Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

Olafur Gudmundsson <ogud@ogud.com> Mon, 28 December 2015 14:43 UTC

From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <20151228044020.48378.qmail@ary.lan>
Date: Mon, 28 Dec 2015 09:43:01 -0500
Message-Id: <A82E8E5B-4295-439D-9293-0C7C8941D863@ogud.com>
References: <20151228044020.48378.qmail@ary.lan>
To: John Levine <johnl@taugh.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/-Ap9k2UWVIA5XtseYhYXzWYukxQ>
Cc: dnsop@ietf.org

> On Dec 27, 2015, at 11:40 PM, John Levine <johnl@taugh.com> wrote:
> 
>>> NEW
>>>   For instance, some authoritative name servers embedded in load
>>>   balancers reply properly to A queries but send REFUSED to NS queries.
>>>   This behaviour violates the DNS protocol (see Section ??? of [RFC??],
>>>   and improvements to the DNS are impeded if we accept such behaviour
>>>   as normal.
>>> END
>> 
>> Does anyone has an idea of the reference to use to replace the "???"
> 
> Given that it doesn't seem to be a protocol violation, I'd suggest this:
> 
>    For instance, some authoritative name servers embedded in load
>    balancers reply properly to A queries but send REFUSED to NS queries.
>    This behavior causes a variety of problems, such as invalid negative
>    answers, that are so severe that it is unreasonable to expect clients
>    to interoperate with them reliably and so there is no point in trying to
>    work around them.
> 
> R's,
> John
> 

For the longest time in the DNS world there have been different standards of conduct for the different functional elements.
Publishers can get away with gross misconduct, while resolvers are expected to find the answer at all cost.

I agree with your statement as the first step in calling out authorities: if they are “not nice” there is no need to try to return the answer.
In 1999 or 2000 we started seeing load balancers that returned NXDOMAIN for any query other than A for a name.
At the time the BIND 9 team argued about what to do; I still think that the behavior selected was the wrong one, i.e. ignore NXDOMAIN for an AAAA query and ask for A.

IMHO a resolver that does not like the answers it is getting from an authority has full right to stop trying to find the answer and return SERVFAIL.
I understand that operators of said resolver will get complaints that important cat pictures are unavailable...

I think for all practical purposes this situation is a great example of the “Prisoner's Dilemma” as there is no way to educate the people writing the crap software as they are insulated by multiple layers of protection.

Olafur
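As an added illustration (not part of this thread or of any resolver implementation): a toy Python model of a qname-minimising resolver talking to a simulated authority that answers A queries but sends REFUSED to NS and NXDOMAIN to every other type, as the load balancers described above do. It contrasts the "stop and return SERVFAIL" policy argued for in the mail with falling back to the full query; the zone, names, address and the two policy modes are all constructed.

```python
"""Constructed example: qname minimisation against a misbehaving authority."""

ZONE_APEX = "example.com."                           # delegation the resolver already holds
A_RECORDS = {"img.www.example.com.": "192.0.2.10"}   # constructed data, RFC 5737 range


def broken_authority(qname, qtype):
    """Mimics the misbehaving load balancer: A works, NS is REFUSED, and any
    other type (AAAA included) gets NXDOMAIN even though the name exists."""
    if qtype == "NS":
        return ("REFUSED", None)
    if qtype == "A" and qname in A_RECORDS:
        return ("NOERROR", A_RECORDS[qname])
    return ("NXDOMAIN", None)


def good_authority(qname, qtype):
    """Protocol-conformant server for the same data: an existing name with no
    records of the requested type answers NOERROR with an empty answer (NODATA)."""
    exists = any(n == qname or n.endswith("." + qname) for n in A_RECORDS)
    if not exists:
        return ("NXDOMAIN", None)
    if qtype == "A" and qname in A_RECORDS:
        return ("NOERROR", A_RECORDS[qname])
    return ("NOERROR", None)  # NODATA


def resolve(qname, qtype, authority, strict):
    """Qname minimisation below the known zone cut: send an NS query for each
    intermediate name before sending the full query. qname must end in
    ZONE_APEX (assumption of this toy). strict=True is the position taken in
    the mail: a REFUSED or NXDOMAIN on the way down ends in SERVFAIL.
    strict=False instead stops minimising and asks the full qname."""
    below = qname[: -len(ZONE_APEX)].rstrip(".").split(".")   # e.g. ["img", "www"]
    for i in range(len(below) - 1, 0, -1):
        partial = ".".join(below[i:]) + "." + ZONE_APEX        # e.g. "www.example.com."
        rcode, _ = authority(partial, "NS")
        if rcode == "NOERROR":
            continue                      # delegation or NODATA: keep walking down
        if strict:
            return ("SERVFAIL", None)     # refuse to paper over the broken authority
        break                             # lenient: give up minimising, ask in full
    return authority(qname, qtype)


if __name__ == "__main__":
    for auth in (broken_authority, good_authority):
        for strict in (True, False):
            print(auth.__name__, "strict" if strict else "lenient",
                  resolve("img.www.example.com.", "A", auth, strict))
```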