Re: [DNSOP] Status of draft-ietf-dnsop-dns-error-reporting

Roy Arends <> Wed, 10 November 2021 10:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3E7B93A0CC7 for <>; Wed, 10 Nov 2021 02:21:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id D0brFOnVX78H for <>; Wed, 10 Nov 2021 02:21:09 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CDF943A0CC6 for <>; Wed, 10 Nov 2021 02:21:08 -0800 (PST)
Received: by with SMTP id t11so1639125qtw.3 for <>; Wed, 10 Nov 2021 02:21:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=sGRXSJjDDHHHXW0L6Qis0HUbxtoWtzzDSJ9+5OjXGi0=; b=MSFr251yg6nGKCCkSfGM5LOAsKD9spXaSnnztMrI5D6zHKeupX2pt/AuOV3teB3Dr+ uC+JWopFHj/DTmmJjNha49knbLmJ2leWS/fXpl1yM17gtRhJjuF0PuJbuHnfZeV2V5hk kXXlruN21kC5Qd6rL1GqEmNPZrWq83k2YLeWA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=sGRXSJjDDHHHXW0L6Qis0HUbxtoWtzzDSJ9+5OjXGi0=; b=KOrX+r7jga5ImgAHZVUzbKR7WsNiJUAfnPp2eMvcidc5sa2VClQZYbyKVLr92ze0aD Lc581UQ361abDo4FZCR8ZeWKDcjtIhbWLG8y6tFofvIZb/vJxBcNeUTnoEFUvAPh2JII LhsFHuj3yeZM8L9BNuBYfRy60So1a54cWZGszekFz18w1em/tf/DzzQ6DLs4kIVAQBx5 iuz+cG4cPRtILU9nf2bLcxOUsyRAwJ8ZlhnI80LnnHUlhE7dfIQgEbSybVJySUrqvxEx Nov4O5HxcgROg74raj1crk7aGb8Bo0+rLcEPBnsILi/I/StIlfmutisEP2Zte+Xwy3VS Njrg==
X-Gm-Message-State: AOAM531Xu6Bqk6qBPX5dT4f4DUxyhEaCsRJ8CXbLtCMsUgV2SNrAS0xr sXvchm3naepsHCfsSXeMc9OT1g==
X-Google-Smtp-Source: ABdhPJwoQk6YKtVo2RFw/0PX8limCuT0mAS8fWdVOp+xqkP4Ntwg4qF15JeqMDYLgTSh3/yLxow9jA==
X-Received: by 2002:a05:622a:54f:: with SMTP id m15mr16178940qtx.365.1636539666956; Wed, 10 Nov 2021 02:21:06 -0800 (PST)
Received: from ([]) by with ESMTPSA id l2sm546542qtk.41.2021. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 10 Nov 2021 02:21:06 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
From: Roy Arends <>
In-Reply-To: <>
Date: Wed, 10 Nov 2021 10:21:03 +0000
Cc: dnsop <>, Matt Larson <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
To: "libor.peltan" <>
X-Mailer: Apple Mail (2.3654.
Archived-At: <>
Subject: Re: [DNSOP] Status of draft-ietf-dnsop-dns-error-reporting
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 10 Nov 2021 10:21:14 -0000

> On 10 Nov 2021, at 09:35, libor.peltan <> wrote:
> Hi Roy,
>> Change 2) There was an observation by developers that some authoritative servers do not parse (unknown) EDNS0 options correctly, leading to an additional roundtrip by the resolver. It was suggested that authoritative servers could return the new EDNS0 option “unsolicited”. This is already the case for Extended DNS errors. We have adopted this suggestion. It was also pointed out that this kind of unsolicited behaviour can be surveyed. We believe that one such effort is underway.
> Let me express my personal opinion here.

Thanks! I really appreciate feedback on this! Keep it coming!

> While sending unsolicited EDE seems fine for me as it's just few bytes, the error-reporting address might be usually roughly 100 bytes long,

Why would that be 100 bytes long? An error-reporting domain should be kept rather short.

> so sending it with very every response may lead to perceptible increase in traffic, including increase in TCP fallbacks.

Would it help to require the authoritative server to only add this option when there is space to do so?

> This may be tolerable, if there were some better reason for it. But I don't like argumenting with broken implementations. Always dodging broken implementation only leads to more broken implementations (see DNS Flag Day etc). In ideal case, we should aim for the state where broken implementation are failing constantly.

This is not that! If we were sending new EDNS0 options to authoritative servers, it will lead to additional round-trips to dodge broken servers. This is the way of “dodging broken implementations”. It won’t get these implementations fixed, and this additional resolver code to route around brokenness in the field will eventually end up at flag-day. 

Consider the current method of returning unsolicited new options in responses: A resolver may not handle unsolicited new EDNS0 options. They will either be fixed or not be used. This is not a negotiation, unless the resolver falls back to send a query without EDNS0. I have been told by developers that there are more broken authoritative server software out there than broken resolver software.

Field tests are taking place to measure impact.

Hope this helps!