Re: [DNSOP] Clarifying referrals (#35)

Paul Vixie <> Mon, 13 November 2017 20:14 UTC


Matthew Pounsett wrote:
> ... I have seen no similar discussion of REFUSED-generated chaos in
> recursive servers.   If someone is seeing such brokenness, they
> haven't brought it to dnsop@, or dns-operations@, or an OARC or NANOG
> meeting.  If someone is seeing such brokenness, hopefully they'll
> speak up so that we can advise the authoritative
> implementations to change their behaviour again.

are you sure they'd be here listening, and that they would even 
understand the errors they are experiencing and connect those errors to 
this protocol change?

> ... but it does seem to be the consensus among the
> authoritative implementors that REFUSED is the correct response.

are you sure they aren't just copying BIND's behaviour? do you remember 
when BIND only included one RR per message in outbound AXFR, and that 
there were some AXFR initiators that depended on this behaviour since 
they had never witnessed any other behaviour and hadn't read the spec?

and how do you know about that consensus -- or do you mean a consensus 
among those present on this mailing list who have chosen to speak up?

> ... It wouldn't be the first time that a majority of implementations
> settled on a behaviour that didn't strictly follow the specification
> because it was necessary for good inter-operation.

i have seen no discussion, here or anywhere else, about necessity, or 
good interoperation, regarding this apparent departure from the spec. 
can you include a URI where i can study further? in other words, who 
argues for this, and on what basis?

when we change a protocol on an existing signal path, we have a burden 
of do-no-harm to existing implementations who will never be changed. 
this burden is even higher when re-purposing existing signalling. if 
it's possible to have interpreted the old signal in some way, then we 
have to treat our change as "bearing a cost".

> ... Perhaps someone who was present for an implementer's internal
> discussion about replacing upward referrals could comment on the
> reasoning, and what (if any) collaboration occurred between the
> authoritative and recursive implementations at the time.

i'd hope to see not only this, but someone currently participating in 
this discussion who can explain why an upward referral is a good signal. 
no query initiator should follow such a referral, but some may, which 
i'd view as a calamity. if the goal is some initiator reaction that is 
not what they would do if they heard SERVFAIL, then what is that goal?

P Vixie