[DNSOP] Comments on draft-ietf-dnsop-extended-error version 10

Mats Dufberg <mats.dufberg@internetstiftelsen.se> Mon, 30 September 2019 12:46 UTC

From: Mats Dufberg <mats.dufberg@internetstiftelsen.se>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: Comments on draft-ietf-dnsop-extended-error version 10
Thread-Index: AQHVd40at96PvqcMd0KxK88/lkWIPw==
Date: Mon, 30 Sep 2019 12:46:39 +0000
Message-ID: <1BBB6AC2-263F-42A9-99FC-48BAC3B4AF7E@iis.se>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/BNA5F0knAQV7p9T6W39H6Q7eT_U>
Subject: [DNSOP] Comments on draft-ietf-dnsop-extended-error version 10

Section 1 ends with "Receivers MUST NOT change the processing of RCODEs in messages based on extended error codes", but it is not fully clear what that statement means in the light of the description at the beginning of the same section, where the motivation for extended error codes is that the resolver cannot know what specific error lies behind, e.g., REFUSED and therefore does not know what the best next step is.

Both section 3.18 (filtered) and section 3.19 (prohibited) have code 17. In the registry table (4.2) they are code 17 and 18, respectively.

Both 3.14 (Cached error) and 3.20 (Stale NXDOMAIN answer) report that the RCODE returned was taken from the cache. In 3.20 it is described in detail what the resolver has done before the answer is returned, whereas in 3.14 there are no details at all.

3.14 needs more specification of when to use cached SERVFAIL.

I think that the last sentence in 3.20 ("This is typically caused [...] result of a DoS attack against another network") does not belong in a standards document.

In 3.22 it would be better to say that the operation or query is not supported ("Not supported"). As the text is now it is unclear by whom it is deprecated.

I suggest that the sentence "This may occur because its most recent zone is too old, or has expired, for example" is removed from 3.25 since there could be multiple reasons and it is not needed to give an example in a standard document.

Mats Dufberg
DNS Specialist
Internetstiftelsen (The Swedish Internet Foundation)
Mobile: +46 73 065 3899
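The code-collision point above (sections 3.18 and 3.19 both claiming code 17 while the registry table lists 17 and 18) is easiest to see from the receiver's side: a decoder can only map an INFO-CODE back to one meaning, so a duplicate assignment in the specification makes every decoded value for that code ambiguous. The following added example is not part of this email or the draft. It encodes and decodes the extended-error EDNS option and runs a duplicate-code check over a section-to-code assignment table. The wire layout it assumes (EDNS option code 15, a 2-octet INFO-CODE, then UTF-8 EXTRA-TEXT) is the one published later in RFC 8914 and is assumed to match this draft version; the code names in the table are limited to the two values the email itself cites, and the decoder treats EDE purely as diagnostic information, in line with the "MUST NOT change the processing of RCODEs" requirement quoted above.

```python
from __future__ import annotations

import struct

# Assumed: the EDNS option code later assigned to Extended DNS Errors (RFC 8914).
EDE_OPTION_CODE = 15

# Only the registry entries this email discusses (registry table 4.2 of the draft).
EDE_NAMES = {
    17: "Filtered",
    18: "Prohibited",
}


def encode_ede(info_code: int, extra_text: str = "") -> bytes:
    """Build one EDNS option: OPTION-CODE, OPTION-LENGTH, INFO-CODE, EXTRA-TEXT."""
    if not 0 <= info_code <= 0xFFFF:
        raise ValueError("INFO-CODE must fit in 16 bits")
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data


def decode_edns_options(rdata: bytes) -> list[tuple[int, bytes]]:
    """Walk the RDATA of an OPT RR and return (option-code, option-data) pairs.

    Length fields are checked against the buffer so a truncated or oversized
    option raises instead of reading past the end of the data.
    """
    options: list[tuple[int, bytes]] = []
    i = 0
    while i < len(rdata):
        if i + 4 > len(rdata):
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack_from("!HH", rdata, i)
        i += 4
        if i + length > len(rdata):
            raise ValueError("EDNS option length exceeds RDATA")
        options.append((code, rdata[i:i + length]))
        i += length
    return options


def decode_ede(option_data: bytes) -> tuple[int, str]:
    """Split one EDE option body into (INFO-CODE, EXTRA-TEXT)."""
    if len(option_data) < 2:
        raise ValueError("EDE option shorter than INFO-CODE")
    (info_code,) = struct.unpack_from("!H", option_data, 0)
    # EXTRA-TEXT is UTF-8 and may be empty; decode strictly so malformed text
    # is reported rather than silently replaced.
    return info_code, option_data[2:].decode("utf-8", errors="strict")


def describe_ede(rdata: bytes) -> list[str]:
    """Human-readable labels for every EDE option found in an OPT RDATA blob.

    The labels are for logging and diagnostics only; nothing here alters how
    the surrounding message's RCODE would be handled.
    """
    labels = []
    for code, data in decode_edns_options(rdata):
        if code != EDE_OPTION_CODE:
            continue
        info_code, text = decode_ede(data)
        name = EDE_NAMES.get(info_code, "unassigned")
        labels.append(f"EDE {info_code} ({name})" + (f": {text}" if text else ""))
    return labels


def find_duplicate_codes(assignments: dict[str, int]) -> dict[int, list[str]]:
    """Return every INFO-CODE claimed by more than one section, with the claimants.

    This is the editorial check behind the email's observation about 3.18/3.19.
    """
    by_code: dict[int, list[str]] = {}
    for section, code in assignments.items():
        by_code.setdefault(code, []).append(section)
    return {code: secs for code, secs in by_code.items() if len(secs) > 1}


if __name__ == "__main__":
    # Constructed sample: an OPT RDATA carrying two EDE options.
    sample = encode_ede(17) + encode_ede(18, "blocked by policy")
    for line in describe_ede(sample):
        print(line)
    # The draft text as the email reads it, versus its registry table.
    print(find_duplicate_codes({"3.18 Filtered": 17, "3.19 Prohibited": 17}))
    print(find_duplicate_codes({"3.18 Filtered": 17, "3.19 Prohibited": 18}))
```

Running the block decodes the constructed sample into its two labels and then prints the duplicate check twice: once for the section text (code 17 claimed twice) and once for the registry table (no duplicates), which is exactly the inconsistency the email reports.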