Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt

Joe Abley <> Wed, 06 March 2019 14:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 859B4126C87 for <>; Wed, 6 Mar 2019 06:37:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 9W_BpPaSr3ww for <>; Wed, 6 Mar 2019 06:37:38 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8CD96124BA8 for <>; Wed, 6 Mar 2019 06:37:38 -0800 (PST)
Received: by with SMTP id y6so10361713ioq.10 for <>; Wed, 06 Mar 2019 06:37:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=r5Mg9Bx1LjCpWH63SY7XrpqIa5gX10Pu//iK0NrruC4=; b=B9+ycT5Z7ojKPFv+8/RccmN9d/foGaRwFNqixYEpn2YV4XsbuLO3569xd439fCvQ4S 9pVZPtzWWaSbvbvh2FGH5prIhe+HTdRl/NUI88f5galg/XXoWJQ/BlSktUXfWNolRzIk ERRerclLZrOnB1VsLtaav464FqWdTo+y2I+to=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=r5Mg9Bx1LjCpWH63SY7XrpqIa5gX10Pu//iK0NrruC4=; b=uHdviEfkZo//94qrfl39w9/dPnsf2wbQnsGGrP0MmEk73SvrzB6GdzxI0OYUVsl7ZW eFzkxV4e2meybb3fAyQQVkF8P/58doyezDQNK5GJjb9dCXXed6WC4+0un29vM8HrvyGf NUjKFo91HwuEtW9q2g0/Lxquf4B7yJ3TD7iIV8VpgJNO4nmANLdWwtVdwNQEA+sGTQww XN6wqKrPKUDB+PpSExeM5FUkQET1zyj1zS/6+pdadGiRugnaGFIDtYzmdEcrMKet/v0u 5R1/o4QiqcRyzD2OcWKPL+Q2Ueh9pX04357ojSkxEzDxfu8+Yje+WG+Fa/16Vadb5zXt QUlg==
X-Gm-Message-State: APjAAAX6OgYTo6lUaoVIW7wtxGvpwFFeoUombZSpuiHvskdWfJ3o5cpU rEigaQCIVrIPm5R4HOIh3a/3UUid0z+PAQ==
X-Google-Smtp-Source: APXvYqyFuMlCAj/Xnbu86NDzyxLzHBSc1hDOy4oUVQSi6Tah8/IlqcXab2qF62foTIqDrQFSeXPSQQ==
X-Received: by 2002:a5e:8345:: with SMTP id y5mr3113007iom.163.1551883057629; Wed, 06 Mar 2019 06:37:37 -0800 (PST)
Received: from ?IPv6:2607:f2c0:e786:128f:41e5:4c2a:3356:5160? ([2607:f2c0:e786:128f:41e5:4c2a:3356:5160]) by with ESMTPSA id r21sm602508ioj.62.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 Mar 2019 06:37:36 -0800 (PST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Joe Abley <>
In-Reply-To: <>
Date: Wed, 6 Mar 2019 09:37:35 -0500
Cc: Dave Lawrence <>, dnsop <>
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <> <4253851.Zqd2zPpPcC@linux-9daj> <> <> <> <> <> <> <>
To: Tony Finch <>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 06 Mar 2019 14:37:41 -0000

On 6 Mar 2019, at 08:03, Tony Finch <> wrote:

> Dave Lawrence <> wrote:
>> REFUSED is slightly murkier as to its exact meaning, thanks to
>> overloading, but in its most commonly seen usage for lameness
>> indicates a clear problem with the delegation.  Even in its other use
>> cases, notably an EDNS Client Subnet error or an actual "I am
>> authoritative for the name but administratively denying your
>> resolution of it", I submit that if the resolver has a stale answer
>> then serving it is reasonable.
> This sounds like it will lead to stale answers being given instead of
> re-trying other potentially working servers. I think this is wrong, and
> it's inconsistent with your other reply, so I am confused.
> I think serve-stale should only cover cases where servers are unreachable
> or unresponsive.

That phrase sounds concise and definitive, but it's not really.

How recently should a server have been checked and found not to respond to conclude that it's unresponsive? What does unresponsive mean? Presumably this involves a timeout; how long? Perhaps these questions are already answered in practice by existing implementations, but I don't know that they are written down anywhere.

If a server responds to some queries but not others (e.g. same QNAME, different QTYPEs) is that unresponsive across the board? Or does responsiveness depend on the precise (QNAME, QCLASS, QTYPE) tuple?

This is not only a pedantic, annoying observation (you're welcome) but I think the last question provides an attack vector; if you can find a set of DNS authority servers that silently discards a particular kind of query, sending such queries through resolvers that are known to support serve-stale might suppress other queries and trigger the serve-stale behaviour even though the authority servers are not actually unresponsive for them.

I think it's a fair observation that such authoritative servers are broken, but I seem to think they exist e.g. due to the ongoing existence of poorly-conceived middleboxes. If I'm mistaken about that last part then I guess we're back to pedantic and annoying.