IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-05.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 11 July 2023 00:11 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4268C16B5A9 for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2023 17:11:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wyNTe64Mm502 for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2023 17:11:27 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD14EC15108F for <dnsop@ietf.org>; Mon, 10 Jul 2023 17:11:26 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id E0B7612F586; Mon, 10 Jul 2023 20:11:25 -0400 (EDT)
Date: Mon, 10 Jul 2023 20:11:25 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <ZKyeLXqCqJVrJnv5@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1583409F-8F04-4172-B9A1-94D9900402AB@dnss.ec> <ZKyHyo4Mb8I34rZI@straasha.imrryr.org> <168902931398.48962.5453408558755410157@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6p5kzSnvL1-wVyKKYuvKR58leqQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2023 00:11:30 -0000

On Mon, Jul 10, 2023 at 03:48:34PM -0700, internet-drafts@ietf.org wrote:

> A New Internet-Draft is available from the on-line Internet-Drafts
> directories. This Internet-Draft is a work item of the Domain Name
> System Operations (DNSOP) WG of the IETF.
> 
>    Title           : DNS Error Reporting
>    Authors         : Roy Arends
>                      Matt Larson
>    Filename        : draft-ietf-dnsop-dns-error-reporting-05.txt
>    Pages           : 11
>    Date            : 2023-07-10

Some comments on on the -05 update.

* Spelling:  s/unsollicited/unsolicited/

* Substance: The new text suggests using TCP **and** cookies:

       Resolvers that send error reports SHOULD send these over TCP
       [RFC7766] and SHOULD use DNS COOKIEs [RFC7873].  This makes it
       hard to falsify the source address.  The monitoring agent SHOULD
       respond to queries received over UDP with the truncation bit (TC
       bit) set to challenge the resolver to re-query over TCP.

    I don't believe it is at all common to combine TCP with cookies,
    typically cookies are used over UDP, with fallback to TCP (sans
    cookies) if the server's cookie is missing or invalid.

    So above should be "either TCP **or** COOKIES".  If error reports are
    infrequent no recent cookies will be cached for the monitoring agent,
    and obtaining a cookie will require a round trip.  So perhaps simplest
    to just use TCP.

I don't yet see any text about rate-limiting of reports beyond per
qname/qtype/info-code caching.  And yet the resolver has significant
additional context:

    - The IP address of the problem nameserver.

        * It can rate-limit the frequency of reports per nameserver IP.

    - The server zone.

        * It can rate-limit the frequency of reports per zone.

The per IP limit can be significantly more "generous", than the per-zone
limit, because some nameservers serve O(1M) zones, of which a few
thousand might exhibit a problem, while the server's overall health is
fine.  Reports for many different qnames in the same zone are likely
to be substantially redundant.

-- 
    Viktor.

v2.23.0 | Report a Bug | By Email