[DNSOP] Re: Deployment tests for "probe.resolver.arpa"
Ben Schwartz <bemasc@meta.com> Wed, 28 May 2025 15:18 UTC
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KSXl8zVabugGWh2viv70sM7NM-0>
________________________________
From: Michael De Roover <ietf@nixmagic.com>
Sent: Friday, May 23, 2025 5:09 PM

...

> So you join the network, get some parameters from DHCP, and that includes a
> local DNS server but the gateway doesn't function for whatever reason. You
> could ask the local DNS server about names it is locally authoritative for,
> and maybe it can respond to some of them (maybe including
> probe.resolver.arpa). But what gives? It responded, not the SOA or anything
> else more conclusive on the path.

Yes, if you get an NXDOMAIN response, you (only) know that the "immediate DNS server" you are talking to is alive and reachable.

> Meanwhile if the network connectivity does work properly, and perhaps the
> local DNS server does not have this hardcoded in an RPZ or such. So it decides
> to forward that query to whatever it is configured to relay to. Where would
> that query end up?

If nothing handling the query implements the resolver.arpa Locally Served Zone (RFC 9462), it will recurse to the .arpa nameservers, which will return NXDOMAIN.

> Should other entities on the path be configured to respond
> to this query like the local resolver would've done otherwise?

Yes, that's already established by RFC 9462.

> What does that
> say about connectivity? What if it's not just Starbucks or Flixbus or whatever
> that's down, what if it's their upstream ISP being under e.g. DDoS attack?
> What meaning does their ability to serve an ISP-local request serve?

It proves connectivity between you and the DNS server that responds. It doesn't prove that this server is otherwise usable. "Usable" isn't a binary value: if that server is the recursive resolver, it may be able to resolve some names but not others due to upstream infrastructure problems.

> Don't get me wrong, I do like the idea of a vendor-neutral name -- even if
> that currently means ambiguity on where those requests would be handled. I'd
> imagine solving that to be the purpose of this here WG.

It sounds like you're imagining a "DNS traceroute" for debugging complex failures. That's something that has been discussed many times, but it's a much bigger challenge. This draft is more like a simple "DNS ping".

--Ben
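
The "DNS ping" reading described in this message, as an added example that is not part of the original post or of the draft: a client sends one query for probe.resolver.arpa and treats a matching NXDOMAIN reply as proof that the responding server is reachable, nothing more. The A query type, UDP over IPv4 on port 53, the result labels and the helper names are assumptions made for this sketch.

```python
import secrets
import socket
import struct

PROBE_NAME = "probe.resolver.arpa"  # name discussed in the thread
NXDOMAIN = 3                        # RCODE 3, "name error" (RFC 1035)

def build_query(name, txid, qtype=1):
    """Encode a one-question DNS query with RD set. qtype=1 (A) is an assumption."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def classify(query, response):
    """Interpret a probe reply as the message describes (labels are hypothetical)."""
    if response is None:
        return "no-response"        # nothing came back: server not reached
    if len(response) < len(query):
        return "malformed"
    txid, flags = struct.unpack("!HH", response[:4])
    sent_txid = struct.unpack("!H", query[:2])[0]
    # Accept only a response (QR=1) to our ID that echoes our question section.
    if (txid != sent_txid or not flags & 0x8000
            or response[12:len(query)] != query[12:]):
        return "mismatch"
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        # Reachability of the answering server only; it says nothing about
        # whether that server can resolve other names.
        return "server-reachable"
    return f"unexpected-rcode-{rcode}"  # the thread only discusses NXDOMAIN

def probe(server, timeout=2.0):
    """Send one probe to an IPv4 resolver address and classify the outcome."""
    query = build_query(PROBE_NAME, secrets.randbits(16))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
        except OSError:             # timeout, unreachable network, bad address
            data = None
    return classify(query, data)

def constructed_reply(query, rcode):
    """Constructed sample reply for offline use: QR|RD|RA plus rcode, no records."""
    return query[:2] + struct.pack("!H", 0x8180 | rcode) + query[4:]
```
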