Hello Ted and dnsop, I'm trying really hard to find out why we do not understand each other so I dug into to dnsop archives and draft-bellis-dnsop-session-signal-00 to see if my questions were already answered somewhere. Hopefully I have better understanding and will focus on technical questions.
To be absolutely clear: There are parts of session signaling I *do like*, especially the idea to use a new OPCODE to separate "signaling" from "normal traffic". Also, I do not object to DNS-SD and other features built on top of session signaling! On 10.8.2017 14:43, Ted Lemon wrote: > Petr, forgive me for holding your feet to the fire on this, but you make > several statements along the lines of "for me, ... is stretching the > definition too far," "I disgree that this is less significant," et > cetera, but you don't actually raise any technical objections—you just > expressed uneasy feelings, with which I don't think the working group is > competent to help you. I will try my best to make the point even clearer, I promise! My objections are in the end about engineering costs, which was nicely summarized by Paul Vixie in another thread (about SWILD, but applicable to session signaling as well): https://mailarchive.ietf.org/arch/msg/dnsop/xMvOuQqWCWZtql1gqD0UwH354b8 For me the major portion of cost does not come from features (like session management etc.) but from the *framework* needed to build them. This cost increase IMHO stems from fact that the framework (SS aka DNS control plane as you named it) does not build on existing and widely available components. I believe that added complexity is one of serious technical parameters and I was objecting to it 4 months ago already: https://mailarchive.ietf.org/arch/msg/dnsop/XjbQlz5dPblzfGr0OBrr5afKBEg > Your claim that this is a new wire format is > incorrect. What it would mean for this to be a new wire format is that > it is incompatible with the existing wire format. Doing something like > that is an interesting job that is potentially worth working on, but > would have a very long deployment window, if it got deployed at all. > > What we are proposing here is not a new wire format. It is compatible > with, and enhances, the existing wire format. Let's not focus on wording but on the meaning. We can certainly call TLVs "extension" but renaming it does not remove the fundamental problem: TLVs are largely incompatible with the code we already have widely implemented and deployed everywhere in all the DNS implementations and tools. As a consequence, it is increasing engineering cost for all involved parties. Please keep in mind that "involved parties" mean also all the people who are not interested in support for session signaling but happen to work on DNS monitoring, testing, etc. This will get worse if SS gets off is used as "DNS control plane" because at that point everyone will have to support it, with all its costs. > As for whether the working group should in fact undertake some grand > design process for such a format, I don't have a strong opinion, but the > first question I would raise is simply this: do /you/ want to undertake > such an effort? If the answer is yes, can you give me a sense of what > your goals are? The reason I ask is that IETF working groups are > constrained to do work that participants are willing to do, and thus far > we have seen no evidence that you are interested in working on this > document, which has been a working group document for a year. I apologize for taking so long before noticing the draft. To paraphrase: I tried to ignore this draft for a while, but became alarmed after reading about some of the recent development, so I went and read the document. :-) > As for whether this document is in charter, what we are proposing is > certainly in scope for the working group—it's very clearly an > operational enhancement for DNS in streaming protocols. It doesn't > change the way you do DNS queries—it just adds some new capabilities for > new implementations. I think it's very clearly useful—we already have > three use cases for it. If we were to stop work on this document now, > the work that now relies on it would revert to what had been proposed > earlier, which was not as good—dnssd has been hanging fire waiting for > this work to be done because the working group wanted to cooperate with > dnsop in producing something more generally useful, rather than doing a > one-off extension like Apple's DNS Long-Lived Queries, which was never > standardized. > > So if there is something missing from the document, or something > unclear, or you wish we'd thought of ???, or think that !!! is not quite > right and have suggestions, I think that would be really helpful. And > of course the working group chairs are free to agree with your vague > feelings of unease and drop this as a working group document. > > But as for any sort of specific request that the authors or the working > group could act on, I am not hearing anything of that sort in what you > have said. Can you think about this in that context, and see if you > can more clearly articulate what it is that you find lacking in this > proposal, so that the working group can figure out how to fix it? Can > you do it soon? Okay, please let me be even more specific. I believe that WG should seek answers to following questions and add explanatory text to the draft. Looking at version draft-ietf-dnsop-session-signal-03#section-1: In general, as far as I can tell, this document gives no clear justification why it is a good idea to do it this way. What I really want, on the highest level, is to see a justification why it is a good idea *to not reuse and extend existing framework* like EDNS. We have not been told of the practical problems that preclude solutions which are closer to existing code, e.g. EDNS, which would lower the engineering costs for the whole ecosystem. Let me make clear that when I talk about EDNS and other existing stuff, I still think about variant where e.g. EDNS is used in messages with new OPCODE, so the separation is still there. This is in no way proposal to mix SS and non-SS traffic. To avoid all doubts, here is my list of specific high-level problems paragraph-by-paragraph: The existing EDNS(0) Extension