Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt

Tony Finch <dot@dotat.at> Wed, 06 March 2019 13:03 UTC

Date: Wed, 06 Mar 2019 13:03:28 +0000
From: Tony Finch <dot@dotat.at>
To: Dave Lawrence <tale@dd.org>
cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/0o2aRekdR6ziC7YeZSfFnzONrW4>

Dave Lawrence <tale@dd.org> wrote:

> REFUSED is slightly murkier as to its exact meaning, thanks to
> overloading, but in its most commonly seen usage for lameness
> indicates a clear problem with the delegation.  Even in its other use
> cases, notably an EDNS Client Subnet error or an actual "I am
> authoritative for the name but administratively denying your
> resolution of it", I submit that if the resolver has a stale answer
> then serving it is reasonable.

This sounds like it will lead to stale answers being given instead of
re-trying other potentially working servers. I think this is wrong, and
it's inconsistent with your other reply, so I am confused.

https://mailarchive.ietf.org/arch/msg/dnsop/HIUK2ME8uHbA-cwztnrNVYRtqLc

I think serve-stale should only cover cases where servers are unreachable
or unresponsive.

If all a zone's servers start to reply REFUSED, that's a deliberate
decision to disable the zone, and resolvers should not try to keep it
alive beyond its TTL. (This is important for the take-down situations that
Paul Vixie is concerned about.)

I'm more ambivalent about the SERVFAIL case but it seems simpler to treat
it the same as REFUSED, i.e. server is working but not for this zone.

There's a big difference between the RFC 4697 (Observed DNS Resolution
Misbehavior) section 2.2 (Repeated Queries to Lame Servers) lame server
cache time of 30 minutes and the serve-stale retry time of 30 seconds,
which makes me think the serve-stale spec should explicitly update RFC
4697.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Lyme Regis to Lands End including the Isles of Scilly: South, veering west or
northwest 5 to 7, occasionally gale 8 later. Moderate or rough, becoming very
rough for a time in far west. Thundery showers. Good, occasionally poor.
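To make the policy argued for in this message concrete, here is an added example (not code from Tony Finch, the serve-stale draft, or any resolver) modelling a resolver's decision: a fresh cache entry is served as-is; once the TTL has expired, other servers are retried, and a stale answer is served only when every server is unreachable or unresponsive, while REFUSED or SERVFAIL is passed through without reviving the zone and the server is remembered as lame for the 30 minutes of RFC 4697 section 2.2. The `Outcome` enum, `CachedRR`, `Resolver` and the server-name/`replies` inputs are constructed for this illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    NOERROR = "NOERROR"
    SERVFAIL = "SERVFAIL"
    REFUSED = "REFUSED"
    TIMEOUT = "TIMEOUT"   # server unreachable or unresponsive


LAME_TTL = 30 * 60        # RFC 4697 s2.2: remember a lame server for 30 minutes


@dataclass
class CachedRR:
    rdata: str
    expires: float        # absolute time at which the record's TTL runs out


@dataclass
class Resolver:
    # server name -> time until which it is considered lame (constructed cache)
    lame_until: dict = field(default_factory=dict)

    def live_servers(self, servers, now):
        return [s for s in servers if self.lame_until.get(s, 0) <= now]

    def resolve(self, servers, replies, cached, now):
        """replies: constructed mapping server -> (Outcome, rdata or None).
        Returns (rcode, rdata, served_stale)."""
        if cached is not None and cached.expires > now:
            return ("NOERROR", cached.rdata, False)        # fresh cache hit
        live = self.live_servers(servers, now)
        if not live:
            return ("SERVFAIL", None, False)               # nothing usable to ask
        explicit_error = None
        for s in live:
            outcome, rdata = replies[s]
            if outcome is Outcome.NOERROR:
                return ("NOERROR", rdata, False)           # a working server answered
            if outcome is Outcome.TIMEOUT:
                continue                                   # retry the next server
            # REFUSED/SERVFAIL: server is up but not serving this zone.
            # Mark it lame and keep trying the others; do not serve stale.
            self.lame_until[s] = now + LAME_TTL
            explicit_error = outcome.value
        if explicit_error is not None:
            return (explicit_error, None, False)           # deliberate refusal: honour the TTL
        if cached is not None:
            return ("NOERROR", cached.rdata, True)         # all unreachable: serve stale
        return ("SERVFAIL", None, False)
```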