Re: [DNSOP] draft-ietf-dnsop-refuse-any - why not NOTIMP?

Paul Vixie <> Mon, 07 August 2017 17:26 UTC

Ray Bellis wrote:
> ... returning NOTIMP for ANY queries, ...
> ...
> My reading of RFC 1035 is that it would be a perfectly appropriate
> response from a server that doesn't support ANY.

the RFC was treated as a general guideline by most implementers, and 
once the code for some client or server appeared to work, it was 
shipped. it is that code which constrains our work now, not the RFC.

> Unfortunately the retry semantics of DNS are not well specified and
> therefore implementation differences may occur.  If as a result NOTIMP
> is really not usable then IMHO this should also be documented.

i think you'll find that NOTIMP causes try-next-server for many clients, 
but without poisoning, so if all servers return NOTIMP, then all those 
same servers will be tried again, without delay.

sometimes, withholding a response is the only way to keep the client out 
of this bombardment-mode. sometimes returning something poisonous like 
ANCOUNT=0 is nec'y. again, our guide today is how to get clients to do 
something constructive, ideally constructive for both them and us. it 
doesn't have to be true, and it doesn't have to be documented in an 
older RFC.

i agree that writing a new RFC whenever something like this is found to 
be necessary, and putting into that RFC more specific advice to client 
implementers so that the future might possibly improve, is a great idea.

P Vixie
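As an added example, not part of this thread, the following Python models the retry behaviour the message describes: a toy stub resolver walks a server list, treats NOTIMP as try-next-server without remembering anything about the server, accepts a NOERROR response even when ANCOUNT=0, and has to wait out a timeout whenever a server withholds its response. The client logic is an assumption chosen to illustrate the point, not any real resolver's code; the 12-byte header layout follows RFC 1035.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1
RCODE_NOERROR, RCODE_NOTIMP, RCODE_REFUSED = 0, 4, 5
QR = 1 << 15  # "this is a response" bit in the flags word


def build_response_header(txid, rcode, ancount):
    """Build the 12-byte DNS header of a response with QDCOUNT=1 and the given RCODE/ANCOUNT."""
    flags = QR | (rcode & 0xF)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


def parse_header(wire):
    """Return id, rcode and ancount from a DNS message header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    return {"id": txid, "rcode": flags & 0xF, "ancount": an}


def model_client(servers, responder, max_rounds=3):
    """Hypothetical stub resolver (an assumption, not a real implementation).

    responder(server) returns the wire response, or None if the server withheld it.
    Returns (queries sent, timeouts endured, outcome).
    """
    sent = timeouts = 0
    for _ in range(max_rounds):
        for srv in servers:
            sent += 1
            wire = responder(srv)
            if wire is None:
                # response withheld: the client burns a full timeout before moving on
                timeouts += 1
                continue
            hdr = parse_header(wire)
            if hdr["rcode"] == RCODE_NOERROR:
                # an empty answer section is still an answer; the search stops here
                return sent, timeouts, "answered(empty)" if hdr["ancount"] == 0 else "answered"
            # NOTIMP (or REFUSED): try the next server immediately, nothing is cached,
            # so every server gets asked again on the next round ("bombardment mode")
    return sent, timeouts, "gave up"


if __name__ == "__main__":
    servers = ["ns1", "ns2", "ns3"]  # constructed server names
    print(model_client(servers, lambda s: build_response_header(1, RCODE_NOTIMP, 0)))
    print(model_client(servers, lambda s: build_response_header(1, RCODE_NOERROR, 0)))
    print(model_client(servers, lambda s: None))
```

Under this model all-NOTIMP produces nine rapid queries against three servers, an ANCOUNT=0 NOERROR reply ends the search after one query, and withholding replies turns each retry into a wait.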