Re: [DNSOP] Clarifying referrals (#35)

Matthew Pounsett <> Mon, 13 November 2017 19:59 UTC

From: Matthew Pounsett <>
Date: Mon, 13 Nov 2017 11:59:35 -0800
Message-ID: <>
To: Paul Vixie <>
Cc:, "" <>, Andrew Sullivan <>

On 13 November 2017 at 11:28, Paul Vixie <> wrote:

>> ... If that were a problem, given BIND's market share, we should be
>> seeing widespread brokenness, but I don't think we are–none that's
>> making it from my support department to me or to our hostmaster@
>> accounts, at any rate.
> yikes! you remind me of the guy who said on nanog a few years back that
> since he wasn't seeing spoofed-source ddos attacks any more, we should all
> stop worrying about them.
>
> your lived experience can be cause for concern, but never for complacency.

I don't think that word means what you think it means.  Lack of concern for
a non-problem is not complacency.

The rest of us still see spoofed-source DDoS attacks, and they're a
frequent topic of discussion in the networking and DNS communities, so even
someone who doesn't see them on their network should still be aware that
they happen.  I have seen no similar discussion of REFUSED-generated chaos
in recursive servers.  If someone is seeing such brokenness, they haven't
brought it to dnsop@, or dns-operations@, or an OARC or NANOG meeting.  If
someone is seeing such brokenness, hopefully they'll speak up so that we
can advise the authoritative implementations to change their behaviour.

I use the plural there deliberately.  I referenced BIND above because that
was the implementation I was most familiar with at the time the behaviour
changed ... but it does seem to be the consensus among the authoritative
implementors that REFUSED is the correct response.  It wouldn't be the
first time that a majority of implementations settled on a behaviour that
didn't strictly follow the specification because it was necessary for good
inter-operation.  Perhaps someone who was present for an implementer's
internal discussion about replacing upward referrals could comment on the
reasoning, and what (if any) collaboration occurred between the
authoritative and recursive implementations at the time.
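The thread above turns on what an authoritative server sends back for a name it does not serve: an upward referral (NOERROR, no AA bit, root NS records in the authority section) or a flat REFUSED. The following script is an added illustration, not code from this thread or from any of the implementations discussed. It parses DNS wire-format responses directly and classifies each as REFUSED, an upward referral, a normal downward delegation, or an authoritative answer, which is the check an operator would run against a server's responses to see which behaviour it exhibits. The sample messages are constructed inline; the function and constant names (classify_response, build_response, SAMPLES) are the example's own, and the classification rule (non-AA NOERROR with NS records owned by the root = upward referral) is an assumption of the example, not a definition from the thread.

```python
"""Classify DNS responses as REFUSED, upward referral, downward referral or
authoritative answer by parsing the wire format directly (no third-party deps).
Added illustration; all sample messages below are constructed, not captured."""
import struct

TYPE_A = 1
TYPE_NS = 2
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def read_name(msg, offset):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, end, seen = [], None, set()
    while True:
        if offset in seen:
            raise ValueError("compression pointer loop")
        seen.add(offset)
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2             # the name ends after the first pointer
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    name = ".".join(labels) + "." if labels else "."
    return name, (end if end is not None else offset)


def read_rr(msg, offset):
    """Parse one resource record; NS rdata is decoded as a name."""
    owner, offset = read_name(msg, offset)
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, offset)
    offset += 10
    rdata = read_name(msg, offset)[0] if rtype == TYPE_NS else msg[offset:offset + rdlength]
    return {"owner": owner, "type": rtype, "ttl": ttl, "rdata": rdata}, offset + rdlength


def classify_response(msg):
    """Return REFUSED / another rcode name / AUTHORITATIVE / UPWARD_REFERRAL /
    DOWNWARD_REFERRAL / OTHER for one wire-format DNS response."""
    _, flags, qdcount, ancount, nscount, _ = struct.unpack_from("!HHHHHH", msg, 0)
    aa = bool(flags & 0x0400)
    rcode = flags & 0x000F                   # EDNS extended rcode bits are ignored here
    offset = 12
    for _ in range(qdcount):                 # skip the question section
        offset = read_name(msg, offset)[1] + 4
    for _ in range(ancount):                 # skip the answer section
        offset = read_rr(msg, offset)[1]
    authority = []
    for _ in range(nscount):
        rr, offset = read_rr(msg, offset)
        authority.append(rr)
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)
    if aa:
        return "AUTHORITATIVE"
    ns_owners = {rr["owner"] for rr in authority if rr["type"] == TYPE_NS}
    if ns_owners == {"."}:                   # non-AA answer pointing at the root
        return "UPWARD_REFERRAL"
    if ns_owners:
        return "DOWNWARD_REFERRAL"           # delegation toward a child zone
    return "OTHER"


def encode_name(name):
    """Uncompressed wire encoding of a dotted name ('.' is a lone zero byte)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l)
    return out + b"\x00"


def build_response(qname, rcode=0, aa=False, authority_ns=()):
    """Construct a minimal response to <qname>/A/IN with optional NS records in
    the authority section (constructed sample data, not captured traffic)."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority_ns), 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    auth = b""
    for owner, nsdname in authority_ns:
        rdata = encode_name(nsdname)
        auth += encode_name(owner) + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + auth


SAMPLES = {
    "refused": build_response("www.example.com.", rcode=5),
    "upward_referral": build_response("www.example.com.", authority_ns=[
        (".", "a.root-servers.net."), (".", "b.root-servers.net.")]),
    "downward_referral": build_response("www.example.com.", authority_ns=[
        ("example.com.", "ns1.example.com.")]),
    "authoritative": build_response("www.example.com.", aa=True),
}
# Same downward referral, but the authority owner is a compression pointer to
# "example.com." inside the question name (header 12 bytes + "\x03www" = offset 16).
_question = build_response("www.example.com.")[12:]
_rdata = encode_name("ns1.example.com.")
SAMPLES["compressed_referral"] = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 1, 0)
                                  + _question + b"\xC0\x10"
                                  + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, len(_rdata))
                                  + _rdata)

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print("%-20s -> %s" % (label, classify_response(msg)))
```

To use it against a live server, feed classify_response() the raw UDP payload of a query for a name the server is not authoritative for; a REFUSED result is the behaviour the thread describes as the current consensus, while UPWARD_REFERRAL flags a server still handing out root hints, which is the response type that was replaced (and the one that makes a server useful for reflection traffic).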