Re: [DNSOP] Status of draft-ietf-dnsop-dns-error-reporting

Petr Špaček <> Fri, 12 November 2021 13:24 UTC

Date: Fri, 12 Nov 2021 14:24:26 +0100
From: Petr Špaček <>
To: Manu Bretelle <>, Roy Arends <>
Cc: dnsop <>, dnsop-chairs <>, Matt Larson <>
Subject: Re: [DNSOP] Status of draft-ietf-dnsop-dns-error-reporting

On 12. 11. 21 7:42, Manu Bretelle wrote:
> Hi Roy,
> I like the idea of an out-of-band error reporting and therefore I like 
> the proposition of this draft.
> One of the things I have a hard time visualizing though is how this 
> could be used for more than reporting DNSSEC specific errors. With the 
> option not being signed in the first place, it does not seem that DNSSEC 
> is a requirement to be able to leverage this functionality, hence it 
> would be great to think how we can make this work for more than 
> DNSSEC-only errors.

E.g. it can conceivably report errors like "resolver had to fall back to 
the Nth server because the first one we tried timed out". Is that a 
sufficient example?

> As it is, the requirement for the EDNS0 option to be in the response, 
> while it does offer some properties such as controlling sampling rate…, 
> essentially will prevent any report of answers which are not properly 
> formatted in the first place, or never received, like when a resolver is 
> not able to reach any authorities for a given name, when a resolver starts 
> falling back on stale data, and possibly in the future, failing to 
> reach over an advertised encrypted channel… There is likely value for an 
> authoritative resolver operator to be able to get report for those 
> issues too.

While I agree with the sentiment that reporting other issues would 
also be useful, I think that _for now_ we should keep the scope limited to 
situations which do not require any extra state in resolvers.

That is, reporting "no server is reachable" requires prior information 
stored or reachable somewhere else, which is IMHO an order of magnitude 
more complex task. Let's get experience with simple error reporting 
first and only then move forward to more complex tasks...

> The title of the draft: "DNS Error Reporting" would let one believe that 
> it is a somewhat generic mechanism, but I don't think it is as is. 

I disagree here. It is a generic mechanism, see the first response 
paragraph in this e-mail.

> Actually, while DNSSEC is not named in the title/abstract, the examples 
> in the abstract are DNSSEC specific, the wording in the rest of the 
> document refers for the most part to "validating resolvers". Should this 
> be a "DNSSEC Error Reporting" draft? or a "DNS Error Reporting" draft, 
> but then the function of "validating" itself should be less emphasized? 
> While a validating resolver can report more types of errors than a 
> non-validating resolver, validation is not a requirement to be able to 
> report.

Agreed, but I really don't feel the problem is that severe. Would it be 
sufficient to add more examples of non-DNSSEC errors?

> On Tue, Nov 9, 2021 at 3:07 PM Roy Arends <> wrote:
>     Dear WG,
>     Change 3) There was a lot of descriptive text about what implementations
>     should and shouldn't do, and what configurations should and
>     shouldn't do. This was found to be overly descriptive and pedantic,
>     and has now been removed.
> I see that the security consideration about not reporting errors from an 
> encrypted channel (over a supposedly unencrypted channel) has been 
> removed. Wouldn’t it make sense to leave it in order to avoid leaking 
> traffic for queries that were not previously visible on the network? 
> Possibly requiring that an encrypted channel (equal or stronger, for 
> whatever definition that may be) is used to send such reports if needed? 
> This would also make sure the mechanism is going to work once the ADo* 
> mechanisms are ironed out.

AFAIK it was removed because the only things we could place there were 
extremely vague and probably not implementable anyway.

Reason: There is _no such thing_ as a 1:1 mapping between client queries 
and outgoing queries, which makes it super hard to define anything sensible.

A simple example:

1. Client A asks for
over plain UDP (and is now waiting for resolver's answer).

2. Resolver starts recursing and eventually sends a query for NS over UDP (client sent the query over plain UDP, 
right?). At this point the query was sent but the answer was not received yet.

3. Client B asks for
over TLS

4. Resolver deduplicates the query for NS, i.e. 
queries (1) and (3) are now waiting for the same packet - delegation 
from to

5. If this deduplicated query for NS failed and came 
back with the error reporting option, what should the resolver do now? We 
have two clients waiting for it. Is the query considered "secret" or 
not? If client B (packet in step 3.) had arrived a couple of ms later, 
would it not be secret?

In short: This way madness lies.

The only sane way to implement a "never leak queries to plaintext" policy 
is to operate a TLS-only resolver and not permit non-TLS 
clients/queries. Then you can disable the error reporting feature 
completely ...

Having said that, we can have _some_ text in Security considerations 
section, but someone needs to write a sensible description - which I'm 
not capable of.

Have a great day.
Petr Špaček

> Thanks,
> Manu
>     There was a request to put the markdown version of the document in
>     GitHub. This has now been placed here:
>     <>
>     New version:
>     <>
>     Diffs:
>     <>
>     Warm regards,
>     Roy Arends
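The five-step scenario in Petr's reply, replayed as an added, constructed example (this is not code from the draft, from any resolver, or from any participant in the thread): a toy recursive resolver coalesces identical in-flight upstream queries, and when the single upstream answer fails and carries an error-reporting option it has to make one decision for every client waiting on that packet. The three policy names, the zone name "zone.example", the agent name "agent.example" and the recorded report string are this example's own inventions; the real option format and report query are not modelled. It goes slightly beyond the text by also showing the timing dependence Petr points at: whether client B's TLS query arrives before or after the upstream failure flips the outcome under a "don't report if an encrypted client is waiting" policy.

```python
"""Query coalescing vs. a "never report encrypted clients' queries" policy.

Constructed example; policy names, domain names and report strings are
hypothetical and not taken from draft-ietf-dnsop-dns-error-reporting.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PLAIN = "udp"
ENCRYPTED = "tls"
QTYPE_NS = 2  # NS record type, as in step 2 of the thread

# Hypothetical policies for deciding whether to emit a report.
REPORT_ALWAYS = "always"                              # option present => report
REPORT_UNLESS_ENCRYPTED = "unless-encrypted-waiter"   # suppress if any waiter used TLS
REPORT_NEVER = "never"                                # feature disabled (TLS-only resolver)


@dataclass
class ClientQuery:
    client: str
    transport: str  # PLAIN or ENCRYPTED


@dataclass
class InFlight:
    """One outgoing upstream query plus every client query waiting for it."""
    sent_over: str
    waiters: List[ClientQuery] = field(default_factory=list)


class Resolver:
    def __init__(self, policy: str, tls_only: bool = False) -> None:
        self.policy = policy
        self.tls_only = tls_only
        self.inflight: Dict[Tuple[str, int], InFlight] = {}
        self.reports: List[str] = []  # what would have been sent to the agent

    def client_query(self, client: str, transport: str, qname: str, qtype: int) -> int:
        """Register a client query, coalescing onto an identical in-flight one.

        Returns how many clients now wait on the same upstream packet.
        """
        if self.tls_only and transport != ENCRYPTED:
            raise ValueError(f"{client}: plaintext transport refused by TLS-only resolver")
        key = (qname.lower(), qtype)
        entry = self.inflight.get(key)
        if entry is None:
            # First asker triggers the upstream query; as in the thread's step 2
            # it goes out over plain UDP whatever the client's transport was.
            entry = InFlight(sent_over=PLAIN)
            self.inflight[key] = entry
        entry.waiters.append(ClientQuery(client, transport))
        return len(entry.waiters)

    def _should_report(self, entry: InFlight) -> bool:
        if self.policy == REPORT_NEVER:
            return False
        if self.policy == REPORT_ALWAYS:
            return True
        if self.policy == REPORT_UNLESS_ENCRYPTED:
            # One packet, several clients: the decision can only be made per
            # upstream query, so a single TLS waiter suppresses the report.
            return all(w.transport == PLAIN for w in entry.waiters)
        raise ValueError(f"unknown policy {self.policy!r}")

    def upstream_response(self, qname: str, qtype: int, failed: bool,
                          report_channel: Optional[str]) -> bool:
        """Deliver the single upstream answer to all waiters.

        Returns True if an error report was emitted for this upstream query.
        """
        entry = self.inflight.pop((qname.lower(), qtype))
        if not failed or report_channel is None:
            return False
        if not self._should_report(entry):
            return False
        self.reports.append(f"{qname}/{qtype} failed, report to agent {report_channel}")
        return True


def run_scenario(policy: str, b_before_answer: bool) -> bool:
    """Replay steps 1-5: A over UDP, B over TLS, one coalesced NS query.

    b_before_answer=True means B's query arrives while the NS query is still
    in flight (step 3/4); False means it arrives a few ms after the failed
    answer was already handled. Returns whether a report was sent for A's query.
    """
    r = Resolver(policy)
    r.client_query("A", PLAIN, "zone.example", QTYPE_NS)            # steps 1-2
    if b_before_answer:
        r.client_query("B", ENCRYPTED, "zone.example", QTYPE_NS)    # steps 3-4
    return r.upstream_response("zone.example", QTYPE_NS, failed=True,
                               report_channel="agent.example")      # step 5


if __name__ == "__main__":
    for policy in (REPORT_ALWAYS, REPORT_UNLESS_ENCRYPTED, REPORT_NEVER):
        print(policy, "B before:", run_scenario(policy, True),
              "B after:", run_scenario(policy, False))
```

Under REPORT_UNLESS_ENCRYPTED the same failed upstream packet is reported or not depending only on whether B's TLS query happened to arrive before it, which is the arbitrariness Petr describes; REPORT_NEVER (the TLS-only deployment) is the only setting whose outcome does not depend on timing.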