Re: [DNSOP] comments on draft-bortzmeyer-dnsop-nxdomain-cut-00
Shumon Huque <shuque@gmail.com> Tue, 24 November 2015 10:39 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C1A41B2F60 for <dnsop@ietfa.amsl.com>; Tue, 24 Nov 2015 02:39:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.601
X-Spam-Level:
X-Spam-Status: No, score=0.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MANGLED_TOOL=2.3, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U9w5Mt6r0qvN for <dnsop@ietfa.amsl.com>; Tue, 24 Nov 2015 02:39:05 -0800 (PST)
Received: from mail-qg0-x22b.google.com (mail-qg0-x22b.google.com [IPv6:2607:f8b0:400d:c04::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56E791B2F5D for <dnsop@ietf.org>; Tue, 24 Nov 2015 02:39:05 -0800 (PST)
Received: by qgeb1 with SMTP id b1so7326249qge.1 for <dnsop@ietf.org>; Tue, 24 Nov 2015 02:39:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=eZF0+CZQIunC1xY8ad1PvjOBOH3WfkKyAkUtiIQ3cek=; b=kL3alyMwvCvxIxSdnAFC1U6rXggmZC+AwRd1hrrRi4MjZGOv7SadvMatkn41dYduPm ebt4kzO4Cyf6yY0MHV76Qa2fBC6hkuYgR93cR2QtUgRCnLLCnCbtsD/vNX2ci/WfM4KE tSEXJFbu8t+/aZdRVyVv+dB59Gj4SDFf/AkJxWQENqAjGRPkzVGI+/Nh/6uhhCpAX7gQ 0IOSq8FwNBNmwpFCHLj8a/TS0SGDIB15QMvY1pArMFn38RtjwRZPLsBe0wPP0WdC5qco bpFFjdGM97uulpbuI0fTnHrmIaAmlW+0AXlnIx0QvGspOZ/Vo0u6xKDTpIQTMz6UAY/D LFIQ==
MIME-Version: 1.0
X-Received: by 10.141.3.212 with SMTP id f203mr33657455qhd.98.1448361544480; Tue, 24 Nov 2015 02:39:04 -0800 (PST)
Received: by 10.140.87.117 with HTTP; Tue, 24 Nov 2015 02:39:04 -0800 (PST)
In-Reply-To: <CAJE_bqcZnzAd0iuvfTvberU9LxEfeEHhZhDdpJQQpNb7qaQfdg@mail.gmail.com>
References: <CAJE_bqe98gi0FHAhiug7w9HCrat_m4LpByqDuy=7m9afGiroug@mail.gmail.com> <20151122135234.GA1475@laperouse.bortzmeyer.org> <CAJE_bqcZnzAd0iuvfTvberU9LxEfeEHhZhDdpJQQpNb7qaQfdg@mail.gmail.com>
Date: Tue, 24 Nov 2015 05:39:04 -0500
Message-ID: <CAHPuVdVB2LBfrYMOzZdPPxk6MdQE-ZLq4+M-XcyRrR3_8b2PKg@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
To: 神明達哉 <jinmei@wide.ad.jp>
Content-Type: multipart/alternative; boundary="001a113a94e05d7fd1052546f363"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/DUfOuLolCYl61gHwqFIt4wLeqoI>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] comments on draft-bortzmeyer-dnsop-nxdomain-cut-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2015 10:39:07 -0000
On Mon, Nov 23, 2015 at 1:08 PM, 神明達哉 <jinmei@wide.ad.jp> wrote: > At Sun, 22 Nov 2015 14:52:34 +0100, > Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote: > > > > I've read draft-bortzmeyer-dnsop-nxdomain-cut-00 > > > > Do note that -01 will be out in the next days and there are > > substantial changes. So, readers may prefer to wait 48h :-) > > Okay, I'm now referring to 01. > > > > I suspect this is highly implementation dependent and so the > > > RFC2119 'SHOULD' is not really appropriate. First off, what > > > "delete" means isn't very clear. > > > > It is now defined. ' "Deleted" means that subsequent requests for > > these names will yield NXDOMAIN. ' > > > > > But even if the resolver doesn't really "delete" the memory, it > > > could look as if it did as long as the resolver doesn't use it for > > > subsequent query handling > > > > Correct, but this is a general rule with IETF protocols: we mandate > > the external behavior, not the implementation. > > That was exactly my point, and in that sense I'd say "SHOULD delete" > is redundant (and possibly imposes unnecessary restrictions on > implementations). Yes, I agree. The current description is a bit too implementation specific. > The revised wording in 01 now looks even more > redundant: > > When an iterative caching DNS resolver stores an NXDOMAIN in its > cache, all names and RRsets at or below that node SHOULD be deleted > since they will have become unreachable. "Deleted" means that > subsequent requests for these names will yield NXDOMAIN. > > as it's already covered in the first paragraph: > > When searching downward in its cache, an iterative caching DNS > resolver SHOULD stop searching if it encounters a cached NXDOMAIN. > The response to the triggering query should be NXDOMAIN. > > (Strictly speaking it does not use a 'SHOULD' about returning NXDOMAIN > for these queries, but that should be a natural consequence of the > SHOULD about stopping the search). > > > I suggest stating that more clearly. > > > > Done > > Regarding this topic, I think it should rather refer to > qname-minimization here: > > queries. (It would be better if the SOA record in the NXDOMAIN > response were sufficient to find the non-existing domain but this is > more delicate, see Section 5.) > > than updating the interpretation of SOA. qname-minimization is much > less controversial and will certainly help in this scenario. > Also agree. I think it would be best if this draft remained focussed on correct interpretation of the NXDOMAIN response code, and leave this SOA discussion out. > > > A minor corner case, but I suspect this is not fully accurate if > > > QNAME is the name specified in the question section. > > > > Added. > > Perhaps you might introduce a dedicated terminology such as "NXDOMAIN > name" as used in someone else's comment and use it consistently, > rather than just note this once and keep using QNAME in other places. > > > One additional comment on 01: > > - Section 7 > > The technique described here may help against a denial-of-service > attack named "random qnames" and described in Section 3. > > I suggest "a denial-of-service attack on authoritative servers" for > the same reason as my comment on the "benefits" section of the > previous version. > Yes, this sounds appropriate. -- Shumon Huque
- [DNSOP] comments on draft-bortzmeyer-dnsop-nxdoma… 神明達哉
- Re: [DNSOP] comments on draft-bortzmeyer-dnsop-nx… Stephane Bortzmeyer
- Re: [DNSOP] comments on draft-bortzmeyer-dnsop-nx… 神明達哉
- Re: [DNSOP] comments on draft-bortzmeyer-dnsop-nx… Shumon Huque
- Re: [DNSOP] comments on draft-bortzmeyer-dnsop-nx… Stephane Bortzmeyer
- Re: [DNSOP] comments on draft-bortzmeyer-dnsop-nx… 神明達哉