYW91gWgJpKzqDqWljGHbET5 0qmG91gSPDx4BglZI0vWdg5BMHL3sbeWK8v5KG8eu58= Archived-At: Subject: Re: [DNSOP] ANAME precedence [issue #58] X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 13:21:26 -0000 Hi, Jan and everyone else, thanks for your feedback. It feels indeed like we should continue with the behavior that ANAME will take precedence over A and AAAA when on the same name. I shall go over the draft and see if the text is correct in that sense. Best regards, Matthijs On 4/30/19 11:56 AM, Jan Včelák wrote: > On Fri, Apr 26, 2019 at 8:30 PM 神明達哉 wrote: >>> Jan Včelák mentioned that at least NS1 uses a different order of >>> priority: If an sibling address record exists next to the ANAME it takes >>> precedence and no target lookup is done for that address record type. >> >> if there's a specific use case where this behavior is important, >> either the developer or user of this implementation should be able to >> clarify that. At least until we know that I don't see the point of >> considering this choice. > > The reason for different processing order in our implementation is > merely historical: ALIAS was intended to solve the problem with CNAME > in zone apex, our customers were familiar with CNAME processing, and > therefore we wanted ALIAS to resemble CNAME closely. CNAME is > practically a fallback record as well. I'm not aware of any specific > use case where such behavior would be required although it's possible > that our customers have developed some use case over the years. > > It looks like there is an agreement that ANAME should take precedence > over A/AAAA. That's fine with me. We will figure it out for our > customers. > > Jan > From nobody Tue Apr 30 14:01:01 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC1331203B0 for ; Tue, 30 Apr 2019 14:00:52 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.201 X-Spam-Level: X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WIQJSgejUESS for ; Tue, 30 Apr 2019 14:00:50 -0700 (PDT) Received: from mail.icann.org (out.west.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A87FB12028A for ; Tue, 30 Apr 2019 14:00:50 -0700 (PDT) Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 30 Apr 2019 14:00:49 -0700 Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Tue, 30 Apr 2019 14:00:49 -0700 From: Paul Hoffman To: dnsop Thread-Topic: New draft, seeking comments: draft-sah-resolver-information Thread-Index: AQHU/5fJ1cV0bqcXoEeF3h3a9uPQDw== Date: Tue, 30 Apr 2019 21:00:48 +0000 Message-ID: <3BCCE28D-17C6-4367-A9C3-D0DCF56AB03A@icann.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [192.0.32.234] Content-Type: text/plain; charset="us-ascii" Content-ID: <704B19B241D42E45912180E73BA087E8@pexch112.icann.org> Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: Subject: [DNSOP] New draft, seeking comments: draft-sah-resolver-information X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 21:00:59 -0000 Greetings again. Puneet, Roy and I have just published a -00 with an idea f= or how to get information about a recursive resolver from the resolver, if = it wants to give that information. This is an outgrowth of my earlier work = in the DOH WG on draft-ietf-doh-resolver-associated-doh. The discussion on = that latter draft in Prague had a couple of people saying "this should be m= ore general than just DoH" and "what about DoT", which sparked the idea for= draft-sah-resolver-information. Note as you read this document that we have *not* started filling in the ki= nd of information that a resolver might return; we haven't even specified t= he DoH stuff. We wanted to be sure that DNSOP folks thought that the direct= ion here might be viable; if so, I'll write an associated draft for a resol= ver's associated DoH and DoT servers, and some of you might start writing d= rafts for other ideas. Also note that this is explicitly only for resolvers; we might later do a s= econd protocol for authoritative servers who want to give information about= themselves (such as if they do DoT, if that moves forward in DPRIVE). The = reason for the split is that a resolver that doesn't know the protocol here= might pass the query on to the authoritative servers for the root or .arpa= , and the response to the stub would then be ambiguous. We look forward to your bashing and/or support. --Paul Hoffman From nobody Tue Apr 30 14:09:53 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 849EA12003F for ; Tue, 30 Apr 2019 14:09:51 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.201 X-Spam-Level: X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y4cHU9Q1FJAl for ; Tue, 30 Apr 2019 14:09:50 -0700 (PDT) Received: from mail.icann.org (out.west.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEFF712003E for ; Tue, 30 Apr 2019 14:09:49 -0700 (PDT) Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 30 Apr 2019 14:09:48 -0700 Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1367.000; Tue, 30 Apr 2019 14:09:48 -0700 From: Paul Hoffman To: dnsop Thread-Topic: New draft, seeking comments: draft-sah-resolver-information Thread-Index: AQHU/5kKD4bVxeHjJUqAfFigSjZ0Mg== Date: Tue, 30 Apr 2019 21:09:47 +0000 Message-ID: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [192.0.32.234] Content-Type: text/plain; charset="us-ascii" Content-ID: Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: Subject: [DNSOP] New draft, seeking comments: draft-sah-resolver-information X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 21:09:52 -0000 [[ GAAAAH. The abstract of the draft says it should be discussed on the ADD= list. That's wrong, it belongs here. ]] [[ GAAAAH2. I didn't include the draft info. Title : DNS Resolver Information Self-publication Authors : Puneet Sood Roy Arends Paul Hoffman Filename : draft-sah-resolver-information-00.txt Pages : 9 Date : 2019-04-30 ]] Greetings again. Puneet, Roy and I have just published a -00 with an idea f= or how to get information about a recursive resolver from the resolver, if = it wants to give that information. This is an outgrowth of my earlier work = in the DOH WG on draft-ietf-doh-resolver-associated-doh. The discussion on = that latter draft in Prague had a couple of people saying "this should be m= ore general than just DoH" and "what about DoT", which sparked the idea for= draft-sah-resolver-information. Note as you read this document that we have *not* started filling in the ki= nd of information that a resolver might return; we haven't even specified t= he DoH stuff. We wanted to be sure that DNSOP folks thought that the direct= ion here might be viable; if so, I'll write an associated draft for a resol= ver's associated DoH and DoT servers, and some of you might start writing d= rafts for other ideas. Also note that this is explicitly only for resolvers; we might later do a s= econd protocol for authoritative servers who want to give information about= themselves (such as if they do DoT, if that moves forward in DPRIVE). The = reason for the split is that a resolver that doesn't know the protocol here= might pass the query on to the authoritative servers for the root or .arpa= , and the response to the stub would then be ambiguous. We look forward to your bashing and/or support. --Paul Hoffman From nobody Tue Apr 30 14:16:44 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D853E12003F for ; Tue, 30 Apr 2019 14:16:42 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -0.501 X-Spam-Level: X-Spam-Status: No, score=-0.501 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xTHanLBt0OK7 for ; Tue, 30 Apr 2019 14:16:41 -0700 (PDT) Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74F2C1200FA for ; Tue, 30 Apr 2019 14:16:41 -0700 (PDT) Received: from [10.1.3.47] (unknown [38.95.165.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 6F47D892C6 for ; Tue, 30 Apr 2019 21:16:38 +0000 (UTC) To: dnsop References: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org> From: Paul Vixie Message-ID: <8dbd9ab5-7e4a-8888-2094-ed33d33c3672@redbarn.org> Date: Tue, 30 Apr 2019 14:16:33 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/6.1.15 MIME-Version: 1.0 In-Reply-To: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Archived-At: Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 21:16:43 -0000 can dns be like tcp, put into maintainance mode, no new features? From nobody Tue Apr 30 14:17:25 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9048E1200FA for ; Tue, 30 Apr 2019 14:17:23 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -9.498 X-Spam-Level: X-Spam-Status: No, score=-9.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=loon.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ztSFDnJnaayA for ; Tue, 30 Apr 2019 14:17:19 -0700 (PDT) Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 853D6120129 for ; Tue, 30 Apr 2019 14:17:19 -0700 (PDT) Received: by mail-io1-xd31.google.com with SMTP id a23so13525208iot.4 for ; Tue, 30 Apr 2019 14:17:19 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=loon.com; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=Jj3766ofryDOPhNI5CkItziz/sc/PFt+h1A7rzfIMYs=; b=VYJWblyU1k8ntseLgJq05wjrhOWzzth4EnvJcJ671vzR9zclGscctluYHcezsB7bUL UT5UOmtJjUcmeb3rxrockiZ520hFL8Eg7fgoURQmBUO/pgo0vExC/L7sSuIH32crDjqm X6X6KVnBJFohg6sZbBhiMYCPU3+dTrmNDX/ZU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=Jj3766ofryDOPhNI5CkItziz/sc/PFt+h1A7rzfIMYs=; b=Hu9qhXPgZZ4LS2ITu0Uj7Sy+2aToJyGWQ/NdXKv4NQh62tIZzwc4Vk3Hvm8HjD/eDW IAKmp+IsX0MjAO11BMW5XAHJYUjt5NrrLzaOlKFQBLsxcZwjxNmyQRMWtc921rkKiudR mxGmqkHD55zWjIOfpbY+HIQEbNLBzOv5cGW7dbF2IrI6GXJxcuigAjQdUw3u/gB+eJyt jrRDyRiWmDnZ5Ip8afhbkueejyM+XV1tQmbvp0h5oc0Jrtxpu2H6pMW/HttmS8C1if8k 25pr5rs/+79Gjg35DyRLF5KcVnF6SSjsWO9asvGLzIcxGkQM8f/+FeWHyCgukcY7lzv0 5DkA== X-Gm-Message-State: APjAAAVPa4TjlDJwvsFjpBEmgCCLdqWP3WIbrEBTRCO8DQuWom67Eo0v BZufFIXhlw797jyRFjM3pVkfToAu/4yjP0urkyXhMw== X-Google-Smtp-Source: APXvYqwqf+Jk4gBwzGMCrYLr+z9wKLW7CHbKXr/n/bh6BCLTOiaFhRV2xpcLno/oiukL5YxW2jH+tr9tTj6r+xN0Ivw= X-Received: by 2002:a5d:9285:: with SMTP id s5mr2287116iom.16.1556659038351; Tue, 30 Apr 2019 14:17:18 -0700 (PDT) MIME-Version: 1.0 References: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org> In-Reply-To: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org> Reply-To: ek@loon.com From: Erik Kline Date: Tue, 30 Apr 2019 14:17:06 -0700 Message-ID: To: Paul Hoffman Cc: dnsop Content-Type: multipart/alternative; boundary="00000000000004eded0587c5ed89" Archived-At: Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 21:17:24 -0000 --00000000000004eded0587c5ed89 Content-Type: text/plain; charset="UTF-8" Can I ask why you went with resolver-info.arpa instead of .{in-addr,ip6}.arpa of the resolver IP to which the query is being issued? I think the temp-field2. trick still works, and maybe we could get DNSSEC validation (IDK about dnssec validation in the rev-ip .arpa space). On Tue, 30 Apr 2019 at 14:10, Paul Hoffman wrote: > [[ GAAAAH. The abstract of the draft says it should be discussed on the > ADD list. That's wrong, it belongs here. ]] > > [[ GAAAAH2. I didn't include the draft info. > Title : DNS Resolver Information Self-publication > Authors : Puneet Sood > Roy Arends > Paul Hoffman > Filename : draft-sah-resolver-information-00.txt > Pages : 9 > Date : 2019-04-30 ]] > > Greetings again. Puneet, Roy and I have just published a -00 with an idea > for how to get information about a recursive resolver from the resolver, if > it wants to give that information. This is an outgrowth of my earlier work > in the DOH WG on draft-ietf-doh-resolver-associated-doh. The discussion on > that latter draft in Prague had a couple of people saying "this should be > more general than just DoH" and "what about DoT", which sparked the idea > for draft-sah-resolver-information. > > Note as you read this document that we have *not* started filling in the > kind of information that a resolver might return; we haven't even specified > the DoH stuff. We wanted to be sure that DNSOP folks thought that the > direction here might be viable; if so, I'll write an associated draft for a > resolver's associated DoH and DoT servers, and some of you might start > writing drafts for other ideas. > > Also note that this is explicitly only for resolvers; we might later do a > second protocol for authoritative servers who want to give information > about themselves (such as if they do DoT, if that moves forward in DPRIVE). > The reason for the split is that a resolver that doesn't know the protocol > here might pass the query on to the authoritative servers for the root or > .arpa, and the response to the stub would then be ambiguous. > > We look forward to your bashing and/or support. > > --Paul Hoffman > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > --00000000000004eded0587c5ed89 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Can I ask why you went with=C2=A0resolver= -info.arpa instead of <rev-ip>.{in-addr,ip6}.arpa of the resolver=C2= =A0IP to which the query is being issued?=C2=A0 I think the temp-field2.<= ;stuff> trick still works, and maybe we could get DNSSEC validation (IDK= about dnssec validation in the rev-ip .arpa space).

On Tue, 30 Apr 20= 19 at 14:10, Paul Hoffman <pau= l.hoffman@icann.org> wrote:
[[ GAAAAH. The abstract of the draft says it should be d= iscussed on the ADD list. That's wrong, it belongs here. ]]

[[ GAAAAH2. I didn't include the draft info.
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Title=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:= DNS Resolver Information Self-publication
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Authors=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0: Pune= et Sood
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 Roy Arends
=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2= =A0 =C2=A0 =C2=A0 Paul Hoffman
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Filename=C2=A0 =C2=A0 =C2=A0 =C2=A0 : draft-sah= -resolver-information-00.txt
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Pages=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0:= 9
=C2=A0 =C2=A0 =C2=A0 =C2=A0 Date=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 := 2019-04-30=C2=A0 ]]

Greetings again. Puneet, Roy and I have just published a -00 with an idea f= or how to get information about a recursive resolver from the resolver, if = it wants to give that information. This is an outgrowth of my earlier work = in the DOH WG on draft-ietf-doh-resolver-associated-doh. The discussion on = that latter draft in Prague had a couple of people saying "this should= be more general than just DoH" and "what about DoT", which = sparked the idea for draft-sah-resolver-information.

Note as you read this document that we have *not* started filling in the ki= nd of information that a resolver might return; we haven't even specifi= ed the DoH stuff. We wanted to be sure that DNSOP folks thought that the di= rection here might be viable; if so, I'll write an associated draft for= a resolver's associated DoH and DoT servers, and some of you might sta= rt writing drafts for other ideas.

Also note that this is explicitly only for resolvers; we might later do a s= econd protocol for authoritative servers who want to give information about= themselves (such as if they do DoT, if that moves forward in DPRIVE). The = reason for the split is that a resolver that doesn't know the protocol = here might pass the query on to the authoritative servers for the root or .= arpa, and the response to the stub would then be ambiguous.

We look forward to your bashing and/or support.

--Paul Hoffman


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
--00000000000004eded0587c5ed89-- From nobody Tue Apr 30 14:38:30 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 382B21203D0 for ; Tue, 30 Apr 2019 14:38:24 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.901 X-Spam-Level: X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R878qyabthTB for ; Tue, 30 Apr 2019 14:38:22 -0700 (PDT) Received: from smtp.guxx.net (nyx.guxx.net [85.10.208.173]) by ietfa.amsl.com (Postfix) with ESMTP id AF6A61203A7 for ; Tue, 30 Apr 2019 14:38:21 -0700 (PDT) Received: by nyx.guxx.net (Postfix, from userid 107) id B7E975F4216A; Tue, 30 Apr 2019 23:38:19 +0200 (CEST) Received: from [172.19.113.239] (unknown [172.58.38.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by nyx.guxx.net (Postfix) with ESMTPSA id 7E5AC5F404B0; Tue, 30 Apr 2019 23:38:18 +0200 (CEST) From: "Ralf Weber" To: "Paul Vixie" Cc: dnsop Date: Tue, 30 Apr 2019 14:26:27 -0700 X-Mailer: MailMate (1.12.4r5594) Message-ID: In-Reply-To: <8dbd9ab5-7e4a-8888-2094-ed33d33c3672@redbarn.org> References: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org> <8dbd9ab5-7e4a-8888-2094-ed33d33c3672@redbarn.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Archived-At: Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 21:38:28 -0000 Moin! On 30 Apr 2019, at 14:16, Paul Vixie wrote: > can dns be like tcp, put into maintainance mode, no new features? That was the hope I believe when dnsext was closed, but then dnsop extended it’s charter and here we are. While I’m not disagreeing with what you propose I believe that ship has sailed. And I’ll read the document and comment on it later… So long -Ralf —-- Ralf Weber From nobody Tue Apr 30 16:44:24 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ACD312041E for ; Tue, 30 Apr 2019 16:44:15 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.999 X-Spam-Level: X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qOj0xoZ5NkD9 for ; Tue, 30 Apr 2019 16:44:12 -0700 (PDT) Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CD6912041D for ; Tue, 30 Apr 2019 16:44:12 -0700 (PDT) Received: by mail-qt1-x835.google.com with SMTP id j6so18508406qtq.1 for ; Tue, 30 Apr 2019 16:44:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iP8r0crQZgYlf2S/DDN6ZvW6nzGZBjiLpvY8IQ9G4B4=; b=Nu20saaSWgOpketX3NtmUGE5PIE81UMwAyvK4dBz5IgNaVup+xzLyCQy/ADOLffLfF Kbv5+uPiDB22PpOxSAQewrs8Qzw6rO73zDgeB5ppO8k/SQqR6NZ2CIqy2/Uln5fE9nLg T9iqP8TzKDZ6UIJ8D2r5DDEaYSRqpgaFQXqIOizFPoN6zJs0euJV+KbiEmld5OPVstjC KGDskJPEE2r7+aPOWCMw7r4wbBqFh26YTw864WiTSLlJhTpGhjiaJppOTuj8GQ6yRk+k ybrUsepkUmotYA38+eb+iW+r4lve9oIolr6IT66NH1HkB2DlTSFPtdaR40LoimZmwa0S +mBw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iP8r0crQZgYlf2S/DDN6ZvW6nzGZBjiLpvY8IQ9G4B4=; b=pDJ1ZlQjLQNrMoe1CqDDAvomonJRBTf77LXr2PuGAXoIgbMLvIs3dgkW3P1GanFvUQ 44GwN4TeOt6z8whBNm2LWqUaDi9gwwhT8dT2U1e21TBxomWYFVTyBLsjK/Ki1g9ZbBeZ g6QiTUj5OX1vRv3E4Y+fGn83Kt73+xiL8icKC8oTEZH3KPTgwPnhelb+5CBdfkwZ3pd5 n76wfM/7Ce/9MFtRNCZIUBKflvwWb8SHJRm4RFqJ4VRDmkV2j1O+1LLcoondK6PAIThc om1FsQmeKDxl5F3BEkug91duO+oYd9v5L/eupXtjjWQFCtqejDL5PF0/sZ9NCHbIWTyO n7mA== X-Gm-Message-State: APjAAAUKsRI6Den1ZsJFq5AEB6LkO6eys4UXrfWNJQiPVyNopEYViCJf 8ufWf3Zwg5JFkznhs+SW1GQYTqbKqnnCSoG/fGM= X-Google-Smtp-Source: APXvYqyBZeZM2uJemmC8VG9iuOwR9yHHnAAZvqDhEhBEDSy5uoimAd9LTnbShY6SV5bKheeBDb5fczwArMlScoBwFNg= X-Received: by 2002:aed:2537:: with SMTP id v52mr27208606qtc.351.1556667851581; Tue, 30 Apr 2019 16:44:11 -0700 (PDT) MIME-Version: 1.0 References: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org> In-Reply-To: <6B112B6B-A8B3-46EA-8DE9-8A0535A7B878@icann.org> From: Brian Dickson Date: Tue, 30 Apr 2019 16:44:00 -0700 Message-ID: To: Paul Hoffman Cc: dnsop Content-Type: multipart/alternative; boundary="00000000000053ab2b0587c7fac6" Archived-At: Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2019 23:44:23 -0000 --00000000000053ab2b0587c7fac6 Content-Type: text/plain; charset="UTF-8" > > Also note that this is explicitly only for resolvers; we might later do a > second protocol for authoritative servers who want to give information > about themselves (such as if they do DoT, if that moves forward in DPRIVE). > The reason for the split is that a resolver that doesn't know the protocol > here might pass the query on to the authoritative servers for the root or > .arpa, and the response to the stub would then be ambiguous. > > We look forward to your bashing and/or support. > TL;DR: RFC-1918 potentially messes a lot of things up, including the ability to bypass any forwarders to talk directly to the resolver being used. So, there are some semantic issues that lead to potential problems on naming/addressing (literally) the intended target. The roots of the problem below are that: - A DNS server can't distinguish between a stub client and a client which is a forwarder. - A DNS client can't distinguish between a server which is a resolver, and a server which is a forwarder. - A DNS forwarder can tell nothing about its own downstream or upstream - There is no inherent limit on the depth of a forwarding tree - Add on selective forwarding, and multiple server addresses on any fork, and you end up with arbitrary sized directed graphs (not even guaranteed to be acyclic!). Specifically, regarding the problems that intermediate forwarders can present: - Presume a true "stub" client in the draft - Presume that client from the draft, is pointed at what it believes is a "resolver" - Now consider the possibility that the client's immediate target (resolver) is actually what we call a "forwarder", which - responds to RD=1 queries - possibly implements a cache - generally forwards to one or more other "resolvers": - each of which is itself indistinguishable as being a "true resolver" or another "forwarder" - Now, add more complexity from RFC-1918: - Each "forwarder" or "resolver" can be numbered from RFC-1918 space - Each "forwarder" or "resolver" may be integrated onto a "middle-box", which can include: - Providing DHCP service to clients - Providing DNS service to clients - Being a DHCP client of another entity/network - Forwarding its DNS queries to an upstream DNS "forwarder" or "resolver" - May have conflicting outside/inside RFC-1918 addressing schemes - There may specifically be an address collision between the DNS host IP it serves in DHCP (itself) and some DNS host it uses upstream (direct, or upstream^N) In such a potentially ambiguous and potentially conflicting set of boxes, there are several problems that can arise: - Without a public IP address, global public DNS can't be used (no RFC 1918 allowed) - Without a public IP address, any possible name is at best of limited use, and reliant on the use of the correct DNS resolver to achieve name->IP mapping - Without a public IP address, the private IP address of the intended DNS resolver might not even be directly reachable: - I.e. if the actual resolver (not forwarder) has an IP address, which is in a conflicting RFC-1918 ranges from the perspective of the client. - E.g.: - The client has received a DHCP address of 192.168.0.254/24, - The gateway of 192.168.0.1, which is a "middle-box". - The middle-box is a DHCP client itself, receiving its own address of 192.168.0.127/25 - The middle-box has its own gateway of 192.168.0.1. - Both instances of 192.168.0.1 are DNS servers, with the "closest" one to the client being a forwarder, and the "further" one being a full resolver. - The full resolver cannot be reached. (Also, as a result of these challenges, there may even be some overlap with the "homenet" folks, not that I at all want to open that can of worms. However, any solutions might be applicable in both areas, so it might be worth keeping that use case in mind as well.) It might be possible for any DNS server to establish some unique name (e.g. a UUID or GUID label). A UUID/GUID still presents a challenge for having the ability to use the name, and probably any number of hacks might be needed for being able to establish a connection to the DNS server via the name. Restricting the draft's applicability only to publicly-addressed DNS servers may not be sufficiently useful to warrant pursuit, unfortunately. Ironically, the only type of DNS server guaranteed to have a public IP address, is the authority server for a globally unique domain name. Even if it were possible to stuff the stateful bits of DoT into EDNS things, e.g. added to DNS over UDP, the problem is EDNS is only hop-by-hop, not forwarded. I've kind of run out of wacky ideas on how one might pass Do* through forwarders, to talk to a resolver if there's any RFC-1918 conflict. Maybe it is sufficient to discover the conflict/reachability issue, and have an appropriate error/response with enough information for the user to get the problem fixed? I.e. if there is at least one forwarder, possibly doing NAT, but no RFC-1918 conflict, the resolver should be reachable, and the only issue is one of naming and discovery of the resolver's IP address (and NOT any of the forwarders involved). Maybe that could be added to one of the sections of the draft and worked on? Brian --00000000000053ab2b0587c7fac6 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Also note that this is explicitly only for resolvers; we= might later do a second protocol for authoritative servers who want to giv= e information about themselves (such as if they do DoT, if that moves forwa= rd in DPRIVE). The reason for the split is that a resolver that doesn't= know the protocol here might pass the query on to the authoritative server= s for the root or .arpa, and the response to the stub would then be ambiguo= us.

