Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt

Warren Kumari <warren@kumari.net> Thu, 14 February 2019 20:34 UTC

Return-Path: <warren@kumari.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A119E12EB11 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 12:34:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUWbx_SMHjX5 for <dnsop@ietfa.amsl.com>; Thu, 14 Feb 2019 12:34:02 -0800 (PST)
Received: from mail-wr1-x430.google.com (mail-wr1-x430.google.com [IPv6:2a00:1450:4864:20::430]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEB6112D4F2 for <dnsop@ietf.org>; Thu, 14 Feb 2019 12:34:01 -0800 (PST)
Received: by mail-wr1-x430.google.com with SMTP id q18so7944259wrx.9 for <dnsop@ietf.org>; Thu, 14 Feb 2019 12:34:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=11FqZ3FftpOwU0X/yVktiodSm0jAP121PB6NVSDkJGg=; b=nP/4M9S1/2BCDlmuvCjZjaNwR9OZF+8psKday4RqBRhS3CJfKwmSFsjU/qjP+y3JgR +7Oi+7FOH8mXO0NhmJffGFIo6P1/dfiWarIb9lZZaGdine61f/JCEZrPyhPVHoEETkDa mcbxtYzpbkwvZtCZ8ASMwOfpRDkNIo4nHWGhc8fCoDVO3+YtOqzS4+xrO0fdSFohyxbc m2tn6uGlOWiPt+iVexAgOiN+hPrB4bxCWmF6UUm+SYXTzbiGim2R0zEZCXq2UUacqWAh Tlcv4u5HyFFIRUWJRvoMR9sY+vUBtAjozgkmUpJ/ZNV4u1T0B5Umf+Eck7Ts1/Er/Dvn Fxtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=11FqZ3FftpOwU0X/yVktiodSm0jAP121PB6NVSDkJGg=; b=NGh0zAMSpgQ6NiNWc9kcE85X3cO8De47U3ozlRP5jNVc4cRe4r1/d/glsw/OPKiuIC 4uOggLXA0oBdQzN+DpD7iZA1NZ8mvIomcIkYZH2wrXLASltkhOHjrfGOqOdBJ3nWmLn5 Oyuc2gcV0ee/N/06GTLPdf2V/9yXY8AJZB877y0nG94XqTaGqICorgYM7cFvqtIY94Hw kecoiWVz+ssCWp27HrlpH3G+YSXhXbWIai60FOOK1LHti5q/wfEJVJvo23/xI8T9qGQH ngOaG6PNzOU9t+jSt13uRQtjXbYh7+k7xbH37064gmTvFoiagq6TKeYGwiT1nnnpjZs2 vIbg==
X-Gm-Message-State: AHQUAubQ/MTHmQhgVUXrfra3JMl/XBnNKU8i4WsdeLYtMJotvknlHeIZ BGoKQcyVsgXvhVYy6GyKzBCflRbpv0c3Y2AueY4zMw==
X-Google-Smtp-Source: AHgI3IaqpzYDVVzs/h1Twcz/wO48zJwJMZLmynb0YgVBd4gjqcfhyjNE0G983nrVitSgs1pKrvtBdv2z7Y4zQI3zSvo=
X-Received: by 2002:a05:6000:10cf:: with SMTP id b15mr4317523wrx.32.1550176439632; Thu, 14 Feb 2019 12:33:59 -0800 (PST)
MIME-Version: 1.0
References: <154689301066.32204.17312124670782800354@ietfa.amsl.com> <20190214195125.nwbazwpk3rgrgxkf@sources.org>
In-Reply-To: <20190214195125.nwbazwpk3rgrgxkf@sources.org>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 14 Feb 2019 15:33:23 -0500
Message-ID: <CAHw9_iLeAwU8gskbhyd7OMPYEY68eCDocB9k6ezjUxYj=_WHRg@mail.gmail.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000061fe10581e09411"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/KzCyusG39d91uBnCDzYv2Y6WMHA>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2019 20:34:06 -0000

On Thu, Feb 14, 2019 at 2:53 PM Stephane Bortzmeyer <bortzmeyer@nic.fr>
wrote:

> On Mon, Jan 07, 2019 at 12:30:10PM -0800,
>  internet-drafts@ietf.org <internet-drafts@ietf.org> wrote
>  a message of 44 lines which said:
>
> >         Title           : Extended DNS Errors
> >         Authors         : Warren Kumari
> >                           Evan Hunt
> >                           Roy Arends
> >                           Wes Hardaker
> >                           David C Lawrence
> >       Filename        : draft-ietf-dnsop-extended-error-04.txt
>
> Some remarks but before, note I think that it is very important that
> we have a way to report more detailed error causes. One of the biggest
> problems of DNSSEC is that there is no easy way for the resolver to
> report to the application about a DNSSEC problem. So, the work on this
> draft is essential.
>
>
Thank you, I / we certainly think so.



