Early Review of draft-ietf-dnsop-cds-consistency-03
review-ietf-dnsop-cds-consistency-03-dnsdir-early-blacka-2023-08-30-00
Request | Review of | draft-ietf-dnsop-cds-consistency |
---|---|---|
Requested revision | No specific revision (document currently at 05) | |
Type | Early Review | |
Team | DNS Directorate (dnsdir) | |
Deadline | 2023-08-31 | |
Requested | 2023-07-23 | |
Requested by | Tim Wicinski | |
Authors | Peter Thomassen | |
I-D last updated | 2023-08-30 | |
Completed reviews |
Dnsdir Early review of -03
by David Blacka
(diff)
Secdir Early review of -04 by Charlie Kaufman (diff) |
|
Assignment | Reviewer | David Blacka |
State | Completed | |
Request | Early review on draft-ietf-dnsop-cds-consistency by DNS Directorate Assigned | |
Posted at | https://mailarchive.ietf.org/arch/msg/dnsdir/fylDZkZJo58eRV_eL7UqxI2fccE | |
Reviewed revision | 03 (document currently at 05) | |
Result | Ready w/issues | |
Completed | 2023-08-30 |
review-ietf-dnsop-cds-consistency-03-dnsdir-early-blacka-2023-08-30-00
This draft is well-written and addresses a real operational concern: the breaking of delegations when processing CDS/CDNSKEY and CSYNC records from an out-of-step nameserver. From a specification-purity point of view, the concept of multiple providers is actually not needed or relevant to this draft. Nameservers could be out of sync for a variety of reasons. This draft could be written without a single mention of multi-provider (multi-homed?) or multi-signer situations and be shorter and perhaps clearer. Although, it might be important to point out that there are more reasons than just being out-of-sync from a single primary source. On the other hand, knowing that multiple provider setups exist is a strong motivator for this specification. Without considering multiple provider setups, we are prone to imagining that all setups are synced from a single source, and all deviation is temporal and temporary. This draft uses the term "multi-homing" in a number of places. I'm not aware of that being a generally understood term in the context of DNS. The draft seems to use "multi-homing" and "multi-provider" interchangeably. "Multi-provider" is more understandable to me from its plain meaning, but it is also not defined. RFC 8901 uses the term "Multi Signer", and does not define any other terms for this class of operational situations. Appendix A.3 of this draft almost defines the term as "Permanent Multi-Signer", although RFC 8901 generally refers to Multi Signer as permanent. If the draft is not recast to just not directly mention multi-homing/multi-provider/multi-signing setups, it should define the term near the start of the draft. I would prefer using "multi-provider" because I believe it is both clearer and less encumbered with other meanings in nearby subjects (like networking), and perhaps covers more situations than "multi-signer". My last major concern is with section 2.2, CSYNC. RFC 7477 has many rules that a parental agent must consider before accepting a CSYNC update. It is unclear how those rules interact with the rules specified in section 2.2. I think what is meant is this: Each parent-side nameserver is queried for the CSYNC RRset and the synced (NS, A, AAAA) RRsets, and that unless all of the CSYNC type map bits and sync data match, syncing must be aborted. I think some discussion of how this interacts with the existing rules is warranted. For example, the type bitmap indicates "A", but the nameservers are not at/below the delegation, so are ignored. Does it matter to the algorithm if the child nameservers have different data for the glue records? I have a few minor language tweaks that I noted while reading this draft. In the abstract: Parent-side entities (e.g. Registries, Registrars) typically discover these records by querying them from the child, and then use them to update the delegation's DS RRset accordingly. Since we are already talking about both CDS/CDNSKEY and CSYNC, we should probably be a little more inclusive here: Parent-side entities (e.g. Registries, Registrars) typically discover these records by querying them from the child, and then use them to update the delegation's DS and/or NS RRset accordingly. Although that also doesn't quite capture everything, either. In section 2, "Processing Requirements" When a response cannot be obtained from a given nameserver, the Parental Agent SHOULD attempt obtaining it at a later time should be: When a response cannot be obtained from a given nameserver, the Parental Agent SHOULD attempt to obtain it at a later time I will point that I noted some concern about the overall approach in the IETF 117 dnsops meeting. I don't entirely recall the details of the concerns, but I think it was about making CDS/et al. more brittle operationally. This would be true if this draft were not clear about how to handle non-responsive nameservers.