We look forward to your bashing and/or support.

TL;DR: RFC-1918 potentially messes a lot of things up, including t= he ability to bypass any forwarders to talk directly to the resolver being = used.

So, there are some semantic issues that = lead to potential problems on naming/addressing (literally) the intended ta= rget.

The roots of the problem below are that:
  • A DNS server can't distinguish between a stub client and= a client which is a forwarder.
  • A DNS client can't distinguish = between a server which is a resolver, and a server which is a forwarder.
  • A DNS forwarder can tell nothing about its own downstream or upstream=
  • There is no inherent limit on the depth of a forwarding tree
    • <= li>Add on selective forwarding, and multiple server addresses on any fork, = and you end up with arbitrary sized directed graphs (not even guaranteed to= be acyclic!).

Specifically, regarding t= he problems that intermediate forwarders can present:
  • Pre= sume a true "stub" client in the draft
  • Presume that clien= t from the draft, is pointed at what it believes is a "resolver"<= /li>
  • Now consider the possibility that the client's immediate target= (resolver) is actually what we call a "forwarder", which=C2=A0
    • responds to RD=3D1 queries
    • possibly implements a cache
    • generally forwards to one or more other "resolvers":
      • <= ul>
    • each of which is itself indistinguishable as being a "true reso= lver" or another "forwarder"
  • Now, add more= complexity from RFC-1918:
    • Each "forwarder" or "= resolver" can be numbered from RFC-1918 space
    • Each "forwa= rder" or "resolver" may be integrated onto a "middle-bo= x", which can include:
      • Providing DHCP service to clients
      • Providing DNS service to clients
      • Being a DHCP client of anot= her entity/network
      • Forwarding its DNS queries to an upstream DNS &q= uot;forwarder" or "resolver"
      • May have conflicting ou= tside/inside RFC-1918 addressing schemes
    • There may specificall= y be an address collision between the DNS host IP it serves in DHCP (itself= ) and some DNS host it uses upstream (direct, or upstream^N)
    <= /ul>
    In such a potentially ambiguous and potentially conflicting set of= boxes, there are several problems that can arise:
    • = Without a public IP address, global public DNS can't be used (no RFC 19= 18 allowed)
    • Without a public IP address, any possible name is at be= st of limited use, and reliant on the use of the correct DNS resolver to ac= hieve name->IP mapping
    • Without a public IP address, the private = IP address of the intended DNS resolver might not even be directly reachabl= e:
      • I.e. if the actual resolver (not forwarder) has an IP addres= s, which is in a conflicting RFC-1918 ranges from the perspective of the cl= ient.
      • E.g.:
        • The client has received a DHCP address of <= a href=3D"http://192.168.0.254/24">192.168.0.254/24,=C2=A0
        • The = gateway of 192.168.0.1, which is a "middle-box".=C2=A0
        • Th= e middle-box is a DHCP client itself, receiving its own address of 192.168.0.127/25
        • The middle-box ha= s its own gateway of 192.168.0.1.=C2=A0
        • Both instances of 192.168.0= .1 are DNS servers, with the "closest" one to the client being a = forwarder, and the "further" one being a full resolver.=C2=A0
        • The full resolver cannot be reached.
    (Al= so, as a result of these challenges, there may even be some overlap with th= e "homenet" folks, not that I at all want to open that can of wor= ms.=C2=A0
    However, any solutions might be applicable in both area= s, so it might be worth keeping that use case in mind as well.)
    <= br>
    It might be possible for any DNS server to establish some uni= que name (e.g. a UUID or GUID label).

    A UUID/GUID = still presents a challenge for having the ability to use the name, and prob= ably any number of hacks might be needed for being able to establish a conn= ection to the DNS server via the name.

    Restricting= the draft's applicability only to publicly-addressed DNS servers may n= ot be sufficiently useful to warrant pursuit, unfortunately.

    =
    Ironically, the only type of DNS server guaranteed to have a pub= lic IP address, is the authority server for a globally unique domain name.<= /div>

    Even if it were possible to stuff the stateful bit= s of DoT into EDNS things, e.g. added to DNS over UDP, the problem is EDNS = is only hop-by-hop, not forwarded.

    I've kind o= f run out of wacky ideas on how one might pass Do* through forwarders, to t= alk to a resolver if there's any RFC-1918 conflict.

    Maybe it is sufficient to discover the conflict/reachability issue, a= nd have an appropriate error/response with enough information for the user = to get the problem fixed?

