Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03
Mark Andrews <marka@isc.org> Thu, 25 August 2016 21:56 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F08F112D0FB for <dnsop@ietfa.amsl.com>; Thu, 25 Aug 2016 14:56:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.449
X-Spam-Level:
X-Spam-Status: No, score=-7.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I4X3_xHmO8CS for <dnsop@ietfa.amsl.com>; Thu, 25 Aug 2016 14:56:45 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC5CC12B02C for <dnsop@ietf.org>; Thu, 25 Aug 2016 14:56:45 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id EB3293494EC; Thu, 25 Aug 2016 21:56:38 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id C155216006A; Thu, 25 Aug 2016 21:56:38 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 9C8361600A1; Thu, 25 Aug 2016 21:56:38 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id UnPuQ32rd_k5; Thu, 25 Aug 2016 21:56:38 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 3AC9C16006A; Thu, 25 Aug 2016 21:56:38 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id B6693523BE94; Fri, 26 Aug 2016 07:56:35 +1000 (EST)
To: william manning <chinese.apricot@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <BC3FCB73-3ECA-4374-8AD5-845A452B6835@icann.org> <20160825043551.GP4670@mournblade.imrryr.org> <20160825072545.36iklvmpcfcpqawg@nic.fr> <CACfw2hjDNQcZo1To2wv=oAhDF1avDwJvA1myG4NgyYjRF95zSg@mail.gmail.com> <alpine.DEB.2.11.1608251203310.14525@grey.csi.cam.ac.uk> <CACfw2hguojqbictc0RvLFQiY=1BVdQ+qA0Ot_ztdZEndHUy+Hg@mail.gmail.com> <alpine.DEB.2.11.1608251719360.2933@grey.csi.cam.ac.uk> <CAC=TB12DFHmAndeb3fJNYr1sdS6U4GOrAoKZHZUcMfh7WXmrJA@mail.gmail.com> <20160825191928.mze4bbzypq2ml2uv@nic.fr>
In-reply-to: Your message of "Thu, 25 Aug 2016 21:19:28 +0200." <20160825191928.mze4bbzypq2ml2uv@nic.fr>
Date: Fri, 26 Aug 2016 07:56:35 +1000
Message-Id: <20160825215635.B6693523BE94@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7Dkvil5-Gxpt4VwcoM8VDGmRb8Y>
Cc: Tony Finch <dot@dotat.at>, dnsop <dnsop@ietf.org>, Marek Vavruša <mvavrusa@cloudflare.com>
Subject: Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 21:56:47 -0000
Not answering queries has effects on OTHER servers. Because there are servers out there that don't answer EDNS queries or only answer the first EDNS query resolvers have to ASSUME that no answer to a EDNS quere means "NO EDNS". They then make a plain DNS query and get a answer. Those servers then get marked for a while as not supporting EDNS. This isn't a big issue until those servers are serving a signed zone. Once that server serves a signed zone you have real issues as DNSSEC responses rely on EDNS queries and you stop getting EDNS queries. The client then doesn't get the RRSIGs and can't validate. PMTUD from the server to the client has a similar loss pattern to drop on EDNS, answer on DNS. Do you see the problems caused to others by deciding to drop packets in a query / response protocol. The same thing happens with servers that don't answer EDNS options. The recursive server has to decide is this the EDNS option or EDNS or just packloss. Add in servers that don't like particular options (yes there are servers that don't answer NSID queries but do answer other EDNS options) and the problem for the recursive servers becomes bigger for the recursive server. We already have DNS zones that will not work with BIND 9.10.x and BIND 9.11.x because the servers for those zones drop queries with EDNS options present and the zones are signed. The CORRECT behaviour for a recursive server is to retry the SAME query. No answer means PACKET LOSS, usually for load but sometimes for corruption. It does NOT mean that I don't like the query. We have a rcode for that: REFUSED. When named drops packet (too many queries for the same question) the expected behaviour from the client is to timeout and retry. Its load shedding the same way as a link sheds load by dropping packets. It also isn't based on a EDNS option, EDNS flag, EDNS version, QTYPE, QCLASS, DNS flag, opcode or similar. It purely load based. For completeness named can also be configured to drop queries based on address but is drops all queries so it behaves like a dead server to that client. A nameserver / firewall should not be looking at query content and deciding not to answer based on that content. If you don't want to implement a EDNS than don't implement it. If you don't want to use a EDNS option with some client then just ignore the option. Similarly for EDNS flags. The client is expecting that unsupported options and flags will be ignored not used to decide to drop a query. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Tim Wicinski
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Mark Andrews
- [DNSOP] draft-ietf-dnsop-no-response-issue-03 Edward Lewis
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Stephane Bortzmeyer
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Viktor Dukhovni
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Mark Andrews
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 william manning
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Tony Finch
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 william manning
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Tony Finch
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Marek Vavruša
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Stephane Bortzmeyer
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Mark Andrews
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Edward Lewis
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Mark Andrews