IETF Logo Mail Archive

Re: [DNSOP] Last Call: <draft-ietf-dnsop-no-response-issue-14.txt> (A Common Operational Problem in DNS Servers - Failure To Communicate.) to Best Current Practice

Mark Andrews <marka@isc.org> Tue, 10 March 2020 22:34 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B99363A048D; Tue, 10 Mar 2020 15:34:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4OELerAXWA-m; Tue, 10 Mar 2020 15:34:00 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAEE93A047F; Tue, 10 Mar 2020 15:34:00 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 8B58A3AB092; Tue, 10 Mar 2020 22:34:00 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 6868F160089; Tue, 10 Mar 2020 22:34:00 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 4D358160095; Tue, 10 Mar 2020 22:34:00 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id XqAtwAKrwJRi; Tue, 10 Mar 2020 22:34:00 +0000 (UTC)
Received: from [1.0.0.3] (unknown [49.2.105.120]) by zmx1.isc.org (Postfix) with ESMTPSA id 2484A160089; Tue, 10 Mar 2020 22:33:58 +0000 (UTC)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CAHw9_iK1ndqiDpR3uTRo5YbYmqWG_mE5Jxx5LS2qU0rSX33FAg@mail.gmail.com>
Date: Wed, 11 Mar 2020 09:33:55 +1100
Cc: draft-ietf-dnsop-no-response-issue@ietf.org, DNSOP-Chairs <dnsop-chairs@ietf.org>, dnsop <dnsop@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <FBD42C33-448E-4B28-8938-E4CA5431B025@isc.org>
References: <157559763911.16433.13149772616705852561.idtracker@ietfa.amsl.com> <CAHw9_iJusBODpYOgmZ7q7mhED7wz9_PsF2nZSYN+DWyUBSVPRw@mail.gmail.com> <CAHw9_iK1ndqiDpR3uTRo5YbYmqWG_mE5Jxx5LS2qU0rSX33FAg@mail.gmail.com>
To: Warren Kumari <warren@kumari.net>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/DrDcbbsAQ79TZfrpYiZzBXBAK3k>
Subject: Re: [DNSOP] Last Call: <draft-ietf-dnsop-no-response-issue-14.txt> (A Common Operational Problem in DNS Servers - Failure To Communicate.) to Best Current Practice
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 22:34:03 -0000


> On 11 Mar 2020, at 00:54, Warren Kumari <warren@kumari.net> wrote:
> 
> On Thu, Dec 19, 2019 at 8:28 PM Warren Kumari <warren@kumari.net> wrote:
>> 
>> [ Note: CC list edited ]
>> 
>> Hi there authors,
>> 
>> During the IETF LC Stephane supported the document (an important
>> document, worthy of publication), but noted that:
>> 1: the document only deals with auth servers and that it should be
>> more explicit and
> 
> So, finally a new version, but from what I can see, you didn't address
> the above, nor did you add an Acknowledgements section.

Because it isn’t authoritative only.  I could add “when test recursive servers
set RD=1 and choose a zone name you know to exist, e.g. the root” for those test that depend
on the SOA record existing in the reply.  There are lots of tests in there that
should give the same result independent of the setting of RD or the QNAME.

Will add

      <t>
        When testing recursive servers set RD=1 and choose a zone
        name that is know to exist and is not being served by the
        recursive server.  The root zone (".") is often a good
        candidate.  RD=1, rather than RD=0, should be present in
        the responses for all test involving the opcode
        QUERY.
      </t>

[beetle:~/DNS-Compliance-Testing] marka% ~/DNS-Compliance-Testing/genreport -Rtf
. localhost
. @::1 (localhost.): dns=ok aa=ok ad=ok cd=ok ra=ok rd=ok tc=ok zflag=ok opcode=ok opcodeflg=ok type666=ok tcp=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok docd=ok edns1do=ok ednsflags=ok optlist=ok,nsid,cookie+badcookie,subnet ednsnsid=ok,nsid ednscookie=ok,cookie+badcookie ednsexpire=ok ednssubnet=ok,subnet edns1nsid=ok edns1cookie=ok edns1expire=ok edns1subnet=ok signed=ok,yes ednstcp=ok A=ok NS=ok MD=ok MF=ok CNAME=ok SOA=ok MB=ok MG=ok MR=ok NULL=ok WKS=ok PTR=ok HINFO=ok MINFO=ok MX=ok TXT=ok RP=ok AFSDB=ok X25=ok ISDN=ok RT=ok NSAP=ok NSAP-PTR=ok SIG=ok KEY=ok PX=ok GPOS=ok AAAA=ok LOC=ok NXT=ok SRV=ok NAPTR=ok KX=ok CERT=ok A6=ok DNAME=ok APL=ok DS=ok SSHFP=ok IPSECKEY=ok RRSIG=ok NSEC=ok DNSKEY=ok DHCID=ok NSEC3=ok NSEC3PARAM=ok TLSA=ok SMIMEA=ok HIP=ok CDS=ok CDNSKEY=ok OPENPGPKEY=ok CSYNC=ok ZONEMD=ok SPF=ok NID=ok L32=ok L64=ok LP=ok EUI48=ok EUI64=ok URI=ok CAA=ok AVC=ok DOA=ok AMTRELAY=ok TA=ok DLV=ok TYPE1000=ok
. @127.0.0.1 (localhost.): dns=ok aa=ok ad=ok cd=ok ra=ok rd=ok tc=ok zflag=ok opcode=ok opcodeflg=ok type666=ok tcp=ok edns=ok edns1=ok edns@512=ok ednsopt=ok edns1opt=ok do=ok docd=ok edns1do=ok ednsflags=ok optlist=ok,nsid,cookie+badcookie,subnet ednsnsid=ok,nsid ednscookie=ok,cookie+badcookie ednsexpire=ok ednssubnet=ok,subnet edns1nsid=ok edns1cookie=ok edns1expire=ok edns1subnet=ok signed=ok,yes ednstcp=ok A=ok NS=ok MD=ok MF=ok CNAME=ok SOA=ok MB=ok MG=ok MR=ok NULL=ok WKS=ok PTR=ok HINFO=ok MINFO=ok MX=ok TXT=ok RP=ok AFSDB=ok X25=ok ISDN=ok RT=ok NSAP=ok NSAP-PTR=ok SIG=ok KEY=ok PX=ok GPOS=ok AAAA=ok LOC=ok NXT=ok SRV=ok NAPTR=ok KX=ok CERT=ok A6=ok DNAME=ok APL=ok DS=ok SSHFP=ok IPSECKEY=ok RRSIG=ok NSEC=ok DNSKEY=ok DHCID=ok NSEC3=ok NSEC3PARAM=ok TLSA=ok SMIMEA=ok HIP=ok CDS=ok CDNSKEY=ok OPENPGPKEY=ok CSYNC=ok ZONEMD=ok SPF=ok NID=ok L32=ok L64=ok LP=ok EUI48=ok EUI64=ok URI=ok CAA=ok AVC=ok DOA=ok AMTRELAY=ok TA=ok DLV=ok TYPE1000=ok
[beetle:~/DNS-Compliance-Testing] marka% 


