[DNSOP] Publication has been requested for draft-ietf-dnsop-rfc7816bis-09

2021-05-07 Thread Tim Wicinski via Datatracker 
Tim Wicinski has requested publication of draft-ietf-dnsop-rfc7816bis-09 as 
Internet Standard on behalf of the DNSOP working group.

Please verify the document's state at 
https://datatracker.ietf.org/doc/draft-ietf-dnsop-rfc7816bis/


___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Adoption of new EDNS opcode "rrserial"

2021-05-07 Thread Matthew Pounsett 
On Mon, 27 Jan 2020 at 10:09, Hugo Salgado  wrote:
>
> Dear DNSOPers, as an operator I tend to have this need to couple
> an answer for a query to an auth server, with the actual "SOA zone
> version" used. So I think it'll be valuable to have an EDNS option
> for it.

I also missed this the first time around.  Mauricio brought it up
during the OARC workshop last night; I think it's a very good idea,
and the WG should adopt it.  There are many occasions in the past
where this would have been helpful in debugging, and I'm sure there
will be many more in the future.

I haven't read this in detail yet, but I will happily provide reviews
if the WG adopts it.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Adoption of new EDNS opcode "rrserial"

2021-05-07 Thread Donald Eastlake 
Seems like a good idea to me. I think the WG should adopt it.

Thanks,
Donald
===
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 2386 Panoramic Circle, Apopka, FL 32703 USA
 d3e...@gmail.com

On Mon, Jan 27, 2020 at 10:09 AM Hugo Salgado  wrote:
>
> Dear DNSOPers, as an operator I tend to have this need to couple
> an answer for a query to an auth server, with the actual "SOA zone
> version" used. So I think it'll be valuable to have an EDNS option
> for it.
>
> Here I'm proposing it with this new draft. The 'camel index' for
> its implementation/hack/proof-of-concept is about 37 lines in
> NSD 4.1 (more details in Appendix A).
>
> I've asked some operators and they see value on it. Is there any
> support for adoption in DNSOP?
>
> -
> Name:   draft-salgado-rrserial
> Revision:   01
> Title:  The "RRSERIAL" EDNS option for the SOA serial of a RR's zone
> Document date:  2020-01-27
> Group:  Individual Submission
> Pages:  5
> URL:
> https://www.ietf.org/internet-drafts/draft-salgado-rrserial-01.txt
> Status: https://datatracker.ietf.org/doc/draft-salgado-rrserial/
> Htmlized:   https://tools.ietf.org/html/draft-salgado-rrserial-01
> Htmlized:   https://datatracker.ietf.org/doc/html/draft-salgado-rrserial
> Diff:   https://www.ietf.org/rfcdiff?url2=draft-salgado-rrserial-01
>
> Abstract:
>The "RRSERIAL" EDNS option allows a DNS querier to ask a DNS
>authoritative server to add a EDNS option in the answer of such query
>with the SOA serial number field of the origin zone which contains
>the answered resource record.
>
>This "RRSERIAL" data allows to debug problems and diagnosis by
>helping to recognize the origin of an answer, associating this answer
>with a respective zone version.
> -
>
> Best,
>
> Hugo Salgado
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Adoption of new EDNS opcode "rrserial"

2021-05-07 Thread Brian Dickson 
On Fri, May 7, 2021 at 10:03 AM Joe Abley  wrote:

> Hi Hugo,
>
> On 7 May 2021, at 12:47, Hugo Salgado  wrote:
>
> > I'll upload a new version to revive it, and ask for a slot
> > in IETF111 for further discussion!
>
> Just to add my voice to the chorus, I missed this the first time around so
> thanks, Mauricio, for mentioning it.
>
> I haven't read the draft in detail but I do like the idea and could think
> of many times this would have been useful for data collection, debugging,
> etc.
>
>
I concur with everything Joe wrote. So, very much in favor of this, thanks
for doing this.

Brian
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Martin Duke's No Objection on draft-ietf-dnsop-nsec-ttl-04: (with COMMENT)

2021-05-07 Thread Martin Duke via Datatracker 
Martin Duke has entered the following ballot position for
draft-ietf-dnsop-nsec-ttl-04: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-nsec-ttl/



--
COMMENT:
--

No need for a response on these:

Please expand TTL and SOA on first use.



___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Adoption of new EDNS opcode "rrserial"

2021-05-07 Thread Joe Abley 
On 7 May 2021, at 13:39, John Levine  wrote:

> It appears that Hugo Salgado   said:
>> -=-=-=-=-=-
>> 
>> I'll upload a new version to revive it, and ask for a slot
>> in IETF111 for further discussion!
> 
> It looks like it's worth considering, but I also wonder how
> relevant it is for DNS servers that don't use AXFR/IXFR and SOA
> serial numbers to keep versions in sync.

SOA serial numbers are definitely useful for the apex SOA/IN queries that are 
prerequisites to zone transfers. However, they're also really useful 
information for any dynamic zone that you're trying to troubleshoot. Successive 
queries are not necessarily going to return matching information.

By analogy, you can send a query to a nameserver and get a troublesome 
response, and debug with a HOSTNAME.BIND/CH/TXT query to see what server it 
was. But for a nameserver provisioned with anycast or as part of a cluster, 
those data points are not necessarily going to match, which is why NSID is good.


Joe

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Adoption of new EDNS opcode "rrserial"

2021-05-07 Thread Frederico A C Neves 
On Fri, May 07, 2021 at 01:39:56PM -0400, John Levine wrote:
> It appears that Hugo Salgado   said:
> >-=-=-=-=-=-
> >
> >I'll upload a new version to revive it, and ask for a slot
> >in IETF111 for further discussion!
> 
> It looks like it's worth considering, but I also wonder how
> relevant it is for DNS servers that don't use AXFR/IXFR and SOA
> serial numbers to keep versions in sync.

In that case not much, but for many that uses in-band zone transfer
mechanisms it is very relevant. Specially in the case that the serial
in a zone is time deterministic.

Fred

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Adoption of new EDNS opcode "rrserial"

2021-05-07 Thread John Levine 
It appears that Hugo Salgado   said:
>-=-=-=-=-=-
>
>I'll upload a new version to revive it, and ask for a slot
>in IETF111 for further discussion!

It looks like it's worth considering, but I also wonder how
relevant it is for DNS servers that don't use AXFR/IXFR and SOA
serial numbers to keep versions in sync.

I put serial numnbers in my zones but in fact my servers use
rsync from a hidden master so the serials don't tell you much.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Adoption of new EDNS opcode "rrserial"

2021-05-07 Thread Joe Abley 
Hi Hugo,

On 7 May 2021, at 12:47, Hugo Salgado  wrote:

> I'll upload a new version to revive it, and ask for a slot
> in IETF111 for further discussion!

Just to add my voice to the chorus, I missed this the first time around so 
thanks, Mauricio, for mentioning it.

I haven't read the draft in detail but I do like the idea and could think of 
many times this would have been useful for data collection, debugging, etc.


Joe



signature.asc
Description: Message signed with OpenPGP
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Adoption of new EDNS opcode "rrserial"

2021-05-07 Thread Hugo Salgado 
I'll upload a new version to revive it, and ask for a slot
in IETF111 for further discussion!

Thanks,

Hugo

On 22:02 06/05, Mauricio Vergara Ereche wrote:
> Hi Hugo,
> 
> I just want to bring back to life this topic as it solves an issue that
> several operators (like me) seem to be in need to solve while debugging
> issues.
> 
> Mauricio
> 
> On Mon, Jan 27, 2020 at 7:09 AM Hugo Salgado  wrote:
> 
> > Dear DNSOPers, as an operator I tend to have this need to couple
> > an answer for a query to an auth server, with the actual "SOA zone
> > version" used. So I think it'll be valuable to have an EDNS option
> > for it.
> >
> > Here I'm proposing it with this new draft. The 'camel index' for
> > its implementation/hack/proof-of-concept is about 37 lines in
> > NSD 4.1 (more details in Appendix A).
> >
> > I've asked some operators and they see value on it. Is there any
> > support for adoption in DNSOP?
> >
> > -
> > Name:   draft-salgado-rrserial
> > Revision:   01
> > Title:  The "RRSERIAL" EDNS option for the SOA serial of a RR's
> > zone
> > Document date:  2020-01-27
> > Group:  Individual Submission
> > Pages:  5
> > URL:
> > https://www.ietf.org/internet-drafts/draft-salgado-rrserial-01.txt
> > Status: https://datatracker.ietf.org/doc/draft-salgado-rrserial/
> > Htmlized:   https://tools.ietf.org/html/draft-salgado-rrserial-01
> > Htmlized:
> > https://datatracker.ietf.org/doc/html/draft-salgado-rrserial
> > Diff:
> > https://www.ietf.org/rfcdiff?url2=draft-salgado-rrserial-01
> >
> > Abstract:
> >The "RRSERIAL" EDNS option allows a DNS querier to ask a DNS
> >authoritative server to add a EDNS option in the answer of such query
> >with the SOA serial number field of the origin zone which contains
> >the answered resource record.
> >
> >This "RRSERIAL" data allows to debug problems and diagnosis by
> >helping to recognize the origin of an answer, associating this answer
> >with a respective zone version.
> > -
> >
> > Best,
> >
> > Hugo Salgado
> >
> > ___
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
> >
> 
> 
> -- 
> Mauricio Vergara Ereche
> keybase.io/mave


signature.asc
Description: PGP signature
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Publication has been requested for draft-ietf-dnsop-iana-class-type-yang-02

2021-05-07 Thread Benno Overeinder via Datatracker 
Benno Overeinder has requested publication of 
draft-ietf-dnsop-iana-class-type-yang-02 as Proposed Standard on behalf of the 
DNSOP working group.

Please verify the document's state at 
https://datatracker.ietf.org/doc/draft-ietf-dnsop-iana-class-type-yang/


___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

2021-05-07 Thread Paul Hoffman 
On May 7, 2021, at 3:21 AM, Pieter Lexis  wrote:
> For PowerDNS, we treat the parsing of SVCParams as a two-step process.
> First we use the normal rfc1035 character decoder on the full SVCParam
> value, after which we apply the value-list parser. The former parses
> 'foo\\,bar' into 'foo\,bar' that is then parsed to a list of length 1
> with value {'foo,bar'}. So nothing changes from the perspective of the
> rfc 1035 parser.
> 
> I can see how this might be confusing to those writing zone contents and
> would support a solution that either prohibits comma's in SVCParam list
> values or a different value separator that is not allowed to be embedded
> in values.

Pieter has a point here: to parse correctly, you need a two-step (or two-level) 
process. The *only* way to prevent that in the spec would be to say that commas 
are forbidden in  parameter values. However, even if the spec said that, 
someone would mess up and put a comma in a parameter value, and then different 
parsers will yield different values based on whether or not they took that 
shortcut.

Escaping is hard.

--Paul Hoffman

smime.p7s
Description: S/MIME cryptographic signature
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

2021-05-07 Thread Tim Wicinski 
I was rethinking my initial concerns, and needed to talk it out with others.
After going back over it with folks smarter than myself, it's more obvious
to me that when the need for escaping inputs will be more of an exception.

My concern is focused not so much on implementers (sorry) but the operators
and engineers who will be the ones inserting these records into zone files.

I do however want to have the presentation format examples be full DNS
records,
and not just RDATA.   In the followinbg section in on failure cases, DNS
records
are used:

example.com.   SVCB   1 foo.example.com. mandatory

The test vectors should be the same.

tim


On Fri, May 7, 2021 at 9:19 AM Dick Franks  wrote:

> On Fri, 7 May 2021 at 11:21, Pieter Lexis 
> wrote:
> >
> >8
> >
> > I can see how this might be confusing to those writing zone contents and
> > would support a solution that either prohibits comma's in SVCParam list
> > values or a different value separator that is not allowed to be embedded
> > in values.
>
> Tim W. pointed out earlier in this thread that "those writing zone
> contents" are the majority stakeholders and rarely familiar with the
> finer points of DNS.
> If we are inflicting confusion on these people by departing from
> standard and well-understood character escapes for no other reason
> than the convenience of developers, then we have our priorities
> seriously wrong.
>
>
> --Dick
>
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

2021-05-07 Thread Dick Franks 
On Fri, 7 May 2021 at 11:21, Pieter Lexis  wrote:
>
>8
>
> I can see how this might be confusing to those writing zone contents and
> would support a solution that either prohibits comma's in SVCParam list
> values or a different value separator that is not allowed to be embedded
> in values.

Tim W. pointed out earlier in this thread that "those writing zone
contents" are the majority stakeholders and rarely familiar with the
finer points of DNS.
If we are inflicting confusion on these people by departing from
standard and well-understood character escapes for no other reason
than the convenience of developers, then we have our priorities
seriously wrong.


