IETF Logo Mail Archive

Re: [DNSOP] Clarifying referrals (#35)

Evan Hunt <each@isc.org> Tue, 14 November 2017 08:06 UTC

Return-Path: <each@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 365E6128DF6 for <dnsop@ietfa.amsl.com>; Tue, 14 Nov 2017 00:06:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vM2emdSQbqpK for <dnsop@ietfa.amsl.com>; Tue, 14 Nov 2017 00:06:42 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2AEC124234 for <dnsop@ietf.org>; Tue, 14 Nov 2017 00:06:42 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [149.20.48.19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 250C93B1174; Tue, 14 Nov 2017 08:06:38 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10292) id 10F2D216C1C; Tue, 14 Nov 2017 08:06:38 +0000 (UTC)
Date: Tue, 14 Nov 2017 08:06:38 +0000
From: Evan Hunt <each@isc.org>
To: Paul Vixie <paul@redbarn.org>
Cc: Andrew Sullivan <ajs@anvilwalrusden.com>, dnsop@ietf.org
Message-ID: <20171114080638.GA41253@isc.org>
References: <20171112075445.tf2ut5dxzhhnqe7l@mx4.yitter.info> <20171112131831.GA32208@laperouse.bortzmeyer.org> <20171113014445.ncldrwnuuvluecx7@mx4.yitter.info> <5A08FD96.8030907@redbarn.org> <20171113020736.ga7rzgst2hurb56h@mx4.yitter.info> <5A09068A.3030206@redbarn.org> <20171113032640.tbn7icsllm6jeeny@mx4.yitter.info> <5A09C4D6.6080202@redbarn.org> <20171114063209.gjubqyovnwcrl33a@mx4.yitter.info> <5A0A952F.1060001@redbarn.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5A0A952F.1060001@redbarn.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/87_XKMdA9fHo3gqjoTRGhh9_iLo>
Subject: Re: [DNSOP] Clarifying referrals (#35)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 08:06:44 -0000

On Mon, Nov 13, 2017 at 11:03:11PM -0800, Paul Vixie wrote:
> while specific guidance was not given as to resolver action in response 
> to each possible authority RCODE, i have both witnessed and implemented 
> full resolvers which treated REFUSED as a permanent failure whereas 
> SERVFAIL was a temporary failure.

What do you mean by "permanent" in this context?

As far as I know, BIND treats REFUSED as persistent during the resolution
process -- i.e., it won't bother to retry the same server with the same
query immediately.  It would go to the next delegated name server, and if
all servers refused, eventually it would return SERVFAIL to the client.

It might add the address to a bad server cache; I'm not actually sure
whether it does that in this scenario, I'd have to check.  If it does, that
would keep it from retrying the server for 30 minutes, which is a
reasonable recovery time for the "haven't caught up with my inbox"
class of error.

> treating "i don't have the zone configured" as a REFUSED condition, 
> while treating "i can't write the secondary zone" or "i can't read the 
> primary zone" as SERVFAIL conditions, adds no value, but does subtract 
> it.

I'm not seeing the value subtracted.  In those two cases, your server knows
that it's *supposed* to be authoritative for the zone in question, and that
there's a problem preventing it from answering.  This fits the definition
of SERVFAIL, "unable to process this query due to a problem with the name
server", and the other case doesn't.

> usually when i don't have a zone configured that is delegated to me, 
> it's because i have not caught up with my inbox, or i have FUBAR'd my 
> configuration file using "git" or similar. in those cases, the name 
> being looked up _might exist_ and retrying later _might succeed_.

Or, very likely, the parent zone is misconfigured or out of date, in which
case the name doesn't exist and retrying later won't sucseed.  Perhaps you
run a secondary name service and your customer hasn't paid the bill, or
they're in the process of switching to a new provider, or they just put in
the wrong glue.  Your server isn't failing; it's just being asked for a
name it never heard of.

> i have heard a number of folks argue that this logic is common, but i 
> have heard noone argue that it is superior to known alternatives. can we 
> hear someone who is in favour of this for reasons beyond "five million 
> frenchmen cannot be wrong"?

I wish NOTAUTH had been defined in 1035. Since it wasn't, there are only
three answers that make any sense: NOERROR with upward referral, SERVFAIL,
REFUSED.  We already disposed of upward referral.  SERVFAIL gets you
spurious retries.  REFUSED makes the querant go away for a sensible amount
of time; we have ten years of operational experience with it.  I don't see
the problem.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.

v2.23.0 | Report a Bug | By Email