Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-05.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 11 July 2023 00:11 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4268C16B5A9 for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2023 17:11:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wyNTe64Mm502 for <dnsop@ietfa.amsl.com>; Mon, 10 Jul 2023 17:11:27 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD14EC15108F for <dnsop@ietf.org>; Mon, 10 Jul 2023 17:11:26 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id E0B7612F586; Mon, 10 Jul 2023 20:11:25 -0400 (EDT)
Date: Mon, 10 Jul 2023 20:11:25 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <ZKyeLXqCqJVrJnv5@straasha.imrryr.org>
Reply-To: dnsop@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1583409F-8F04-4172-B9A1-94D9900402AB@dnss.ec> <ZKyHyo4Mb8I34rZI@straasha.imrryr.org> <168902931398.48962.5453408558755410157@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/6p5kzSnvL1-wVyKKYuvKR58leqQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2023 00:11:30 -0000
On Mon, Jul 10, 2023 at 03:48:34PM -0700, internet-drafts@ietf.org wrote: > A New Internet-Draft is available from the on-line Internet-Drafts > directories. This Internet-Draft is a work item of the Domain Name > System Operations (DNSOP) WG of the IETF. > > Title : DNS Error Reporting > Authors : Roy Arends > Matt Larson > Filename : draft-ietf-dnsop-dns-error-reporting-05.txt > Pages : 11 > Date : 2023-07-10 Some comments on on the -05 update. * Spelling: s/unsollicited/unsolicited/ * Substance: The new text suggests using TCP **and** cookies: Resolvers that send error reports SHOULD send these over TCP [RFC7766] and SHOULD use DNS COOKIEs [RFC7873]. This makes it hard to falsify the source address. The monitoring agent SHOULD respond to queries received over UDP with the truncation bit (TC bit) set to challenge the resolver to re-query over TCP. I don't believe it is at all common to combine TCP with cookies, typically cookies are used over UDP, with fallback to TCP (sans cookies) if the server's cookie is missing or invalid. So above should be "either TCP **or** COOKIES". If error reports are infrequent no recent cookies will be cached for the monitoring agent, and obtaining a cookie will require a round trip. So perhaps simplest to just use TCP. I don't yet see any text about rate-limiting of reports beyond per qname/qtype/info-code caching. And yet the resolver has significant additional context: - The IP address of the problem nameserver. * It can rate-limit the frequency of reports per nameserver IP. - The server zone. * It can rate-limit the frequency of reports per zone. The per IP limit can be significantly more "generous", than the per-zone limit, because some nameservers serve O(1M) zones, of which a few thousand might exhibit a problem, while the server's overall health is fine. Reports for many different qnames in the same zone are likely to be substantially redundant. -- Viktor.
- [DNSOP] Working Group Last call for draft-ietf-dn… Benno Overeinder
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Wes Hardaker
- Re: [DNSOP] Working Group Last call for draft-iet… Benno Overeinder
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Willem Toorop
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Dick Franks
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Paul Wouters
- Re: [DNSOP] DNSOPWorking Group Last call for draf… Wes Hardaker
- Re: [DNSOP] Working Group Last call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Ben Schwartz
- Re: [DNSOP] Working Group Last call for draft-iet… Roy Arends
- Re: [DNSOP] Working Group Last call for draft-iet… Viktor Dukhovni
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Viktor Dukhovni
- Re: [DNSOP] Working Group Last call for draft-iet… Benno Overeinder
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Roy Arends