IETF Logo Mail Archive

[DNSOP] draft-ietf-dnsop-no-response-issue-03

Edward Lewis <edward.lewis@icann.org> Thu, 18 August 2016 14:34 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B971312DD66 for <dnsop@ietfa.amsl.com>; Thu, 18 Aug 2016 07:34:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.448
X-Spam-Level:
X-Spam-Status: No, score=-5.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UZUB2SJH0CpV for <dnsop@ietfa.amsl.com>; Thu, 18 Aug 2016 07:34:58 -0700 (PDT)
Received: from out.west.pexch112.icann.org (pfe112-ca-2.pexch112.icann.org [64.78.40.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B7E812D983 for <dnsop@ietf.org>; Thu, 18 Aug 2016 07:34:58 -0700 (PDT)
Received: from PMBX112-W1-CA-1.pexch112.icann.org (64.78.40.21) by PMBX112-W1-CA-2.pexch112.icann.org (64.78.40.23) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 18 Aug 2016 07:34:55 -0700
Received: from PMBX112-W1-CA-1.pexch112.icann.org ([64.78.40.21]) by PMBX112-W1-CA-1.PEXCH112.ICANN.ORG ([64.78.40.21]) with mapi id 15.00.1178.000; Thu, 18 Aug 2016 07:34:54 -0700
From: Edward Lewis <edward.lewis@icann.org>
To: dnsop <dnsop@ietf.org>
Thread-Topic: draft-ietf-dnsop-no-response-issue-03
Thread-Index: AQHR+V2vNwwRt0Lsk0uySpJ2cAoJzw==
Date: Thu, 18 Aug 2016 14:34:54 +0000
Message-ID: <BC3FCB73-3ECA-4374-8AD5-845A452B6835@icann.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.18.0.160709
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [192.0.47.234]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="B_3554361294_203519420"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7_kFW9_2xV4CwoEBOpGf1hzwY5g>
Subject: [DNSOP] draft-ietf-dnsop-no-response-issue-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2016 14:35:00 -0000

##   A Common Operational Problem in DNS Servers - Failure To Respond.
##                 draft-ietf-dnsop-no-response-issue-03

I have a lot of high-level concerns with this document.

##1.  Introduction
##
##   The DNS [RFC1034], [RFC1035] is a query / response protocol.  Failure
##   to respond to queries or to respond incorrectly causes both immediate
##   operational problems and long term problems with protocol
##   development.

While the latter is true, operationally the DNS is not strictly query -
response.  It's more like "query - if I want to respond".  I was
"enlightened" during a project 10-15 years ago when I realized that some
DNS implementations choose silence when deciding how to respond.

Based on this premise, the prescriptive language in sections 3 and 10
are very problematic in my opinion.

##2.  Common queries kinds that result in non-responses.

This section is not built on data or a document study, making it seem
flimsy, to wit:

##   Some servers fail to respond to ...

This doesn't establish a need to react to the situation.  "Some" might be
one operator's code, etc.

##3.  Remediating

This section steers far from the purpose of defining interoperability of the
protocol.  This section gets too specific regarding the current business
of DNS registration (registry and registrars) for technical needs.  I don't
think this section belongs in an IETF document.

##7.  Response Code Selection
##
##   NOERROR (no data) are the expected response codes.  A server is not
##   supposed to serve a zone which contains unsupported types ([RFC1034])
##   so the only thing left is return if the QNAME exists or not.  NOTIMP

But we have "Handling of Unknown DNS Resource Record (RR) Types" which
contradicts that "not supposed to".  This is the closest I'll come to a "nit."

##10.  IANA Considerations
##
##   IANA / ICANN needs to consider what tests, if any, from above that it
##   should add to the zone maintenance procedures for zones under its
##   control including pre-delegation checks.  Otherwise this document has
##   no actions for IANA.

There is a lot wrong with that paragraph.  (As in, I'm not sure where to
start.)  The IANA functions operator manages according to community defined
processes, there is no internal consideration of what to test.  Further,
only delegations from the root zone are considered, not anything lower in
the tree.  (I.e., most of the issues observed wouldn't be touched.)

This document would be more useful if it clarified the use of RCODEs in the
face of queries described here, in the vein of "Negative Caching of DNS
Queries (DNS NCACHE)".  We lack any document describing the circumstances
in which RCODE values are returned and what the appropriate reaction to them
is.  As the document stands, it is unspecific regarding issues, particularly
the operational scale, and ventures into policy instead of technical
directions regarding operations.

As an afterthought - Perhaps a whitepaper (non-IETF) can be produced to describe testing methodology and results observed would be an avenue to publicize the situation seen here.

v2.23.0 | Report a Bug | By Email