Mechanism for DNS [RFC6891] is explicitly defined to only have "per-message" semantics. Whilst EDNS(0) has been used to signal at least one session related parameter (the EDNS(0) TCP Keepalive option [RFC7828]) the result is less than optimal due to the restrictions imposed by the EDNS(0) semantics and the lack of server-initiated signalling. a) What are technical reasons not to use EDNS similarly to what RFC7828 have done? Specifically what is "less than optimal"? What problems of RFC7828 are we trying to avoid? b) What is the technical reason to invent a new thing instead of solving "lack of server-initiated signaling" in EDNS instead? Without justification it seems like we are not reusing code we have and thus increasing costs unnecessarily. This document defines a new Session Signaling OPCODE used to carry persistent "per-session" operations, expressed using type-length- value (TLV) syntax, and defines an initial set of TLVs used to manage session timeouts and termination. c) What were technical reasons to standardize TLV format over something else? What technical criteria were used to design the new format? Again, without justification it seems like we are not reusing code we have and thus increasing costs unnecessarily. With EDNS(0), multiple options may be packed into a single OPT pseudo-RR, and there is no generalized mechanism for a client to be able to tell whether a server has processed or otherwise acted upon each individual option within the combined OPT RR. The specifications for each individual option need to define how each different option is to be acknowledged, if necessary. d) Is it something which is not solved by EDNS capabilities (just an example)? I really need to see a justification why it is better to start from scratch instead of improving existing standards and code. With Session Signaling, in contrast, there is no compelling motivation to pack multiple operations into a single message for efficiency reasons. Each Session Signaling operation is communicated in its own separate DNS message, and the transport protocol can take care of packing separate DNS messages into a single IP packet if appropriate. For example, TCP can pack multiple small DNS messages into a single TCP segment. The RCODE in each response message indicates the success or failure of the operation in question. e) Technically packing multiple messages into one single TCP segment is not a property of session signaling but property of the transport. It would work the same way if we were sending DNS messages with OPT containing one EDNS option at a time. Current EDNS options define how server replies to client, so the client gets a reply according to particular standard. If the option is missing in the answer then it is not supported by server, i.e. the cost of detecting unsupported options is the very same as for session signaling with TLV (one round-trip). In other words, this paragraph does not justify costs for inventing a new thing because the EDNS already can do the same. 4.1.3. EDNS(0) and TSIG Since the ARCOUNT field MUST be zero, a Session Signaling message MUST NOT contain an EDNS(0) option in the additional records section. If functionality provided by current or future EDNS(0) options is desired for Session Signaling messages, a Session Signaling Operation TLV or Modifier TLV needs to be defined to carry the necessary information. For example, the EDNS(0) Padding Option [RFC7830] used for security purposes is not permitted in a Session Signaling message, so if message padding is desired for Session Signaling messages, a Session Signaling Modifier TLV needs to be defined to perform this function. Similarly, a Session Signaling message MUST NOT contain a TSIG record. A TSIG record in a conventional DNS message is added as the last record in the additional records section, and carries a signature computed over the preceding message content. Since Session Signaling data appears after the additional records section, it would not be included in the signature calculation. If use of signatures with Session Signaling messages becomes necessary in the future, an explicit Session Signaling Modifier TLV needs to be defined to perform this function. [snip] This specification explicitly prohibits use of the EDNS(0) TCP Keepalive Option [RFC7828] in _any_ messages sent on a Session Signaling session (because it duplicates the functionality provided by the Session Signaling Keepalive operation), but messages may contain other EDNS(0) options as appropriate. f) Section 4.1.3. shows the problem in full. Approach envisioned by the draft duplicates work and thus leads to unnecessary engineering costs again. Re-inventing things for two incompatible frameworks (EDNS and SS) will cost everyone a lot of effort. Are there technical reasons justifying these costs? The document does not answer this question, which is a significant problem. Can we work together and find answers to there questions? I will be happy to participate in the process. Petr Špaček @ CZ.NIC > > Thanks! > > On Thu, Aug 10, 2017 at 7:28 AM, Petr Špaček <petr.spa...@nic.cz > <mailto:petr.spa...@nic.cz>> wrote: > > Hello Ted and dnsop, > > and sorry for delayed answer (below). Your message forced me to think > more about the draft, this time without focus on the wire format. > > Spoiler alert: I still do not like the proposal in its current form. > Please see below. > > On 21.7.2017 10:22, Ted Lemon wrote: > > I am hearing from a number of people that this is "a new protocol" and > > hence requires careful thought and perhaps a new working group, along > > with the associated delay. I do not _entirely_ disagree with this > > position, although it would be really inconvenient from my perspective. > > > > However, I would like to point out that the objection "it is a new > > protocol" is not a technical objection. Also, the same objection can > > actually much more justly be raised against several other proposals that > > were brought before the working group. For example, the multiple > > RRtypes proposal, the multiple responses proposal, and the extended > > error codes proposal. > > > > All of these define new protocol, in ways that are in, like session > > signaling, backward-compatible with the existing protocol. The other > > proposals are actually much more significant changes than session > > signaling is, in terms of what they actually do, as opposed to what > > their wire format is. > > Okay, I can see what you mean - there surely are various levels of > complexity and protocol changes proposed in the last years for dnsop. > > However I disagree that adding session signalling to DNS is less > significant change than e.g. multi-query/repose proposals. > > As you said, session signalling is a "control plane for DNS", which is a > very new thing. Keeping (IMHO significant) wire format issues aside, > adding a control plane to DNS is in my eyes a significant new > development and should be treated as such. > > > > And as for a new DNS wire format, which I also think would be a good > > idea, this is pretty clearly /not /what session signaling is. How > > would you do a DNS query with session signaling? In what way would it > > be an improvement over the existing query format? It's possible that a > > new wire format can be built on top of session signaling, but session > > signaling doesn't build a new wire format, and if we choose to do > > session signaling, that doesn't preclude doing a different wire format > > for queries later. > > Maybe one of the problems is that the current draft mixes three > things in a single document: > - The new wire format, > - DNS control plane, > - Session signaling functionality over the control plane. > This is probably making things way harder to explain to non-authors than > necessary. > > These really are separate things. I can imagine that control plane > and potentially its wire format can be together in one document (but I'm > still not convinced that the a wire format is necessary), but session > signaling functionality itself should be certainly separate from that. > > > Let's keep discussion about the wire format for later, there is even > more significant issue ahead of us: > > > Session signaling is just a control plane for DNS. It's useful. I > > would like to see it done sooner rather than later. If we are not > > going to do it sooner rather than later, I would like the reason to be > > something more than vague unease about walking backwards into a new wire > > format. > > The problem is that current proposal is creating some generic "control > DNS plane" as by-product of session signaling functionality, as we were > discussion during dnsop session. > (References: "Totally flexible format" & "Concerned with embedding DNS > messages in TLVs" in [2].) > > I believe that we really should not invent such generic mechanisms as > by-products. > > If a WG agrees that a generic DNS control plane is needed, then it needs > to be carefuly designed and described, including problem statement and > analysis related to current and potential new transports. These are > compleretely missing now. > > > Moreover, the dnsop is specifically chartered to subset of possible > changes [1] to the DNS protocol: > > 4. Publish documents to address operational issues with the DNS > protocols by extending or performing protocol maintenance > on them. Act as focal-point for operator discussion and provide > advice to the Ops ADs and other WGs on EDNS0 options, new > RRTYPEs, DNSSEC, record synthesis, or other mechanics of > extending DNS to support other applications. > > 5. Serve as a home for drafts that document the problem space > around existing or new DNS issues. The group, with the advice > and consent of the responsible AD in coordination with other areas, > will then decide whether these issues belong in DNSOP under > the existing charter and, if not, will work with the authors and > appropriate ADs to determine the proper place for the work to be > carried out. > > For me, adding control plane is just stretching this definition too far. > If session signaling is covered by this charter then we must admit > that dnsop can do anything it wants to the DNS protocol. > > [1] > http://mailarchive.ietf.org/arch/msg/dnsop/MOFBFQAaZ2iZUDje3zWNBRn9xKQ > <http://mailarchive.ietf.org/arch/msg/dnsop/MOFBFQAaZ2iZUDje3zWNBRn9xKQ> > > [2] > https://datatracker.ietf.org/meeting/99/materials/minutes-99-dnsop > <https://datatracker.ietf.org/meeting/99/materials/minutes-99-dnsop> > > > Again: > If there is a need for a "DNS control plane" then it should be enginered > as such and not invented as by-product of something else. > > Yes, it is a lot of work. And yes, it should start with problem > statement for control plane (in general) and continue from there. > > > I hope it explains why I still do not like the current proposal. > Thank you for your attention. > > Petr Špaček @ CZ.NIC > > > > > > On Fri, Jul 21, 2017 at 10:02 AM, Petr Špaček <petr.spa...@nic.cz > <mailto:petr.spa...@nic.cz> > > <mailto:petr.spa...@nic.cz <mailto:petr.spa...@nic.cz>>> wrote: > > > > On 20.7.2017 19:09, Andrew Sullivan wrote: > > > On Thu, Jul 20, 2017 at 06:59:42PM +0200, Ondřej Surý wrote: > > >>> But it's certainly another step along the way to DNSbis by > accident. > > >> > > >> Would it be useful to make it not "by accident"? > > > > > > Yes. That was basically the point I was trying to make at the > > > beginning of today's session, about overall analysis. > > > > > > > b) make this draft DNS-SD only, so it can fast forward... > > >> > > > > > > I'm not keen on this. > > > > > > > > >> c) use the changed paradigm to work on DNSbis without the > accident part? > > > > Yes please! > > > > My main opposition comes from fact that current session > signaling draft > > "accidentaly" defines new protocol which is using the old > DNS-RFC1035 as > > "transport". > > > > I would welcome DNSbis effort with clear cut. Here please note > that > > clear cut does not mean that RR format and data, for example, > has to be > > incompatible! > > > > It is still possible to share big chunks of specifications > (like RR > > definitions, namespace, etc.) but define a DNSbis protocol > which is > > clearly distinguishable from the old DNS. > > > > Petr Špaček @ CZ.NIC > > > > > I'm starting to wonder whether a bof is needed. Maybe the IAB's > > > workshop will produce some fruit? _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