> Now, the problems:
>
> It seems to me that this draft is mostly for resolvers, most planned
> extended codes are useless for authoritative servers (except may be
> REFUSED/Lame?).
>
> I suggest to make that clear in the introduction:
>
> These extended error codes are specially useful for resolvers, to
> return to stub resolvers or to downstream resolvers. Authoritative
> servers MAY use them but most error codes would make no sense for
> them.
>

Yup, at the moment the majority of these are resolver errors - I don't
think we necessarily expected / thought that through when starting this.
I'm guessing that the majority of these will be resolver errors on the
future as well, but how about:
"The majority of these extended error codes are primarily useful for
resolvers, to
return to stub resolvers or to downstream resolvers. Authoritative
servers may also use this technique to annotate errors (for example,
REFUSED), but as of publication there are not as many of these defined"
or something?


>
> > Unless a protective transport mechanism (like TSIG [RFC2845] or TLS
> > [RFC8094])
>
> Why 8094, which does not have even one implementation, instead of
> 7858?
>

I believe that that was an oversight / error.


>
> > 4.2.3.  SERVFAIL Extended DNS Error Code 3 - Signature Expired
> >
> >   The resolver attempted to perform DNSSEC validation, but the
> >   signature was expired.
>
> I suggest to replace "the signature was expired" by "a signature in
> the validation chain was expired".
>
> Rationale: which signature? What if a DS at the parent is sign with an
> expired signature?
>
>
LGTM.



> > 4.2.5.  SERVFAIL Extended DNS Error Code 5 - DNSKEY missing
> >
> >   A DS record existed at a parent, but no DNSKEY record could be found
> >   for the child.
>
> I suggest to replace "no DNSKEY record could be found for the child"
> by "no DNSKEY record for this specific key could be found for the
> child".
>
>
LGTM.


> Rationale : the current text seems to imply this code is only when
> there is no DNSKEY at all.
>
> > 4.4.1.  NXDOMAIN Extended DNS Error Code 1 - Blocked
> >
> >   The resolver attempted to perfom a DNS query but the domain is
> >   blacklisted due to a security policy.  The R flag should not be set.
>
> The last sentence is touchy. If a stub is configured with two
> resolvers, and one is fast but known for lying in some cases that you
> disagree with, you may ask a cookie from the other parent (no, resolver).
>

Yup. The R flag is entirely, 100% simply a hint - you are perfectly allowed
to ignore it, and in this case, you may want to (keep reading!)
So, why bother having the flag at all? Primarily it exists so that, if an
implementation gets an extended error code which it doesn't understand (e.g
42), it can choose to take the hint, or not.
If an implementation *does* understand the code, it can decide it knows
better.

Now, in this particular case, I think you are right - unless anyone
objects, I'm a gonna flip that to "the R flag should be set".



>
> > 4.4.1.  NXDOMAIN Extended DNS Error Code 1 - Blocked
> >
> >   The resolver attempted to perfom a DNS query but the domain is
> >   blacklisted due to a security policy.
>
> I tend to think it would be a good idea to separate the case where the
> policy was decided by the resolver and the case where the policy came
> from outside, typically from the local law (see RFC 7725 for a similar
> case with HTTP).
>
> Rationale: in the first case (local policy of the resolver), the user
> may be interested in talking with the resolver admin if he or she
> disagrees with the blocking. In the second case, this would be useless.
>
> Otherwise, I suggest to add an error code:
>
> NOERROR Extended DNS Error Code 3 - Forged answer
>
>    For policy reasons (legal obligation, or malware filtering, for
>    instance), an answer was forged.  The R flag should not be set.
>
> Rationale: there is "NXDOMAIN Extended DNS Error Code 1 - Blocked" but
> policy-aware resolvers (lying resolvers, in plain english) do not
> always forge NXDOMAIN, they can also forge A or AAAA answers.
>
> See also the issue just before, about the need to differentiate
> resolver policy from "upper" policy, law, for instance.
>

Errr... I like the idea / concept, but I'd really like to avoid the word
"Forged" -- while you and I (and probably almost everyone else on the list)
would agree that this is forged, I think that the pejorative nature of the
word would make it that people are forced to forge answers might not be
allowed to tag it as such.
Can anying think of a better word? I was hoping to find something in the
HTTP 451 Error Code page - https://en.wikipedia.org/wiki/HTTP_451, but no
luck.
Fictional answer? Alternative fact? Supposititious answer?

Thank you for your comments and text,
W



>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf