Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-19 Thread Paul Vixie
John Levine wrote on 2023-07-19 14:43: It appears that Paul Wouters said: On Jul 17, 2023, at 22:50, Paul Vixie wrote: ... RFC 4408 was folly. ... The IETF did make a mistake there for sure. I wouldn't disagree, but you can barely see the spots in the dirt where the barn was before

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-19 Thread John Levine
It appears that Paul Wouters said: >On Jul 17, 2023, at 22:50, Paul Vixie >wrote: >> >>  >> >>> Agreed, but that horse had already left the barn when we published the >>> first SPF RFC 4408. >> RFC 4408 was folly. TXT in a subdomain (RFC 5507 s3.2) would suit domain >> verification well

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-18 Thread Paul Wouters
On Jul 17, 2023, at 22:50, Paul Vixie wrote: > >  > >> Agreed, but that horse had already left the barn when we published the first >> SPF RFC 4408. > RFC 4408 was folly. TXT in a subdomain (RFC 5507 s3.2) would suit domain > verification well (wildcards aren't a factor) and would in no way

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-18 Thread libor.peltan
On 17. 07. 23 at 21:41 Brian Dickson wrote: TCP traffic is several orders of magnitude more expensive than UDP. This might be true, but it must be carefully considered. Yes, a performant authoritative server is able to answer (for example) 10 Mqps over UDP or 10 kqps over TCP. One

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Paul Vixie
John R. Levine wrote on 2023-07-17 18:22: On Mon, 17 Jul 2023, Shumon Huque wrote: ... This is not a new issue. It is the well known record subtyping problem that was advised against in RFC 5507 (IAB; "Design Choices When Expanding the DNS"). That advice was targeted to new RR type design,

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread John R. Levine
On Mon, 17 Jul 2023, Shumon Huque wrote: * Verifiers can't query for the specific data they need from the DNS. They need to get a potentially large blob of data and look for what is applicable to them by examining the rdata for each record in the RRset. This is not a new issue. It is the well

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Paul Wouters
On Jul 17, 2023, at 20:10, John Levine wrote: > >> I’m sure there are still plenty of tools crafting dns packets or using >> simplistic tools that are not able to do TCP or DNSSEC. > > I'm sure there used to be, but in 2023? Really? An example or two would be > interesting. As most of the

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread paul=40redbarn . org
You are right. My state mass observation was meant for the prior -1 where Joe referred to udp as a legacy protocol. Apologies for the slop. p vixie On Jul 17, 2023 17:15, David Conrad wrote: Mark, On Jul 17, 2023, at 4:23 PM, Mark Andrews wrote: >> Joe is (correctly, IMHO) pointing

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread David Conrad
Mark, On Jul 17, 2023, at 4:23 PM, Mark Andrews wrote: >> Joe is (correctly, IMHO) pointing out that given there is a need to support >> TCP-based DNS queries (see RFC 7766), prudent engineering would suggest you >> need to prepare for attacks against that infrastructure. As such arguing >>

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Shumon Huque
On Mon, Jul 17, 2023 at 7:20 PM Paul Wouters wrote: > On Jul 17, 2023, at 14:12, John R Levine wrote: > > > The only somewhat plausible argument I see against stuffing the apex is > that if people are sloppy, they might invent tokens that could be confused > with each other. > > This is an

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread John Levine
It appears that Paul Wouters said: >On Jul 17, 2023, at 14:12, John R Levine wrote: >> >>  >> In view of the wide use of DNSSEC and DoT and DoH, I think the argument that >> triggering TCP is bad stopped being persuasive a while ago. >(Don't we hope people sign the DNS responses with the

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Paul Wouters
On Jul 17, 2023, at 15:50, Joe Abley wrote: > >  > I see UDP as a legacy transport, required for backwards compatibility but > that's about it. I think you will be proven wrong QUICly  Paul

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Mark Andrews
> On 18 Jul 2023, at 08:10, David Conrad wrote: > > Paul, > > On Jul 17, 2023, at 12:52 PM, Paul Vixie > wrote: >>> If the stability of anybody's infrastructure depends on people choosing a >>> particular transport, I would suggest they might have reason to be worried. >>> Simply hoping

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Paul Wouters
On Jul 17, 2023, at 14:12, John R Levine wrote: > >  > In view of the wide use of DNSSEC and DoT and DoH, I think the argument that > triggering TCP is bad stopped being persuasive a while ago. (Don't we hope > people sign the DNS responses with the tokens?) I’m sure there are still plenty

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread David Conrad
Paul, On Jul 17, 2023, at 12:52 PM, Paul Vixie wrote: >> If the stability of anybody's infrastructure depends on people choosing a >> particular transport, I would suggest they might have reason to be worried. >> Simply hoping that people don't start using TCP in a significant way is >>

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread John R Levine
On Mon, 17 Jul 2023, Brian Dickson wrote: The stuffed apex does not only include those tokens, e.g. SPF and friends, which get queried A LOT. I forgot about SPF. Good point. In the absence of the aforementioned draft, there is no specific guidance that would lead ALL token issuers to use 20

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Paul Vixie
Joe Abley wrote on 2023-07-17 12:50: On Mon, Jul 17, 2023 at 21:41, Brian Dickson > wrote: TCP traffic is several orders of magnitude more expensive than UDP. Anything that bumps up the proportion of TCP

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Joe Abley
On Mon, Jul 17, 2023 at 21:41, Brian Dickson wrote: > TCP traffic is several orders of magnitude more expensive than UDP. > Anything that bumps up the proportion of TCP traffic in a statistically >

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Brian Dickson
On Mon, Jul 17, 2023 at 12:20 PM John R Levine wrote: > Just to be clear, I think it's quite reasonable to encourage people to put > tokens at _name but I still see it as a matter of taste, not a technical > issue. > > On Mon, 17 Jul 2023, Brian Dickson wrote: > > TCP being triggered on

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread John R Levine
Just to be clear, I think it's quite reasonable to encourage people to put tokens at _name but I still see it as a matter of taste, not a technical issue. On Mon, 17 Jul 2023, Brian Dickson wrote: TCP being triggered on resolver-auth is much more of concern, particularly when the underlying

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Brian Dickson
On Mon, Jul 17, 2023 at 11:05 AM John R Levine wrote: > >>> TCP, you already have worse problems, like DNSSEC doesn't work. > > > > Triggering TCP is still not good, even if it all works. It is still > > better avoiding by not stuffing the APEX. So I think we still want > > to leave something in

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread John R Levine
TCP, you already have worse problems, like DNSSEC doesn't work. Triggering TCP is still not good, even if it all works. It is still better avoiding by not stuffing the APEX. So I think we still want to leave something in there. In view of the wide use of DNSSEC and DoT and DoH, I think the

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Paul Wouters
On Mon, 17 Jul 2023, Florian Obser wrote: The entire discussion of response size seems like a throwback to the 1990s and I would remove it. These days if your DNS doesn't handle yeah, that might be best. TCP, you already have worse problems, like DNSSEC doesn't work. Triggering TCP is

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Florian Obser
On 2023-07-17 12:40 -04, "John Levine" wrote: > It appears that Florian Obser said: >>I gave this a once-over. >>3. Common Pitfalls >>> If the size of the response is large enough that it does not fit into >>> a single DNS UDP packet (UDP being the most common DNS transport >>> today), this

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread John Levine
It appears that Florian Obser said: >I gave this a once-over. >3. Common Pitfalls >> If the size of the response is large enough that it does not fit into >> a single DNS UDP packet (UDP being the most common DNS transport >> today), this may result in fragmentation > >That's not correct. If

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-17 Thread Florian Obser
I gave this a once-over. 1. Introduction > Generally only one temporary DNS record is sufficient for > proving domain ownership, although sometimes the DNS record must be > kept in the zone to prove continued ownership of the domain. I understand what it's trying to say, but I think "a" instead

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-10 Thread Shumon Huque
Thanks and reviews/re-reviews welcome. Note: we've held off on a few of the points that Erik Nygren raised because they require a more involved treatment (detailed discussion of the token/name/account binding process; multi provider/CDN support, etc). I've asked Erik to contribute some text on

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-10 Thread Tim Wicinski
All Shivan, Shumon and Paul have incorporated feedback from the WG as well as several area reviews, and more. It's a much better document because of that, and we thank everyone. The chairs want to give the WG a 7-10 days to review the changes and confirm there are no issues thanks tim On Mon,

Re: [DNSOP] I-D Action: draft-ietf-dnsop-domain-verification-techniques-02.txt

2023-07-10 Thread Shivan Kaul Sahib
Hi folks, we received a bunch of feedback over the last couple of months that we've addressed in this draft revision. Some notable things: 1. We now use the term "domain control validation" instead of "domain verification" since that seems to be the industry standard 2. Make the problem