--Dick

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

2021-05-07 Thread Pieter Lexis 
Hi folks,

On 5/6/21 10:16 PM, Dick Franks wrote:
> On Thu, 6 May 2021 at 19:11, Ben Schwartz  wrote:
>> On Thu, May 6, 2021 at 8:50 AM Dick Franks  wrote:
>>> BIND, NSD, and Net::DNS are all able to arrive at implementations of
>>> SVCB using the RFC1035 standard escape conventions, which demonstrates
>>> beyond reasonable doubt that recognising "\\," is not an essential
>>> requirement.
>>
>> I disagree: what you are proposing is a deviation from RFC1035 escape 
>> conventions, and what the draft does is specifically to ensure that no such 
>> deviation is required.
> 
> I am advocating strict adherence to RFC1035 escape conventions.  You
> are the one proposing to deviate.
> 
>> ...  I have now encountered multiple codebases where modifying the RFC1035 
>> char-string parsing in the way that you suggest would be prohibitively 
>> complex, and that complexity will only grow over time as new SvcParamValues 
>> are defined.>
> If the development cost is prohibitive, the obvious solution is to use
> BIND, NSD, or one of the other respectable implementations which are
> certain to be not far behind.  If Google cannot afford the license
> fee, a six line perl Net::DNS script could be used to translate
> RFC1035 compliant SVCB RRs into RFC3597 format at nil cost.
, respectively).
> [...]
> That is no justification at all.   SPF people can do whatever they
> like within the arguments of a TXT record.

For PowerDNS, we treat the parsing of SVCParams as a two-step process.
First we use the normal rfc1035 character decoder on the full SVCParam
value, after which we apply the value-list parser. The former parses
'foo\\,bar' into 'foo\,bar' that is then parsed to a list of length 1
with value {'foo,bar'}. So nothing changes from the perspective of the
rfc 1035 parser.

I can see how this might be confusing to those writing zone contents and
would support a solution that either prohibits comma's in SVCParam list
values or a different value separator that is not allowed to be embedded
in values.

Regards,

Pieter
-- 
Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-svcb-https-05.txt

2021-05-07 Thread Tom 

Hi Dick, Ben,

I'm the (new) developer at NLNet Labs who implemented SVCB in NSD. While 
I have no strong opinion on the double escaping matter, I will pitch in 
that NSD currently adheres to the draft (as far as I'm aware).


Best,
Tom

On 2021-05-06 22:16, Dick Franks wrote:


On Thu, 6 May 2021 at 19:11, Ben Schwartz  wrote:
On Thu, May 6, 2021 at 8:50 AM Dick Franks  wrote: 
But that is precisely what you are NOT doing.

You have assigned a special significance to the character sequence
"\\," contrary to RFC1035.

The language of RFC1035 is crystal clear that an escaped character is
parsed as plain text, independently, without regard to context, and
that any special meaning does not apply.

Strict application of the RFC1035 rules causes string   "...\\,..."
to be equivalent to "...\092,...".

I'm not sure what you're describing.  Those two inputs are universally 
equivalent in zone files under the current draft.  They are both 
reduced to {'\', '"'} by char-string parsing, which is applied 
uniformly and without modification to all SvcParamValues.


... and the '\' without any special meaning fails to protect the comma
from the attention of the argument splitter.

Each SvcParamValue has its own input format.  For some SvcParamValues, 
'\' and ',' may not be allowed characters.  For others, they may be 
ordinary characters to be copied into the output, or they may have 
special significance.

 ... and I might, or might not, have a boiled egg for breakfast!


BIND, NSD, and Net::DNS are all able to arrive at implementations of
SVCB using the RFC1035 standard escape conventions, which demonstrates
beyond reasonable doubt that recognising "\\," is not an essential
requirement.


I disagree: what you are proposing is a deviation from RFC1035 escape 
conventions, and what the draft does is specifically to ensure that no 
such deviation is required.


I am advocating strict adherence to RFC1035 escape conventions.  You
are the one proposing to deviate.

...  I have now encountered multiple codebases where modifying the 
RFC1035 char-string parsing in the way that you suggest would be 
prohibitively complex, and that complexity will only grow over time as 
new SvcParamValues are defined.


If the development cost is prohibitive, the obvious solution is to use
BIND, NSD, or one of the other respectable implementations which are
certain to be not far behind.  If Google cannot afford the license
fee, a six line perl Net::DNS script could be used to translate
RFC1035 compliant SVCB RRs into RFC3597 format at nil cost.

The "value-list" format is a bit like a (much simpler) cousin of the 
SPF macro language (https://tools.ietf.org/html/rfc7208#section-7.1).  
In both cases, the char-string decoder's output contains embedded 
commands that allow the next processing stage to distinguish between 
delimiters (comma and space, respectively) and escaped delimiters ("\," 
and "%_", respectively).


That is no justification at all.   SPF people can do whatever they
like within the arguments of a TXT record.

--Dick

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop