Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

Tony Finch <dot@dotat.at> Mon, 13 February 2017 22:30 UTC

From: Tony Finch <dot@dotat.at>
To: Mark Andrews <marka@isc.org>, "Wessels, Duane" <dwessels@verisign.com>
In-Reply-To: <20170213222150.436CF6397520@rock.dv.isc.org>
Date: Mon, 13 Feb 2017 22:29:58 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/C3MDQvWkrZZXpnn6JTvSpFylBXY>
Cc: Ólafur Guðmundsson <olafur@cloudflare.com>, Robert Edmonds <edmonds@mycre.ws>, dnsop <dnsop@ietf.org>


Mark Andrews <marka@isc.org> wrote:

> We don't need any new signalling.  If the answer is truncated you
> set tc=1.  This works with all existing clients.

One of the points of minimal-any is that the answer is not truncated
because you do not want clients to automatically retry over TCP. This is
to handle situations where many third-party recursive servers are under
attack using one of your names, so the recursive servers are hitting
your authoritative servers hard. RRL does not work in this case, because
the clients are legitimate recursive servers. You want to give them an
answer asap, that they can cache without hitting TCP.


Tony.

--
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
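As an added illustration of the trade-off in this exchange (my own example, not code from the thread, from the draft, or from any DNS server): a small model of an authoritative server answering QTYPE=ANY under the two policies, where "truncate" is the tc=1 behaviour Mark relies on and "minimal" is the single-RRset, TC=0 answer Tony describes. The 512-byte UDP budget, the constructed sample records and the choice of the smallest RRset are assumptions.

```python
import struct
from dataclasses import dataclass

UDP_PAYLOAD = 512  # assumed budget: classic DNS-over-UDP limit without EDNS

@dataclass
class RRset:
    rtype: str
    rdata: list   # one bytes object per RR; constructed sample data below, not real records
    ttl: int = 300

def name_len(name: str) -> int:
    """Uncompressed wire length of an owner name: a length byte per label plus the root byte."""
    return sum(len(label) + 1 for label in name.rstrip(".").split(".")) + 1

def rrset_len(name: str, rrset: RRset) -> int:
    """Per RR: NAME + TYPE, CLASS, TTL, RDLENGTH (10 bytes) + RDATA."""
    return sum(name_len(name) + 10 + len(rd) for rd in rrset.rdata)

def build_any_response(name, rrsets, policy, budget=UDP_PAYLOAD):
    """Answer a QTYPE=ANY query under one of two policies.

    'truncate': add RRsets until the UDP budget runs out, then set TC=1 so the
                resolver retries over TCP (the behaviour Mark relies on).
    'minimal':  return a single RRset with TC=0 so the resolver caches it and
                never opens a TCP connection (the minimal-any behaviour Tony describes).
    Returns (12-byte header, list of answered types, tc flag).
    """
    size = 12 + name_len(name) + 4          # header plus question (QNAME, QTYPE, QCLASS)
    # assumption: the server picks the smallest RRset; a real server chooses by its own policy
    chosen = [min(rrsets, key=lambda r: rrset_len(name, r))] if policy == "minimal" else rrsets
    answered, tc = [], False
    for rrset in chosen:
        if size + rrset_len(name, rrset) > budget:
            tc = True                       # overflow: flag truncation rather than silently dropping
            break
        size += rrset_len(name, rrset)
        answered.append(rrset)
    flags = 0x8400 | (0x0200 if tc else 0)  # QR=1, AA=1, TC is bit 9 of the flags word
    ancount = sum(len(r.rdata) for r in answered)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    return header, [r.rtype for r in answered], tc

def tc_is_set(header: bytes) -> bool:
    return bool(struct.unpack("!H", header[2:4])[0] & 0x0200)

# Constructed sample data for one name: a few small RRsets and a bulky TXT RRset.
SAMPLE_NAME = "example.com."
SAMPLE_RRSETS = [
    RRset("A", [bytes(4)]),
    RRset("AAAA", [bytes(16)] * 2),
    RRset("TXT", [bytes([255]) + b"x" * 255] * 3),
    RRset("MX", [bytes(2) + b"\x04mail\x07example\x03com\x00"]),
]
```

With these records the "truncate" policy fits A and AAAA, overflows on TXT and sets TC=1, so every querying resolver comes back over TCP; the "minimal" policy answers with just the A RRset, TC=0, which the resolver caches for its TTL.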