Re: [dane] Behavior in the face of no answer?

Andrew Sullivan <ajs@anvilwalrusden.com> Fri, 04 May 2012 11:20 UTC

Date: Fri, 4 May 2012 07:20:42 -0400
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dane@ietf.org
Message-ID: <20120504112015.GA4929@mail.yitter.info>
References: <20120504023602.GA4683@mail.yitter.info> <201205040242.q442gDgw023732@fs4113.wdf.sap.corp>
In-Reply-To: <201205040242.q442gDgw023732@fs4113.wdf.sap.corp>

On Fri, May 04, 2012 at 04:42:13AM +0200, Martin Rex wrote:
> Andrew Sullivan wrote:
> > 
> > Note that there remain _plenty_ of DNS servers deployed in the wild
> > which, if you ask them for an RRTYPE they don't know about, spit up
> > with NOTIMP, SERVFAIL, and all manner of other crappy nonsense.
> 
> You seem to be unaware that returning SERVFAIL and more so NOTIMP
> to requests for unknown RRTYPES is *PERFECTLY* conformant with
> rfc1034/rfc1035.  So if anything is _broken_, it's clients who can
> not cope with such responses (as can be seen with the IPv6 dualstack
> in Windows2003).

I'm not unaware of this (although I think there is rather less
consensus about the correctness of those RCODE responses than you seem
to be suggesting).  I just think it's crappy.  RFC 3597 was published
in 2003.  There is no excuse any more for a server of any sort to be
incapable of handling unknown RRTYPEs.  I get the arguments about
provisioning systems, and I think they're real problems.  But by now,
if your _server_ doesn't handle unknown RRTYPEs it is plainly garbage,
and ought to be off the Net.

The fundamental problem, of course, is that people who are told to go
develop a DNS server in a weekend read RFC 1034 and RFC 1035 --
usually selectively, it appears to me -- and nothing else.  I wish I
had a good idea about what to do about this.  (That's all I'll say
about it here, though, because it's plainly off-topic.)

Best,

A

-- 
Andrew Sullivan
ajs@anvilwalrusden.com
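As an added illustration of the client-side point in this exchange (not code from the thread or from any DANE implementation), the following Python builds a TLSA query and classifies the response so that SERVFAIL and NOTIMP are treated as "this server could not answer" rather than as "no such record". The function names and the constructed sample responses are the example's own.

```python
import struct

# RCODE values, RFC 1035 section 4.1.1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TLSA = 52  # RRTYPE for TLSA (RFC 6698), the record a DANE client asks for
IN = 1     # CLASS IN

def build_query(qname, qtype, txid=0x1234):
    """Build a minimal recursion-desired DNS query in wire format (RFC 1035 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, IN)

def fake_response(query, rcode, ancount=0):
    """Constructed sample only: echo the query header with QR=1 and the given RCODE."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | (flags & 0x0100) | (rcode & 0x0F)  # QR=1, keep RD, set RCODE
    return struct.pack("!HHHHHH", txid, flags, qd, ancount, 0, 0) + query[12:]

def classify_response(query, resp):
    """Decide what a response to an unusual-RRTYPE query actually means.

    SERVFAIL and NOTIMP say "this server could not answer this question";
    only NOERROR with an empty answer section or NXDOMAIN say "no such record".
    A client that conflates the two either breaks or silently skips DANE.
    """
    if len(resp) < 12:
        return "malformed"
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return "mismatch"             # not a reply to our query
    rcode = flags & 0x000F
    if rcode == 0:
        return "answer" if an > 0 else "nodata"   # ANCOUNT>0 is a simplification
    if rcode == 3:
        return "nxdomain"
    if rcode in (2, 4):               # SERVFAIL or NOTIMP
        return "server-cannot-answer"
    if rcode == 5:
        return "refused"
    return "error-" + RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
```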