Re: [dnsext] enough is enough

Patrik Fältström <paf@frobbit.se> Mon, 22 December 2014 05:50 UTC

From: Patrik Fältström <paf@frobbit.se>
Date: Mon, 22 Dec 2014 06:50:33 +0100
To: bert hubert <bert.hubert@netherlabs.nl>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsext/BbMQqcoSbo5m-dUgClMyhlC5gd8
Cc: DNSEXT Group Working <dnsext@ietf.org>
Subject: Re: [dnsext] enough is enough
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>

> On 21 dec 2014, at 15:33, bert hubert <bert.hubert@netherlabs.nl> wrote:
> 
> On Sun, Dec 21, 2014 at 11:33:17AM +0100, Patrik Fältström wrote:
>>> The domain x.y.z fails to resolve using our software, and we have determined
>>> that this is because the software or hardware publishing the DNS details of
>>> x.y.z is not conforming to the DNS standards.
>> As Jim says, your idea is nice as it is, and there is nothing wrong with
>> the email -- but we have no idea whatsoever where to send it.
> 
> Actually, as the authors of a resolver, we know exactly where to send it. To
> the people telling me I need to fix my resolver so it works with broken
> domain X.

Ok, good. That is exactly what I claim is the most effective way of solving the issue.

> And in turn, we've found that (together with resolver operators) we can
> quickly find out what broken hardware or software is behind the issue -
> Citrix Netscalers this time round. It helps if large operators (people with
> tens of millions of customers) tell them they need to clean up their act.

Yes.

> The REAL issue right now is that we can't resist fixing a broken domain
> "because it works with Google/Unbound/Bind/Microsoft, so you must fix it".
> 
> What is needed is a pact that none of us will respect that argument on its
> own if a domain actually should be broken.
> 
>> The best path forward is I think still for you to publish clear and crisp
>> information like this on your web page so that it is found when searching
>> for help with Google and other search engines.
>> 
>> I.e. as long as no one has any issues with the brokenness, it will not be fixed.
> 
> Exactly. It should actually break therefore. If you own dodgy equipment or
> use bad software, your domain should receive lots of reports of brokenness.
> 
>> If not even TLDs are hosted correctly, and registry policies are such that
>> it encourages broken DNS configurations, I feel there is not much The
>> Protocol Police can do about it.
> 
> I'm afraid this is true. But if all big implementations decide to no longer
> play the game, the (mostly) load balancer implementations will have to clean
> up their act.
> 
> I also note that quite a lot of problems are AAAA related. This in itself is
> an impediment to IPv6 adoption!

Yes.

   Patrik