    I.e. if there is at leas= t one forwarder, possibly doing NAT, but no RFC-1918 conflict, the resolver= should be reachable, and the only issue is one of naming and discovery of = the resolver's IP address (and NOT any of the forwarders involved).

    Maybe that could be added to one of the sections of t= he draft and worked on?

    Brian
    --00000000000053ab2b0587c7fac6-- From nobody Tue Apr 30 18:06:52 2019 Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CB251201CF for ; Tue, 30 Apr 2019 18:06:50 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=kzHDKIrX; dkim=pass (1536-bit key) header.d=taugh.com header.b=U/LppgGs Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PRCkIjxGshuz for ; Tue, 30 Apr 2019 18:06:48 -0700 (PDT) Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5B4F1201CC for ; Tue, 30 Apr 2019 18:06:48 -0700 (PDT) Received: (qmail 74096 invoked from network); 1 May 2019 01:06:46 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1216e.5cc8f126.k1904; i=johnl-iecc.com@submit.iecc.com; bh=ML3tLJBAY+o2gq3GvnHj/wJIsdfJWi/K+YDsF9JqHdc=; b=kzHDKIrXQ8pS15/cXZw/1J2r8+hIJQw4s56TIw+TFiL3XgGoK0Lm/IGytpFeOPQuH+VMCC7oPcvzgBtui3tdoUdmsYhJNjgbl8A5cGNX7nbYF7x/igVzY/4KdBdtoIVsHEJa1BS2mGh56ImryIfmVuz3B8Ey+ve/D3Emlbf4V3J33a2hEibeAg7yWb41LGB274povYquHLaFLTaKp/SkmggYp2fYKMPCRaV2+SAXYgeNKiqnb0ma/MtRUrVxgPB3 DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1216e.5cc8f126.k1904; olt=johnl-iecc.com@submit.iecc.com; bh=ML3tLJBAY+o2gq3GvnHj/wJIsdfJWi/K+YDsF9JqHdc=; b=U/LppgGszGRClH602OlHEzC6ButiJjWBNTg9KTbfxdntXaLZKP9BF+mPFZMI4RGh0rFl/XvvnH9/wiI+Uid3o+1u3/5GW7YisuzbiIozHht38YZCOAuBrCW6F+s/WcMQZRv5csQYDEhP5JkYz0ivaJQ3ohpO/HPkBSZkpthx4oIQ4wT0Wjn45oJvfYj4uG4obs9yYcCUuhtKQsk45k6JH8CMdtXYoOqRjc8icRnvwl2iwzYItlLpST+3T1t3LuEr Received: from ary.qy ([64.246.232.221]) by imap.iecc.com ([64.57.183.75]) with ESMTPSA (TLS1.2 ECDHE-RSA AES-256-GCM AEAD, johnl@iecc.com) via TCP; 01 May 2019 01:06:45 -0000 Received: by ary.qy (Postfix, from userid 501) id 7DA7520132826B; Tue, 30 Apr 2019 21:06:45 -0400 (EDT) Date: 30 Apr 2019 21:06:45 -0400 Message-Id: <20190501010645.7DA7520132826B@ary.qy> From: "John Levine" To: dnsop@ietf.org Cc: ek@loon.com In-Reply-To: Organization: Taughannock Networks X-Headerized: yes Mime-Version: 1.0 Content-type: text/plain; charset=utf-8 Content-transfer-encoding: 8bit Archived-At: Subject: Re: [DNSOP] New draft, seeking comments: draft-sah-resolver-information X-BeenThere: dnsop@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IETF DNSOP WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 May 2019 01:06:51 -0000 In article you write: >-=-=-=-=-=- > >Can I ask why you went with resolver-info.arpa instead of >.{in-addr,ip6}.arpa of the resolver IP to which the query is being >issued? I think the temp-field2. trick still works, and maybe we >could get DNSSEC validation (IDK about dnssec validation in the rev-ip >.arpa space). in-addr.arpa and ip6.arpa are signed as are the zones delegated to the RIRs. I think that all of the RIRs provide a way to add DS records to delegatd zones. So in principle DNSSEC in the rDNS should work fine. There is the practical issue of how much badly written software would barf with records other than PTR in the rDNS. I've had an MX for a while in my rDNS zone and it seems to work OK. Regards, johnl@18.183.57.64.in-addr.arpa.