[dnsext] Lame Server responses

Edward Lewis <Ed.Lewis@neustar.biz> Mon, 11 October 2010 14:43 UTC

Message-Id: <a06240801c8d8cde3e37e@[192.168.129.62]>
Date: Mon, 11 Oct 2010 10:33:36 -0400
To: namedroppers@ops.ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: [dnsext] Lame Server responses
Cc: ed.lewis@neustar.biz
List-Archive: <http://ops.ietf.org/lists/namedroppers/>

It used to be that the response from a name server, in particular 
BIND, when it determined it was lame was to send a referral to the 
root.  In response to a network event a few years ago, this was 
thought to be a bad thing because it was being used to amplify the 
traffic volume for some apparently malicious intent.

At that time some software developers chose to suspend the referral to 
the root response.  Today, ISC's BIND returns a response code of 
REFUSED.  UltraDNS code returns SERVFAIL.  There's no specification 
for this.

One of our customers asked us what we returned when lame and we told 
them SERVFAIL.  Paraphrasing the response "but BIND returns REFUSED".

A question to the group.  Is either SERVFAIL or REFUSED acceptable? 
I am not pushing for one-or-the-other (because no one wants to change 
code unnecessarily), nor am I wanting to debate whether one response 
is better than the other.  I'll note that UltraDNS internally did 
discuss this a long time ago and we went with SERVFAIL because we 
felt it was the most apt response, but that doesn't mean there were 
other choices.

The thing is - when we get a query that we are lame for, we want to 
tell the querier something that will stop them from trying again 
(even if just for the current query).  I think both REFUSED and 
SERVFAIL do that.

Does it matter that there is no return code for LAME?  Would an 
iterating resolver need to know this?  (Given lameness can be 
fleeting, it's not a permanent state.)

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Ever get the feeling that someday if you google for your own life story,
you'll find that someone has already written it and it's on sale at Amazon?
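As an added illustration of the response codes discussed in this message (not code from the mail, from BIND or from UltraDNS), the following Python shows how an iterating resolver could classify a reply from a queried server: an explicit SERVFAIL (rcode 2) or REFUSED (rcode 5) is treated as a signal to stop retrying that server for the current query, while the older "referral to the root" shape (NOERROR, no answer, AA clear, NS records owned by ".") is recognised and not followed, since following it is what made that behaviour useful for traffic amplification. The wire layout and rcode values are from RFC 1035; the response bytes are constructed fixtures, and the classification labels and the root-referral heuristic are this example's own assumptions, not anything the list has specified.

```python
import struct

# RCODE values and RR types as defined in RFC 1035.
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_REFUSED = 0, 2, 5
TYPE_A, TYPE_NS, CLASS_IN = 1, 2, 1


def encode_name(name):
    """Wire-encode a dotted name; "" or "." is the root (a single zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode the name at msg[off], following compression pointers; return (name, next_off)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:                          # defensive: refuse pointer loops
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def _rr(owner, rtype, rdata, ttl=3600):
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, rcode=RCODE_NOERROR, aa=False, answer_ip=None, root_referral=False):
    """Construct a minimal response to an A query for qname (a test fixture, not captured traffic)."""
    answers = [_rr(qname, TYPE_A, bytes(int(x) for x in answer_ip.split(".")))] if answer_ip else []
    # Hypothetical legacy-lame shape: NS for "." in the authority section, no answer, AA clear.
    authority = [_rr(".", TYPE_NS, encode_name("a.root-servers.net."))] if root_referral else []
    flags = 0x8000 | (0x0400 if aa else 0) | (rcode & 0xF)   # QR=1, AA bit, RCODE
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + b"".join(answers) + b"".join(authority)


def classify_response(msg):
    """Decide how an iterating resolver should treat this reply from one queried server.

    Labels are this example's own: "lame-error" (SERVFAIL/REFUSED, stop retrying this
    server for this query), "root-referral" (legacy lame behaviour, do not follow),
    "authoritative" (AA set) or "other".
    """
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", msg[:12])
    rcode, aa = flags & 0xF, bool(flags & 0x0400)
    off, qname = 12, None
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    answer_rrs, authority_rrs = [], []
    for i in range(an + ns):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen                          # skip fixed fields and RDATA
        (answer_rrs if i < an else authority_rrs).append((owner, rtype))
    if rcode in (RCODE_SERVFAIL, RCODE_REFUSED):
        return "lame-error"
    if (rcode == RCODE_NOERROR and not answer_rrs and not aa and qname != "."
            and any(owner == "." and rtype == TYPE_NS for owner, rtype in authority_rrs)):
        return "root-referral"
    if aa:
        return "authoritative"
    return "other"


if __name__ == "__main__":
    for label, resp in [
        ("SERVFAIL", build_response("www.example.com.", RCODE_SERVFAIL)),
        ("REFUSED", build_response("www.example.com.", RCODE_REFUSED)),
        ("root referral", build_response("www.example.com.", root_referral=True)),
        ("answer", build_response("www.example.com.", aa=True, answer_ip="192.0.2.1")),
    ]:
        print(f"{label:14} -> {classify_response(resp)}")
```

Both REFUSED and SERVFAIL map to the same resolver decision here, which is the point made in the message: either code tells the querier not to try that server again for this query, whereas the root referral has to be recognised by shape rather than by an rcode, since no LAME rcode exists.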