Re: [DNSOP] New draft: Compact Lies/Denial of Existence in DNSSEC

[Paul Vixie]

Florian Obser wrote on 2023-03-01 22:42:


I might not be caffeinated enough yet, but I think the next domain name
in section 5 should be \000.ent1.example.net:

   ent1.example.net.  3600 IN NSEC \000.ent1.example.net. RRSIG NSEC ENT

In section 6, calling getaddrinfo() return values exit codes is a bit
odd, maybe this will do?

Address lookup functions typically invoked by applications won't see
a practical impact from this indistinguishability.  For a non-
existent name, the getaddrinfo() function for example will return a
value of EAI_NODATA rather than EAI_NONAME.  But either way the
effect on the caller is the same: it will obtain a response with a
non-zero return value and no available addresses.


that's just not true, no matter how it's worded.

if i get NODATA i might try other record types (for example,  after 
A, A after , or both  and A after MX).


if i get NXDOMAIN, i won't.

there's also a huge impact on operational security.

indistinguishability would a huge problem.

please outlaw it.

--
P Vixie

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] New draft: Compact Lies/Denial of Existence in DNSSEC

[Florian Obser]

I might not be caffeinated enough yet, but I think the next domain name
in section 5 should be \000.ent1.example.net:

  ent1.example.net.  3600 IN NSEC \000.ent1.example.net. RRSIG NSEC ENT

In section 6, calling getaddrinfo() return values exit codes is a bit
odd, maybe this will do?

   Address lookup functions typically invoked by applications won't see
   a practical impact from this indistinguishability.  For a non-
   existent name, the getaddrinfo() function for example will return a
   value of EAI_NODATA rather than EAI_NONAME.  But either way the
   effect on the caller is the same: it will obtain a response with a
   non-zero return value and no available addresses.

-- 
In my defence, I have been left unsupervised.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] New draft: Compact Lies/Denial of Existence in DNSSEC

[Paul Ebersman]

gih> for what its worth I would like to chime in and support George's
gih> view. The technique is NOT a lie per se.

I'll "me too" this with George and Geoff.

Figuring out a more efficient way to do what is ultimately wanted
(crypographically provable denial of existence) that works better than
the original conception is a good thing. And using "lie" was cute but
George is right here too; clarity/consistency to not confuse the world
is more useful than yet another "in" joke in DNS.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] New draft: Compact Lies/Denial of Existence in DNSSEC

[Joe Abley]

Hi George,

On Wed, Mar 1, 2023 at 17:40, George Michaelson  wrote:

> My opposition is philosophical and practical.
>
> the philosophical part, is that this is a SIGNED ASSERTION by the zone
> authority. I don't think anything the zone authority says under a
> signature should be called a lie, because the basis of verification is
> that its exactly what was intended to be said about the state of the
> zone.

I agree with this.

We are talking about an assertion by those responsible for the zone contents 
about things that do not exist. There are many different truthful assertions of 
that kind that can be made. The interesting thing about this particular choice 
is that it's a minimal assertion.

We are not talking about lies. Referring to these kinds of negative responses 
as lies is confusing and unhelpful. They are signed responses, and the point of 
signing them is that they are verifiably true.

I think "lies" refers to an assumption that a single NSEC makes a maximal 
assertion about what does not exist and that either side of that expanse of 
empty sand lies a soothing oasis of existence. However the protocol doesn't 
require that to be the case. A single NSEC can cover a single grain of sand, 
and the mystery of the desert can remain substantially intact.

Joe___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] New draft: Compact Lies/Denial of Existence in DNSSEC

[Geoff Huston]

for what its worth I would like to chime in and support George’s 
view. The technique is NOT a lie per se. It's a stretch (well
its the opposite of “stretch” - its a “compression”) of the
intended contents of the denial of existence response, but it is not 
a lie as I see it. I would be far more comfortable as well
with Shumon’s “Compact Denial of Existence” as a more accurate
description of the technique.

regards,

Geoff




> On 2 Mar 2023, at 9:40 am, George Michaelson  wrote:
> 
> My opposition is philosophical and practical.
> 
> the philosophical part, is that this is a SIGNED ASSERTION by the zone
> authority. I don't think anything the zone authority says under a
> signature should be called a lie, because the basis of verification is
> that its exactly what was intended to be said about the state of the
> zone.
> 
> its incoherent, its potentially confusing, it needs to be understood,
> sure. but I don't see this as a lie.
> 
> the practical is that I think the IETF/OPS tendency to enjoy "puns"
> causes huge confusion outside the cognoscenti. The re-use of the word
> "peer" for instance has caused significant dismay to people in policy
> or finance space who don't understand that a BGP peer does not mean
> necessarily a peering zero-cost sum arrangement at layer 8 and 9
> (money). -If we use "lie" this freely, then when we want to
> distinguish these signed lies from the intermediary altering payload
> on-the-fly we're going to have a problem of comprehension.
> 
> Having said that, I think I feel like a bit of a party pooper. What in
> Australia would be called a "wowser"
> 
> It's not a big deal btw. I'm not going to go to the AD and complain
> about it or make a fuss at WGLC. I just think.. its the kind of
> language which may not be helpful in the longer term.
> 
> cheers
> 
> George
> 
> On Thu, Mar 2, 2023 at 7:33 AM Shumon Huque  wrote:
>> 
>> Hi folks,
>> 
>> We've posted a new draft describing the former "Black Lies" mechanism
>> for authenticated denial, now renamed as "Compact Lies".
>> 
>>https://datatracker.ietf.org/doc/draft-huque-dnsop-compact-lies/
>> 
>> We are hoping to discuss it here and at IETF116, and see if there is
>> interest in adopting the work and publishing it. We feel that it deserves a
>> stable published specification since it is now one of the dominant forms
>> of authenticated denial deployed amongst the commercial online signers
>> today (notably Cloudflare, NS1, and Amazon Route53).
>> 
>> The draft includes the NXDOMAIN/Empty Non-Terminal distinguisher
>> mechanism I described at IETF 111 ( 
>> https://datatracker.ietf.org/meeting/111/materials/slides-111-dnsop-sessb-black-lies-ent-sentinel-01
>>  ) and currently implemented
>> by NS1.
>> 
>> Christian and I are currently discussing some tweaks to that mechanism
>> which we will broach in a separate email thread shortly. This thread can be
>> used for general comments on the topic of the draft.
>> 
>> George Michaelson, in private email to me, has expressed the view
>> that we shouldn't be calling these mechanisms "Lies" any more (I'm
>> sure he will elaborate if he is inclined). I'm personally okay with that, 
>> and if
>> there is agreement, we could just call this Compact Denial of Existence,
>> and discard the "Lies" meme.
>> 
>> Shumon
>> 
> 
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] New draft: Compact Lies/Denial of Existence in DNSSEC

[George Michaelson]

My opposition is philosophical and practical.

the philosophical part, is that this is a SIGNED ASSERTION by the zone
authority. I don't think anything the zone authority says under a
signature should be called a lie, because the basis of verification is
that its exactly what was intended to be said about the state of the
zone.

its incoherent, its potentially confusing, it needs to be understood,
sure. but I don't see this as a lie.

the practical is that I think the IETF/OPS tendency to enjoy "puns"
causes huge confusion outside the cognoscenti. The re-use of the word
"peer" for instance has caused significant dismay to people in policy
or finance space who don't understand that a BGP peer does not mean
necessarily a peering zero-cost sum arrangement at layer 8 and 9
(money). -If we use "lie" this freely, then when we want to
distinguish these signed lies from the intermediary altering payload
on-the-fly we're going to have a problem of comprehension.

Having said that, I think I feel like a bit of a party pooper. What in
Australia would be called a "wowser"

It's not a big deal btw. I'm not going to go to the AD and complain
about it or make a fuss at WGLC. I just think.. its the kind of
language which may not be helpful in the longer term.

cheers

George

On Thu, Mar 2, 2023 at 7:33 AM Shumon Huque  wrote:
>
> Hi folks,
>
> We've posted a new draft describing the former "Black Lies" mechanism
> for authenticated denial, now renamed as "Compact Lies".
>
> https://datatracker.ietf.org/doc/draft-huque-dnsop-compact-lies/
>
> We are hoping to discuss it here and at IETF116, and see if there is
> interest in adopting the work and publishing it. We feel that it deserves a
> stable published specification since it is now one of the dominant forms
> of authenticated denial deployed amongst the commercial online signers
> today (notably Cloudflare, NS1, and Amazon Route53).
>
> The draft includes the NXDOMAIN/Empty Non-Terminal distinguisher
> mechanism I described at IETF 111 ( 
> https://datatracker.ietf.org/meeting/111/materials/slides-111-dnsop-sessb-black-lies-ent-sentinel-01
>  ) and currently implemented
> by NS1.
>
> Christian and I are currently discussing some tweaks to that mechanism
> which we will broach in a separate email thread shortly. This thread can be
> used for general comments on the topic of the draft.
>
> George Michaelson, in private email to me, has expressed the view
> that we shouldn't be calling these mechanisms "Lies" any more (I'm
> sure he will elaborate if he is inclined). I'm personally okay with that, and 
> if
> there is agreement, we could just call this Compact Denial of Existence,
> and discard the "Lies" meme.
>
> Shumon
>
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] IETF 116 Call for Agenda Items DNSOP WG

[Benno Overeinder]

Dear WG,

This is a Call for Agenda Items for the IETF 116 in Yokohama, Japan.

