Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-svcb-https

Thu, 08 Apr 2021 00:55:05 -0700 

On 18. 03. 21 21:53, Tim Wicinski wrote:


This starts a Working Group Last Call for draft-ietf-dnsop-svcb-https

Current versions of the draft is available here:

https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/ 
<https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/>


The Current Intended Status of this document is: Proposed Standard

Please review the draft and offer relevant comments.
If this does not seem appropriate please speak out.

If someone feels the document is *not* ready for publication, please 
speak out with your reasons.



This starts a two week Working Group Last Call process, and ends on:  2 
April 2021


I realize I'm already late, but I think this is worth raising with the WG:

Version -04 contains this:

4.3.  General requirements

   Recursive resolvers SHOULD treat the SvcParams portion of the SVCB RR
   as opaque and SHOULD NOT try to alter their behavior based on its
   contents.
   When responding to a query that includes the DNSSEC OK bit
   ([RFC3225]), DNSSEC-capable recursive and authoritative DNS servers
   MUST accompany each RRSet in the Additional section with the same
   DNSSEC-related records that they would send when providing that RRSet
   as an Answer (e.g.  RRSIG, NSEC, NSEC3).



The catch is that this "SHOULD NOT ... alter behavior" goes against RPZ 
and any other filtering technique employed by the resolver.



As a specific example, operators are already asking resolver vendors to 
treat ipv4hint and ipv6hint the same way as A/AAAA for purposes of the 
"Response IP Address" Trigger in the context of RPZ filters.

(https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-rpz-00#section-4.3)


Does WG want to say anything in the HTTPS draft or leave it to the 
imagination of vendors?



In my eyes, 4.3 "SHOULD NOT ... alter behavior" is unnecessary for 
interoperability, so I think clarification is needed to make it clear 
that local policy on resolver overrides "SHOULD NOT alter" instruction 
in section 4.3. General requirements _if_ resolver operator deems necessary.



Let me be clear:

It would not be very reasonable to believe that HTTPS RR will be in 
practice allowed to work as a loophole to A/AAAA filtering on resolvers, 
so the question is if WG prefers to have it mentioned in the RFC text or 
not.


--
Petr Špaček

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop






















					Reply via email to