-R set RD=1.
-t test know types
-f full test set (excludes types)

	
> I'm putting it back in Revised ID needed; please address the comments,
> or I will be forced to send it back to the WG....
> 
> W
> 
>> 2: that Section 3 is confusing, and that Matt had provided some text
>> which helps make this better --
>> https://mailarchive.ietf.org/arch/msg/dnsop/_Nq8PAVOapIVal2BS7P-jlWmnuc
>> 
>> Having reread section 3 (and Matt's suggestions) I agree with Stephane
>> on both of these - I also think that addressing these should be quite
>> easy (I don't think it requires a "restructuring"), especially as Matt
>> has provided suggested text...
>> I'd appreciate if you can address these, and SHOUT LOUDLY once you've
>> had a chance to do so (or let me know how else you'd like to handle
>> this).
>> 
>> I also think that it would be worth adding an Acknowledgements section...
>> 
>> Thanks,
>> W
>> 
>> 
>> 
>> On Thu, Dec 5, 2019 at 9:00 PM The IESG <iesg-secretary@ietf.org> wrote:
>>> 
>>> 
>>> The IESG has received a request from the Domain Name System Operations WG
>>> (dnsop) to consider the following document: - 'A Common Operational Problem
>>> in DNS Servers - Failure To Communicate.'
>>>  <draft-ietf-dnsop-no-response-issue-14.txt> as Best Current Practice
>>> 
>>> The IESG plans to make a decision in the next few weeks, and solicits final
>>> comments on this action. Please send substantive comments to the
>>> last-call@ietf.org mailing lists by 2019-12-19. Exceptionally, comments may
>>> be sent to iesg@ietf.org instead. In either case, please retain the beginning
>>> of the Subject line to allow automated sorting.
>>> 
>>> Abstract
>>> 
>>> 
>>>   The DNS is a query / response protocol.  Failing to respond to
>>>   queries, or responding incorrectly, causes both immediate operational
>>>   problems and long term problems with protocol development.
>>> 
>>>   This document identifies a number of common kinds of queries to which
>>>   some servers either fail to respond or else respond incorrectly.
>>>   This document also suggests procedures for zone operators to apply to
>>>   identify and remediate the problem.
>>> 
>>>   The document does not look at the DNS data itself, just the structure
>>>   of the responses.
>>> 
>>> 
>>> 
>>> 
>>> The file can be obtained via
>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-no-response-issue/
>>> 
>>> IESG discussion can be tracked via
>>> https://datatracker.ietf.org/doc/draft-ietf-dnsop-no-response-issue/ballot/
>>> 
>>> 
>>> No IPR declarations have been submitted directly on this I-D.
>>> 
>>> 
>>> The document contains these normative downward references.
>>> See RFC 3967 for additional information:
>>>    rfc6840: Clarifications and Implementation Notes for DNS Security (DNSSEC) (Proposed Standard - IETF stream)
>>>    rfc3225: Indicating Resolver Support of DNSSEC (Proposed Standard - IETF stream)
>>>    rfc7766: DNS Transport over TCP - Implementation Requirements (Proposed Standard - IETF stream)
>>>    rfc4035: Protocol Modifications for the DNS Security Extensions (Proposed Standard - IETF stream)
>>> 
>>> 
>>> 
>> 
>> 
>> --
>> I don't think the execution is relevant when it was obviously a bad
>> idea in the first place.
>> This is like putting rabid weasels in your pants, and later expressing
>> regret at having chosen those particular rabid weasels and that pair
>> of pants.
>>   ---maf
> 
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>   ---maf

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email