Please email the chairs  with your requests. *Or* 
drop us a pull request 
https://github.com/ietf-wg-dnsop/wg-materials/tree/main/dnsop-ietf116 
look for dnsop-ietf116-agenda-requests.md.


Please Note: Draft Submission Deadline is Monday 13 March 2023.

See https://datatracker.ietf.org/meeting/important-dates/:
2023-03-13	Monday	Internet-Draft submission cut-off (for all 
Internet-Drafts, including -00) by UTC 23:59. Upload using the I-D 
Submission Tool https://datatracker.ietf.org/submit/.



Thanks,

Suzanne
Tim
Benno

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] New draft: Compact Lies/Denial of Existence in DNSSEC

[Shumon Huque]

Hi folks,

We've posted a new draft describing the former "Black Lies" mechanism
for authenticated denial, now renamed as "Compact Lies".

https://datatracker.ietf.org/doc/draft-huque-dnsop-compact-lies/

We are hoping to discuss it here and at IETF116, and see if there is
interest in adopting the work and publishing it. We feel that it deserves a
stable published specification since it is now one of the dominant forms
of authenticated denial deployed amongst the commercial online signers
today (notably Cloudflare, NS1, and Amazon Route53).

The draft includes the NXDOMAIN/Empty Non-Terminal distinguisher
mechanism I described at IETF 111 (
https://datatracker.ietf.org/meeting/111/materials/slides-111-dnsop-sessb-black-lies-ent-sentinel-01
) and currently implemented
by NS1.

Christian and I are currently discussing some tweaks to that mechanism
which we will broach in a separate email thread shortly. This thread can be
used for general comments on the topic of the draft.

George Michaelson, in private email to me, has expressed the view
that we shouldn't be calling these mechanisms "Lies" any more (I'm
sure he will elaborate if he is inclined). I'm personally okay with that,
and if
there is agreement, we could just call this Compact Denial of Existence,
and discard the "Lies" meme.

Shumon
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-ietf-dnsop-glue-is-not-optional-07 vs. sibling glue

[Shumon Huque]

On Tue, Feb 21, 2023 at 5:50 AM Ralf Weber  wrote:

>
> These “rare” cases where the domain is not resolvable when a glue is not
> present are the ones this draft is done for. So did you look how rare
> they were in your dataset? Being able to resolve instead of not resolving
> IMHO has value even if the number is not big.
>
> We all know that a lot of data in the DNS is garbage, that should not
> stop us from using the good data.
>
> So long
> -Ralf
>

The cyclic dependency based sibling glue (Section 2.3) is arguably
a bit of a corner case, and in past discussions some folks have expressed
the view that we shouldn't make accommodations to support it. I
think I can agree with that, but there were opposing views that we also
shouldn't break configurations that currently work. So it was left in.

The case of normal (non-circular) sibling glue, described in Section
2.2 is in my opinion useful though, and also extremely common - where
it isn't necessarily required for resolution but allows resolvers to obviate
additional follow-on queries (to the same servers) to obtain the sibling
glue.
Previous lengthy discussions on this topic indicate a consensus to
retain them, but not mandate their inclusion (or set TC=1 if message
size limits are exceeded).

Note that this document does not place any requirements on DNS
resolvers, so if a resolver implementer chooses to, they can ignore
sibling glue in referral responses, and/or explicitly fetch them.

As far as bad data, I agree with Ralph. It shouldn't prevent us from
being able to use the good data. My employer has tons of domains that
use (working) sibling glue.

There was extensive discussion previously about incorrect glue,
and other types of issues ("orphaned glue"), and what could be
said to get registries/registrants to cleanup referral data in
zones. But we were strongly advised by folks deeply familiar with
TLD operations to not try to tackle that can of worms here. The
draft does make the following suggestion though: "The IETF may
want to consider a separate update to the requirements for including
glue in zone data, beyond those given in [RFC1034] and [RFC1035]."

Shumon.
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop