Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt

Mark Andrews <> Tue, 05 March 2019 04:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 30548130F29 for <>; Mon, 4 Mar 2019 20:34:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vPTvEP-tgYU5 for <>; Mon, 4 Mar 2019 20:34:35 -0800 (PST)
Received: from ( [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B4D86130F26 for <>; Mon, 4 Mar 2019 20:34:35 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1A3323AB045; Tue, 5 Mar 2019 04:34:34 +0000 (UTC)
Received: from (localhost []) by (Postfix) with ESMTPS id F174216006D; Tue, 5 Mar 2019 04:34:33 +0000 (UTC)
Received: from localhost (localhost []) by (Postfix) with ESMTP id DBD06160075; Tue, 5 Mar 2019 04:34:33 +0000 (UTC)
Received: from ([]) by localhost ( []) (amavisd-new, port 10026) with ESMTP id 0M2339FUzfcA; Tue, 5 Mar 2019 04:34:33 +0000 (UTC)
Received: from [] ( []) by (Postfix) with ESMTPSA id 63D9E16006D; Tue, 5 Mar 2019 04:34:14 +0000 (UTC)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <>
In-Reply-To: <>
Date: Tue, 5 Mar 2019 15:33:47 +1100
Cc: dnsop <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <4253851.Zqd2zPpPcC@linux-9daj> <> <>
To: Paul Wouters <>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Mar 2019 04:34:38 -0000

> On 5 Mar 2019, at 2:59 pm, Paul Wouters <> wrote:
> On Tue, 5 Mar 2019, Mark Andrews wrote:
>>> On Tuesday, 5 March 2019 02:21:42 UTC Christopher Morrow wrote:
>>>> can I ask, what happens when a domain is intentionally down though? For
>>>> instance, take .eg... ~4yrs back? (maybe 5?) Someone requested that the
>>>> master/shadow NS go down, hard. All public auth servers eventually (in a
>>>> day or so) went dark too.
> 	"If the recursive server is unable to contact the
>         authoritative servers for a query "
> So make the DNS server reachable, but return ServFail or NXDOMAIN. If
> the owner doesn't cooperate and there is legal standing, talk to the
> parent to do this for the delegation.
> I don't think this draft stops a domain from being brought down
> intentionally.
>>> i already raised that question, very far up-thread. got no answer.
>>>> If someone is 'ordered' to make a zone dark, there may be reasons for that
>>>> action, and real penalties if the request is not honored.
>>>> Is this draft suggesting that the DNS operations folk go against the wishes
>>>> of the domain owner by keeping a domain alive after the auth servers have
>>>> become unreachable? How would a recursive resolver know that the auth is
>>>> down: "By mistake" vs: "By design" ?
> The DNS resolvers who want to accomodate their governments need to
> manually override their resolvers anyway with new (forged) data. This
> draft does not change that.
> If the owner itself wants to bring the domain down, they just need to
> make its auth servers reachable.
> If the DNS hoster wants to bring it down, they just need to modify the
> data it serves resulting in NXDOMAIN, ServFail or A records.
>>> this the essence of the argument against utility for this entire proposal. no
>>> data should be served beyond its TTL unless some new leasing protocol is first
>>> defined, to obtain permission and to provide a cache invalidation method.
> I don't really follow this reasoning. Are you saying that:
> 1) if the domain owner wants their domain to be reachable
> 2) and they have lost their auth servers due to a DDOS attack
> 3) they might prefer to be down over extending the TTL a bit
> In the non-DDOS case, the auth server is reachable and none of the data
> is getting additional TTL added:
>   Answers from authoritative servers that have a DNS Response Code of
>   either 0 (NOERROR) or 3 (NXDOMAIN) MUST be considered to have
>   refreshed the data at the resolver.  In particular, this means that
>   this method is not meant to protect against operator error at the
>   authoritative server that turns a name that is intended to be valid
>   into one that is non-existent, because there is no way for a resolver
>   to know intent.
> Although perhaps it should also explicitely state this regarding
> ServFail ?
>> And one can to that if we add 2 TTLs to each DNS record. One for total time to
>> live and one for freshness (old client get this).  It will require EDNS to signal
>> that multiple TTLs are desired and are present in the response and may require
>> using the last DNS flag bit to move the OPT record to in front of the question
>> section to make parsing easier (no trial and error).
>> Yes, this is radical but it will work and is incrementally deployable.
> See above. It seems a bit overkill for a strange corner case. But even
> so, one could specify the maximum ever allowed TTL to be like 3 days? Which
> I think is kind of enforced by most DNS resolvers anyway?
> Adding more TTLs would just make this more complicated and more error
> prone and not lead to reduced outage times which is the goal of this
> draft.

For those with long existing TTLs it would allow them to refresh the records
earlier allowing them to exist in caches longer during the DoS event.

For those with short existing TTLs it would allow them to control how long
the records exist past reachability of the DNS servers.  Most of the time
short lived TTLs are there “just in case we need to change them" or they
are doing short term load balancing between a set of servers which are
actually at stable addresses.  This would allow those functions to continue
but keep the addresses in caches longer under error conditions.

> I don't think the "4 years" is a realistic problem case.
> I can see how people want to get a few hours or a few days of usage
> beyond the TTL to accomodate for errors. Although, it is likely that
> moving up the error this way will also delay the error from being
> detected before the extra time has expired, and we are just moving
> the goal post with no effective gain. But in the case of a DDOS
> attack, the draft's feature is surely useful.

Monitoring will detect problems.

> Paul
> _______________________________________________
> DNSOP mailing list

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: