From: dns-privacy <[email protected]> On Behalf Of Ben Schwartz
Sent: Monday, May 3, 2021 5:07 PM
To: Peter van Dijk <[email protected]>
Cc: DNS Privacy Working Group <[email protected]>
Subject: [EXTERNAL] Re: [dns-privacy] Common Features for Encrypted Recursive to Authoritative DNS

Thanks for this draft; I think it's clear and could be a helpful introduction.

> If the cache has no positive or negative answers for any DNS SVCB record for any of a zone's authoritative servers, the resolver needs to send queries for the DNS SVCB records for some or all of the zone's authoritative servers.

I think it would be worth rephrasing the words "needs to" here. To me, this sounds like a normative requirement to perform these queries, but I suspect that's not what you mean.

> Because some authoritative servers or middleboxes are misconfigured, requests for unknown RRtypes might be ignored by them. Resolvers should be ready to deal with timeouts or other bad responses to their SVCB queries.

This sounds a bit pessimistic. Ralf Weber recently published some figures showing a ~0.03% failure rate.

For security (in the authenticated case), any mitigations here are very delicate, and I'm a bit concerned about the brief treatment here. (The SVCB draft has an extensive discussion: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https#section-3.1.)

> DNS SVCB records act as advisory information for resolvers about the encrypted protocols that are supported. They can be thought of as similar to NS records on the parent side of a zone cut: advisory enough to act on, but not authoritative.
>
> Given this, authoritative servers that know the DNS SCVB records associated with NS records for any child zones MAY include those DNS SCVB records in the Additional section of responses to queries to a parent authoritative server.

This sounds like a restatement of the definition of "glue". Can we simply declare that these records are "glue"?

[SAH] …and does this imply that we need to extend EPP to populate these records?

Scott
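As an added illustration, not part of this thread or of the draft under discussion, the following Python sketch models the resolver-side behaviour the quoted draft paragraphs describe: deciding when DNS SVCB queries for a zone's authoritative servers are needed, folding positive, negative and bad responses into a cache, and treating SVCB records received in a parent's Additional section as glue-like hints. The server names, the parameter shapes, and the failure policy (fall back to cleartext only in opportunistic mode, never in authenticated mode; hints from the Additional section must be confirmed by a direct query before authenticated use) are assumptions chosen to show the points raised above, not behaviour the draft specifies.

```python
"""Toy model of resolver-side DNS SVCB discovery for a zone's authoritative
servers. Names, parameters and the failure policy are constructed for
illustration and are not taken from the draft."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SvcbEntry:
    status: str             # "positive" (SVCB RRset seen) or "negative" (NODATA/NXDOMAIN)
    params: dict            # e.g. {"alpn": ["dot"]}; empty when negative
    source: str = "answer"  # "answer" = learned by direct query, "additional" = glue-like hint


@dataclass
class SvcbCache:
    entries: dict[str, SvcbEntry] = field(default_factory=dict)

    def known(self, name: str) -> bool:
        """True if a positive or negative answer is cached for this server name."""
        return name in self.entries


def plan_svcb_queries(ns_names: list[str], cache: SvcbCache) -> list[str]:
    """Names whose SVCB records the resolver would query now. Following the
    quoted rule, queries are issued only when *no* authoritative server of the
    zone has a cached positive or negative answer; this model then queries all."""
    if any(cache.known(n) for n in ns_names):
        return []
    return sorted(ns_names)


def record_response(cache: SvcbCache, name: str, rcode: str, rrset: list[dict],
                    authenticated: bool) -> str:
    """Fold one SVCB response (or failure) into the cache and return the transport
    decision for that server: "encrypted", "cleartext" or "servfail".
    rcode is "NOERROR" with a non-empty rrset (positive), "NOERROR"/"NXDOMAIN" with
    an empty rrset (negative), or "TIMEOUT"/"FORMERR"/"SERVFAIL"/"REFUSED" (bad)."""
    if rcode == "NOERROR" and rrset:
        cache.entries[name] = SvcbEntry("positive", dict(rrset[0]))
        return "encrypted"
    if rcode in ("NOERROR", "NXDOMAIN"):
        cache.entries[name] = SvcbEntry("negative", {})
        return "cleartext"
    # Timeout or other bad response from a misconfigured server or middlebox.
    # Assumed policy: opportunistic mode proceeds in cleartext without caching a
    # negative answer (so the lookup is retried later); authenticated mode refuses
    # to downgrade, since an induced timeout would otherwise strip the protection.
    if authenticated:
        return "servfail"
    return "cleartext"


def accept_additional(cache: SvcbCache, name: str, rrset: list[dict]) -> bool:
    """Accept SVCB records from a parent's Additional section the way glue is
    accepted: usable but advisory. Never overwrite an entry learned by direct query."""
    if cache.known(name) and cache.entries[name].source == "answer":
        return False
    cache.entries[name] = SvcbEntry("positive", dict(rrset[0]), source="additional")
    return True


def choose_transport(cache: SvcbCache, name: str, authenticated: bool) -> str:
    """Transport for a server given the cache: "encrypted", "cleartext", or
    "verify" when an authenticated resolver holds only an advisory hint and must
    confirm it with a direct query before relying on it (assumed policy)."""
    entry = cache.entries.get(name)
    if entry is None or entry.status == "negative":
        return "cleartext"
    if authenticated and entry.source == "additional":
        return "verify"
    return "encrypted"
```

The two modes differ only in how ambiguity is resolved: opportunistic mode treats an unanswered SVCB query as "no encryption here for now", while authenticated mode treats the same event as a failure, which is the asymmetry behind the comment above that mitigations in the authenticated case are delicate.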
_______________________________________________ dns-privacy mailing list [email protected] https://www.ietf.org/mailman/listinfo/dns-privacy
