Re: [DNSOP] About draft-ietf-dnsop-extended-error
Shane Kerr <shane@time-travellers.org> Tue, 14 November 2017 07:56 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/IoY89wvX2oo0GmZGI08z044JZns>
Viktor,

Viktor Dukhovni:
> On Mon, Nov 13, 2017 at 06:02:11PM -0800, Wes Hardaker wrote:
>
>> Tony Finch <dot@dotat.at> writes:
>>
>>>> It can be argued that NODATA (pseudo rcode, I know) is an "error" as
>>>> well as NXDOMAIN...
>>>
>>> Or, neither of them are errors :-)
>>
>> We'll remove the restriction in any wording that says it can only be for
>> errors. I think there is clear consensus to do so.
>
> For the record, I'm with Tony, neither NODATA nor NXDomain are DNS
> lookup errors. Lack of answers may (or may not) lead to
> application-level errors depending on whether the data sought was
> functionally essential, but either way the DNS lookup was successful,
> and returned the status of the requested RRset.
>
> This is, for example, important with opportunistic DANE TLS, where
> actual lookup errors are potential downgrade attacks, but NODATA
> and NXDomain are not lookup errors.
>
> And indeed unlike actual errors, there is nothing one could possibly
> add in the form of extended "error" diagnostics when returning a NODATA
> or NXDomain response; these non-error conditions don't require any
> additional context to aid problem resolution.

Be careful when you say "nothing ... possibly". ;)

For example, you could have something like:

RCODE: SUCCESS (NODATA)
Extended code: ERRBLACKLIST
Explanation: "Client blacklisted for IPv6 queries"

This could be helpful for a user or operator.

(Of course, it also hints that being able to add arbitrary text to an
error may be useful, as including a URL with more information in the
response might provide further insight. But perhaps having Google is
enough that this is not necessary?)

Cheers,

--
Shane
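The exchange above turns on two separable things: whether a lookup succeeded (Viktor's point that NODATA and NXDOMAIN are successful lookups, unlike the real errors a DANE client must fail closed on) and whether extra diagnostics can ride along anyway (Shane's NODATA-plus-explanation example). The following is an added example, written for this archive page and not code from the thread or from the draft; it assumes the EDE wire format that the draft was later published with in RFC 8914 (EDNS0 option code 15, a 16-bit INFO-CODE followed by UTF-8 EXTRA-TEXT). The info code `INFO_CODE_EXAMPLE_BLACKLIST`, the `Response` container and all sample values are constructed for illustration; real info codes come from the IANA registry.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# EDNS0 option code for Extended DNS Error (EDE), assigned by RFC 8914
# (the published form of the draft discussed in the thread).
EDNS_OPTION_EDE = 15

# Standard DNS RCODE values (RFC 1035 / RFC 6895).
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
RCODE_NXDOMAIN = 3

# Constructed info code standing in for the thread's hypothetical
# "ERRBLACKLIST"; real values come from the IANA EDE code registry.
INFO_CODE_EXAMPLE_BLACKLIST = 0xC000


def encode_ede(info_code: int, extra_text: str = "") -> bytes:
    """Build one EDE option: OPTION-CODE, OPTION-LENGTH, INFO-CODE, EXTRA-TEXT (UTF-8)."""
    if not 0 <= info_code <= 0xFFFF:
        raise ValueError("INFO-CODE must fit in 16 bits")
    body = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDNS_OPTION_EDE, len(body)) + body


def parse_edns_options(rdata: bytes) -> List[Tuple[int, bytes]]:
    """Split OPT RR RDATA into (option-code, option-data) pairs.

    A malformed length is rejected rather than silently truncated, so a
    resolver client never acts on half an option.
    """
    options = []
    pos = 0
    while pos < len(rdata):
        if len(rdata) - pos < 4:
            raise ValueError("truncated EDNS option header")
        code, length = struct.unpack("!HH", rdata[pos:pos + 4])
        pos += 4
        if len(rdata) - pos < length:
            raise ValueError("EDNS option length exceeds RDATA")
        options.append((code, rdata[pos:pos + length]))
        pos += length
    return options


def decode_ede(option_data: bytes) -> Tuple[int, str]:
    """Decode an EDE option body into (info_code, extra_text)."""
    if len(option_data) < 2:
        raise ValueError("EDE option shorter than its 16-bit INFO-CODE")
    (info_code,) = struct.unpack("!H", option_data[:2])
    # EXTRA-TEXT is advisory; invalid UTF-8 must not abort processing.
    return info_code, option_data[2:].decode("utf-8", errors="replace")


@dataclass
class Response:
    """Constructed stand-in for the parts of a DNS response this example needs."""
    rcode: int
    answer_count: int
    opt_rdata: bytes = b""


def classify_response(resp: Response) -> dict:
    """Separate lookup outcome from diagnostics, as argued in the thread.

    NOERROR (with or without answers, i.e. NODATA) and NXDOMAIN are successful
    lookups that report the RRset's status; any other RCODE is a lookup error,
    which a DANE-style client treats as failure rather than as a negative
    answer. EDE options are surfaced for logging in either case.
    """
    if resp.rcode == RCODE_NOERROR:
        status, lookup_ok = ("NODATA" if resp.answer_count == 0 else "NOERROR"), True
    elif resp.rcode == RCODE_NXDOMAIN:
        status, lookup_ok = "NXDOMAIN", True
    else:
        status, lookup_ok = "LOOKUP_ERROR", False
    diagnostics = [decode_ede(data)
                   for code, data in parse_edns_options(resp.opt_rdata)
                   if code == EDNS_OPTION_EDE]
    return {"status": status, "lookup_ok": lookup_ok, "ede": diagnostics}


if __name__ == "__main__":
    # Constructed NODATA response carrying the hypothetical diagnostic text.
    nodata = Response(RCODE_NOERROR, 0,
                      encode_ede(INFO_CODE_EXAMPLE_BLACKLIST,
                                 "Client blacklisted for IPv6 queries"))
    print(classify_response(nodata))
    # A real lookup error: no diagnostics, and lookup_ok is False.
    print(classify_response(Response(RCODE_SERVFAIL, 0)))
```

The split between `lookup_ok` and `ede` is the point: the diagnostic text changes what an operator sees in a log, not what the client decides, so a NODATA response stays a successful lookup whether or not an EDE option is attached, and a SERVFAIL stays a lookup error whether or not it explains itself.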