Re: [DNSOP] I-D Action: draft-bellis-dnsop-qdcount-is-one-01.txt

2023-09-28 Thread Joe Abley
On 29 Sep 2023 at 00:09, Robert Edmonds wrote:

> I noticed that Section 4 of the draft states:
> 
>   Firewalls that process DNS messages in order to eliminate unwanted
>   traffic SHOULD treat messages with OPCODE = 0 and QDCOUNT > 1 as
>   malformed traffic.  See Section 4 of [RFC8906] for further guidance.
> 
> However, I couldn't find the guidance in Section 4 of RFC 8906 being
> referred to. Most of that section is actually about misbehavior in
> firewalls in response to well-formed traffic, not correct behavior in
> response to malformed traffic.

This text (quite possibly also the text in 8906) is very much Ray's, and I'm 
going to leave this question for him to answer when he's back from vacation. 

I could try but Ray would only have to correct me anyway so I'm skipping to the 
end.


Joe
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop


Re: [DNSOP] I-D Action: draft-bellis-dnsop-qdcount-is-one-01.txt

2023-09-28 Thread Robert Edmonds
Hi,

I noticed that Section 4 of the draft states:

   Firewalls that process DNS messages in order to eliminate unwanted
   traffic SHOULD treat messages with OPCODE = 0 and QDCOUNT > 1 as
   malformed traffic.  See Section 4 of [RFC8906] for further guidance.

However, I couldn't find the guidance in Section 4 of RFC 8906 being
referred to. Most of that section is actually about misbehavior in
firewalls in response to well-formed traffic, not correct behavior in
response to malformed traffic. The most relevant text seems to be:

   Firewalls and load balancers should not drop DNS packets that they
   don't understand.  They should either pass the packets or generate an
   appropriate error response.

   […]

   However, there may be times when a nameserver mishandles messages
   with a particular flag, EDNS option, EDNS version field, opcode, type
   or class field, or combination thereof to the point where the
   integrity of the nameserver is compromised.  Firewalls should offer
   the ability to selectively reject messages using an appropriately
   constructed response based on all these fields while awaiting a fix
   from the nameserver vendor.  Returning FORMERR or REFUSED are two
   potential error codes to return.

If I understand correctly, the QDCOUNT is a field, not a flag, so it
would not be included in the list of "a particular flag, EDNS option,
EDNS version field, opcode, type or class field, or combination thereof"
described here. Even if QDCOUNT were included in this list, I can't
think of an example where QDCOUNT > 1 would compromise the integrity of
a nameserver. One could also imagine a *valid*, non-malformed
combination of query parameters that could result in the integrity of a
nameserver being compromised, so this paragraph isn't solely about
malformed traffic. So I'm having difficulty understanding how exactly to
apply this section when reading it alongside the draft.

If the intention of Section 4 of this draft is to allow firewalls to
meddle with OPCODE = 0, QDCOUNT > 1 as a general, ongoing deployment
posture rather than as a temporary workaround "while awaiting a fix from
the nameserver vendor", it would seem to go a bit beyond the narrow
guidance in Section 4 of RFC 8906.

Also, I think the phrase "to eliminate unwanted traffic" is vague. How
would a firewall eliminate unwanted traffic? May it drop OPCODE = 0,
QDCOUNT > 1? May it synthesize a FORMERR response? If it synthesizes a
FORMERR response, should those responses be rate-limited in case the
sender's source address is spoofed?

Thanks!

Joe Abley wrote:
> Hi all,
> 
> This version mainly incorporates feedback from the room at the last meeting 
> and relates to document clarity; the advice is unchanged.
> 
> 
> Joe

-- 
Robert Edmonds

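One concrete reading of the options Robert lists above, as an added example that is not part of this thread, of the draft, or of RFC 8906: a header-only check for OPCODE = 0 with QDCOUNT > 1 that synthesises a FORMERR instead of dropping, and rate-limits those synthetic responses per source so a spoofed source address cannot turn the firewall into a reflector. The 12-byte header layout is RFC 1035; the policy choices, the `TokenBucket` helper, `firewall_action` and the sample packets built by `make_query` are my own assumptions for illustration.

```python
"""
Illustrative firewall-side check for OPCODE = 0, QDCOUNT > 1 (added example,
not code from the draft's authors, RFC 8906 or any firewall product).
Header layout: RFC 1035 section 4.1.1. Policy, limiter and sample packets
are constructed here for illustration only.
"""
import struct
import time

HEADER_LEN = 12
OPCODE_QUERY = 0
RCODE_FORMERR = 1


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def violates_qdcount_rule(msg: bytes) -> bool:
    """True for a request (QR=0) with OPCODE = 0 and QDCOUNT > 1: the case the
    draft's Section 4 says firewalls SHOULD treat as malformed. Other opcodes
    are deliberately out of scope."""
    h = parse_header(msg)
    return h["qr"] == 0 and h["opcode"] == OPCODE_QUERY and h["qdcount"] > 1


def build_formerr(msg: bytes) -> bytes:
    """Synthesise a minimal FORMERR: same ID, QR=1, same OPCODE and RD,
    RCODE=1, all section counts zero. The question section is not echoed,
    since a malformed question section cannot be trusted to parse cleanly."""
    h = parse_header(msg)
    flags = (1 << 15) | (h["opcode"] << 11) | (h["rd"] << 8) | RCODE_FORMERR
    return struct.pack("!HHHHHH", h["id"], flags, 0, 0, 0, 0)


class TokenBucket:
    """Per-source budget for synthesised error responses (assumed helper).
    Without it, packets with a spoofed source would be reflected to the victim."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.state = {}  # source -> (tokens, last_refill_time)

    def allow(self, source: str) -> bool:
        now = self.clock()
        tokens, last = self.state.get(source, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.state[source] = (tokens - 1.0, now)
            return True
        self.state[source] = (tokens, now)
        return False


def firewall_action(msg: bytes, source: str, limiter: TokenBucket) -> tuple:
    """Decide what to do with one datagram from `source`.
    Returns ("pass", None), ("formerr", response_bytes) or ("drop", None).
    Anything that does not match the rule passes untouched, in the spirit of
    RFC 8906's "should not drop DNS packets that they don't understand"."""
    try:
        if not violates_qdcount_rule(msg):
            return ("pass", None)
    except ValueError:
        return ("drop", None)          # truncated header: nothing to answer
    if limiter.allow(source):
        return ("formerr", build_formerr(msg))
    return ("drop", None)              # over budget for this source: stay silent


def make_query(ident: int, qdcount: int, opcode: int = 0) -> bytes:
    """Constructed sample packet: header plus `qdcount` copies of a question
    for example. A IN (RD set, QR=0)."""
    flags = (opcode << 11) | (1 << 8)
    question = b"\x07example\x00" + struct.pack("!HH", 1, 1)
    return struct.pack("!HHHHHH", ident, flags, qdcount, 0, 0, 0) + question * qdcount


if __name__ == "__main__":
    limiter = TokenBucket(rate=1.0, burst=5)
    for qd in (1, 2):
        action, resp = firewall_action(make_query(0x1234, qd), "192.0.2.1", limiter)
        print(f"QDCOUNT={qd}: {action}", resp.hex() if resp else "")
```

The three outcomes map onto the three choices Robert raises: well-formed or out-of-scope traffic passes, a rule match gets a synthetic FORMERR while the source is within budget, and once the per-source budget is exhausted the packet is dropped silently rather than reflected.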


Re: [DNSOP] Call for Adoption: draft-bellis-dnsop-qdcount-is-one

2023-09-28 Thread Joe Abley
Hi Tim,

On 28 Sep 2023, at 19:01, Tim Wicinski wrote:

> This starts a Call for Adoption for draft-bellis-dnsop-qdcount-is-one
> 
> 
> The draft is available here: 
> https://datatracker.ietf.org/doc/draft-bellis-dnsop-qdcount-is-one/
> 
> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and send any comments to the list, clearly stating your view.
> 
> Please also indicate if you are willing to contribute text, review, etc.

As a co-author of this document, I am very happy to continue working on it if 
it is adopted.

I am quite sure that Ray feels similarly, although he ought not to be expected 
to show up and say so since he's on vacation right now, hopefully not the kind 
of vacation that involves sending e-mail to dnsop.


Joe


Re: [DNSOP] Call for Adoption: draft-bellis-dnsop-qdcount-is-one

2023-09-28 Thread Ted Lemon
On Thu, Sep 28, 2023 at 1:00 PM Tim Wicinski wrote:

> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and send any comments to the list, clearly stating your view.
>
> Please also indicate if you are willing to contribute text, review, etc.
>

I've read the draft, agree that it should be adopted, and am happy to read
it again if for some reason it's updated, although based on discussion so
far I think it's done.


Re: [DNSOP] Call for Adoption: draft-bellis-dnsop-qdcount-is-one

2023-09-28 Thread Brian Dickson
On Thu, Sep 28, 2023 at 10:00 AM Tim Wicinski wrote:

>
> We want to thank Joe and Ray for getting this republished with the notes
> from the previous meeting.
>
> Thanks Ted and Eric for their comments today, we will remember them.
> I will say that this chair likes the appendix, to remind me what I
> have glossed over, as the authors have already corrected me on this week
> (thank you).
>
>
>
> This starts a Call for Adoption for draft-bellis-dnsop-qdcount-is-one
>
>
> The draft is available here:
> https://datatracker.ietf.org/doc/draft-bellis-dnsop-qdcount-is-one/
>
> Please review this draft to see if you think it is suitable for adoption
> by DNSOP, and send any comments to the list, clearly stating your view.
>

I support adoption by the WG. I am willing to review and contribute text.

Brian


>
> Please also indicate if you are willing to contribute text, review, etc.
>
> This call for adoption ends: October 12, 2023
>
> Thanks,
> For DNSOP co-chairs
> tim
>
>


[DNSOP] Call for Adoption: draft-bellis-dnsop-qdcount-is-one

2023-09-28 Thread Tim Wicinski
We want to thank Joe and Ray for getting this republished with the notes
from the previous meeting.

Thanks Ted and Eric for their comments today, we will remember them.
I will say that this chair likes the appendix, to remind me what I
have glossed over, as the authors have already corrected me on this week
(thank you).



This starts a Call for Adoption for draft-bellis-dnsop-qdcount-is-one


The draft is available here:
https://datatracker.ietf.org/doc/draft-bellis-dnsop-qdcount-is-one/

Please review this draft to see if you think it is suitable for adoption
by DNSOP, and send any comments to the list, clearly stating your view.

Please also indicate if you are willing to contribute text, review, etc.

This call for adoption ends: October 12, 2023

Thanks,
For DNSOP co-chairs
tim


Re: [DNSOP] I-D Action: draft-bellis-dnsop-qdcount-is-one-01.txt

2023-09-28 Thread Joe Abley
Hi Eric,

On 28 Sep 2023, at 18:15, Eric Orth wrote:

> Minor remaining complaints (that I'm not going to fight over, so ignore if 
> you really disagree):
> * I think all the stuff now in the appendix would be even better as a 
> separate Informational draft.  In my mind, appendix is acceptable, but still 
> feels like you feel it is necessary as justification for the standards change.

The idea was to anticipate and answer two questions, "isn't this already clear 
enough in the existing DNS spec?" and "why is this only being specified here 
for OPCODE 0?"

We could provide supporting text for both of those things in a different 
document, but it's not entirely clear what that would buy us beyond the general 
cost of producing a document. I can't imagine a situation where someone would 
want to cite one of those documents but not the other, for example. It's not 
like the appendix is tremendously long, and now that we have the garnish on the 
side it doesn't provide much distraction from the main sandwich.

We could also forget about the supporting text altogether, but it always seems 
worthwhile to me to record the motivation for particular clarifications in 
existing standards, especially when the protocol is foundational and 
widely-deployed. (I see this as a clarification of the standard, not a change 
to it.)

So I'm inclined to disagree.

> * The Introduction still includes a bit of justification discussion about 
> ambiguity, whereas I would argue that the more pressing justification is 
> simply ecosystem compatibility.

Well, interop and ambiguity are related, so I'm not sure those things are 
really in opposition. We can certainly add text to make it clearer that the end 
goal is interoperability if that seems like it makes the purpose of the 
document clearer.


Joe


Re: [DNSOP] I-D Action: draft-bellis-dnsop-qdcount-is-one-01.txt

2023-09-28 Thread Eric Orth
I think this generally resolves my main concerns about the previous draft
hiding the normative changes behind all the history and justification.
Thanks for the update.

Minor remaining complaints (that I'm not going to fight over, so ignore if
you really disagree):
* I think all the stuff now in the appendix would be even better as a
separate Informational draft.  In my mind, appendix is acceptable, but
still feels like you feel it is necessary as justification for the
standards change.
* The Introduction still includes a bit of justification discussion about
ambiguity, whereas I would argue that the more pressing justification is
simply ecosystem compatibility.

On Thu, Sep 28, 2023 at 9:40 AM Joe Abley wrote:

> Hi all,
>
> This version mainly incorporates feedback from the room at the last
> meeting and relates to document clarity; the advice is unchanged.
>
>
> Joe


Re: [DNSOP] Call for Adoption: draft-thomassen-dnsop-generalized-dns-notify

2023-09-28 Thread Suzanne Woolf
Hi,

The chairs have reviewed the discussion on this draft and find support for 
adopting it as a Working Group document.

Thanks to everyone who commented and especially those who offered to review.

Authors, please submit a draft-ietf-dnsop version when you're ready.


Thanks,
Suzanne & Tim & Benno

On Sep 14, 2023, at 10:10 PM, Suzanne Woolf wrote:

Dear colleagues,

This note starts a Call for Adoption for 
draft-thomassen-dnsop-generalized-dns-notify.

The draft is available here: 
https://datatracker.ietf.org/doc/draft-thomassen-dnsop-generalized-dns-notify/

Some time in the next two weeks, please review this draft to see if you think 
it is suitable for adoption by DNSOP, and send any comments to the list, 
clearly stating your view.

Please also indicate if you are willing to contribute text, review, etc. It’s 
particularly helpful if you can comment on whether you would implement or use 
this feature.

This call for adoption ends: 28 September 2023

Thanks,
Suzanne
For DNSOP co-chairs



Re: [DNSOP] I-D Action: draft-bellis-dnsop-qdcount-is-one-01.txt

2023-09-28 Thread Tim Wicinski
Thanks Joe for pulling this together.

tim


On Thu, Sep 28, 2023 at 10:57 AM Ted Lemon wrote:

> Thanks for the update. I think this does the job. I could do without the
> appendix, but I understand the urge to fully document. :)
>
> On Thu, Sep 28, 2023 at 9:40 AM Joe Abley wrote:
>
>> Hi all,
>>
>> This version mainly incorporates feedback from the room at the last
>> meeting and relates to document clarity; the advice is unchanged.
>>
>>
>> Joe


Re: [DNSOP] I-D Action: draft-bellis-dnsop-qdcount-is-one-01.txt

2023-09-28 Thread Ted Lemon
Thanks for the update. I think this does the job. I could do without the
appendix, but I understand the urge to fully document. :)

On Thu, Sep 28, 2023 at 9:40 AM Joe Abley wrote:

> Hi all,
>
> This version mainly incorporates feedback from the room at the last
> meeting and relates to document clarity; the advice is unchanged.
>
>
> Joe


Re: [DNSOP] I-D Action: draft-bellis-dnsop-qdcount-is-one-01.txt

2023-09-28 Thread Joe Abley
Hi all,

This version mainly incorporates feedback from the room at the last meeting and 
relates to document clarity; the advice is unchanged.


Joe



[DNSOP] I-D Action: draft-bellis-dnsop-qdcount-is-one-01.txt

2023-09-28 Thread internet-drafts
Internet-Draft draft-bellis-dnsop-qdcount-is-one-01.txt is now available. It
is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.

   Title:   In the DNS, QDCOUNT is (usually) One
   Authors: Ray Bellis
            Joe Abley
   Name:    draft-bellis-dnsop-qdcount-is-one-01.txt
   Pages:   7
   Dates:   2023-09-28

Abstract:

   This document clarifies the allowable values of the QDCOUNT parameter
   in DNS messages with OPCODE = 0 (QUERY) and specifies the required
   behaviour when values that are not allowed are encountered.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-bellis-dnsop-qdcount-is-one/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-bellis-dnsop-qdcount-is-one-01

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-bellis-dnsop-qdcount-is-one-01

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts

