IETF Logo Mail Archive

[DNSOP] CloudFlare policy on ANY records changing

"Wessels, Duane" <dwessels@verisign.com> Tue, 10 March 2015 22:20 UTC

Return-Path: <dwessels@verisign.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DDCD1A9037 for <dnsop@ietfa.amsl.com>; Tue, 10 Mar 2015 15:20:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UibEacDXB3Tj for <dnsop@ietfa.amsl.com>; Tue, 10 Mar 2015 15:20:25 -0700 (PDT)
Received: from mail-qg0-f99.google.com (mail-qg0-f99.google.com [209.85.192.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 793AD1A904B for <dnsop@ietf.org>; Tue, 10 Mar 2015 15:20:23 -0700 (PDT)
Received: by qgdq107 with SMTP id q107so535305qgd.2 for <dnsop@ietf.org>; Tue, 10 Mar 2015 15:20:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:thread-topic:thread-index:date :message-id:references:in-reply-to:accept-language:content-language :content-type:mime-version; bh=XtJpM5mFnDm628vOLEaTWxncIUQI0V4tQfPVkWAi0QA=; b=mhSu6I/U9DsFHmu3jbh8q96hnWhuUp5KInYs4qwglo4wQnAFQWtueER99jlLcQ09Ru HLS553kRyGo5ksXZemriDEgowkqiiPHgiONHSWtY4zWui4m0KUg8fuUsqi6mvLAMxDDL QYWUyXDoiKKjjdcuvxvzsI+nCJ+cYq2jMwi1cIIdCUNIPUs/YWdH0qwhn9cpQXmnheb4 qJARRMw1R/XQv9suZr3WLUZQcDvnHJ/BNj/KeGzE2HtLv//wwJzvKa7gWkLqNC8dqJZz g69Ndcp5kFvm9XUUn+7qa4orWbdC6NaLuoh3WJtwlCAAkMN4nEpjEE5t4IyJh9TMji02 iZog==
X-Gm-Message-State: ALoCoQnL7lJx9BTxLpHh1onfItg66Kf+dJgnb5maXWOq53Eoy08BLXMbycPBcX0eEU78O3sj5k8DmqlKS8AIq69fjh5i2ePITQ==
X-Received: by 10.55.42.137 with SMTP id q9mr55378953qkq.14.1426026022682; Tue, 10 Mar 2015 15:20:22 -0700 (PDT)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by mx.google.com with ESMTPS id cd6sm604927qcb.2.2015.03.10.15.20.22 for <dnsop@ietf.org> (version=TLSv1 cipher=RC4-SHA bits=128/128); Tue, 10 Mar 2015 15:20:22 -0700 (PDT)
X-Relaying-Domain: verisign.com
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id t2AMKM0Q019319 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <dnsop@ietf.org>; Tue, 10 Mar 2015 18:20:22 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Tue, 10 Mar 2015 18:20:20 -0400
From: "Wessels, Duane" <dwessels@verisign.com>
To: dnsop <dnsop@ietf.org>
Thread-Topic: CloudFlare policy on ANY records changing
Thread-Index: AQHQW4Bk5v2xx91fRkSuzMP5GZWVqw==
Date: Tue, 10 Mar 2015 22:19:55 +0000
Message-ID: <0A8D7AE0-B6FF-4B85-A42B-4EBF93A17873@verisign.com>
References: <D420BEA5-A121-48B8-9C6E-A22AE33A2AA7@ogud.com> <CAEKtLiQoXY411_Jb7B432r3H1P=iA_4n5s1D0tr4RCPq+kQaAg@mail.gmail.com> <24C3FB68-BF57-4D9F-9F71-E04467A8D9F3@ogud.com> <35E6FB76-9751-41A4-BF6B-38A8F0BFF82E@puck.nether.net> <54F9FBB7.6080109@redbarn.org> <CAGmQtQJrpx_XG_OJTShsW5YqAeFKZwdMa16XW7iry9PR0_FT+A@mail.gmail.com> <20150310025859.8A04D2B21054@rock.dv.isc.org> <CAGmQtQJta4EXRD4pLOk=xVH0dGirHeb=edkPTMWLmKXBcBVK0Q@mail.gmail.com> <5B445B49-BA18-493A-A1EA-DC90C7C6D7AE@vpnc.org> <21759.4545.472775.866594@tale.kendall.corp.akamai.com> <F6A39307-6C8F-4FD5-8CAD-97775C5276A9@vpnc.org>
In-Reply-To: <F6A39307-6C8F-4FD5-8CAD-97775C5276A9@vpnc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: multipart/signed; boundary="Apple-Mail=_90701DA6-3C98-42E9-85B0-C37221F09879"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/8d0AEKSnY416rEV8gwQL25tPYsA>
Subject: [DNSOP] CloudFlare policy on ANY records changing
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2015 22:20:31 -0000

On Mar 10, 2015, at 9:34 AM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On Mar 10, 2015, at 8:46 AM, David C Lawrence <tale@akamai.com> wrote:
>> 
>> Paul Hoffman writes:
>>> On Mar 10, 2015, at 6:25 AM, Yunhong Gu <guu@google.com> wrote:
>>>> So the problem is, why NOTIMP? REFUSED sounds like a better choice. 
>>> 
>>> +1. "REFUSED" exactly describes what is going on.
>> 
>> One down side there, however, is that REFUSED as understood by
>> resolvers commonly has the semantic currently that the name is not
>> hosted by the server at all.  What used to be root referrals for lame
>> delegations is now REFUSED to minimize response size.
> 
> If a resolver is sending an ANY before it sends its actual request, that could be a problem. However, they shouldn't be doing that.
> 
> It is likely that any response we think of (even no response at all) will cause some deployed resolvers to get the wrong idea. Having said that, it is perfectly reasonable for an operator to not want to reply to an ANY, given the unclarity of what it is expected to send back and the opportunity for malicious intelligence gathering. So us saying "if you want to do this, use that" at least will cause future versions of things that relied on ANY to know what they are getting.
> 
> Also: this should probably one of the three threads on dnsop@ietf.org...


As Paul suggests, I'll attempt to redirect the conversation to dnsop.

Does it make sense to define an Extended RCODE for additional signaling?
e.g.  "REFUSED_BECAUSE_QTYPE_ANY"

If you want to respond to ANY with NOTIMP/REFUSED, would you also
be willing to include an OPT RR in your response (when appropriate)?

DW

v2.23.0 | Report a Bug | By Email