Re: [DNSOP] draft-jabley-dnsop-ordered-answers
Mark Andrews <marka@isc.org> Fri, 27 November 2015 22:32 UTC
To: Ray Bellis <ray@bellis.me.uk>
From: Mark Andrews <marka@isc.org>
Date: Sat, 28 Nov 2015 09:32:12 +1100
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/LAvYYvX9VnnHEXB9iU5G4GL83wo>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-jabley-dnsop-ordered-answers
In message <5658652F.2080901@bellis.me.uk>, Ray Bellis writes:
>
>
> On 27/11/2015 13:16, Paul Wouters wrote:
> > RFC 1122: "Be liberal in what you accept, and conservative in what you
> > send").
> >
> > It's cute, but it will lead to interop issues. It will also make
> > debugging more annoying for humans.
>
> See also draft-thomson-postel-was-wrong-00
>
> <https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00>
>
> Ray

DNSSEC only says the signature should stay together with the data.
It does not specify the order of the data and the signatures as far
as I have seen.

As for being liberal in what you accept when it is out of spec,
that often causes more problems than it fixes. It's also hard to
wind back if you want to make things more strict.

We fixed a bug which allowed us to start correctly rejecting non
"aa=1" responses and we had to start re-accepting them as high
profile servers were failing to set "aa=1" on all their servers.

Then you have Pandora.tv's DNS servers which are absolute pieces
of garbage spewing out non compliant answers but if you start
rejecting them there is all hell to pay. They don't do DNS or
EDNS.

% dig pandora.tv ns @61.111.8.236 +noad +noedns

; <<>> DiG 9.11.0pre-alpha <<>> pandora.tv ns @61.111.8.236 +noad +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51035
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 27 extra bytes at end

;; QUESTION SECTION:
;pandora.tv.			IN	NS

;; ANSWER SECTION:
pandora.tv.		300	IN	NS	n1.pandora.tv.
pandora.tv.		300	IN	NS	n2.pandora.tv.
pandora.tv.		300	IN	NS	n5.pandora.tv.
pandora.tv.		300	IN	NS	n6.pandora.tv.
pandora.tv.		300	IN	NS	n7.pandora.tv.

;; Query time: 218 msec
;; SERVER: 61.111.8.236#53(61.111.8.236)
;; WHEN: Sat Nov 28 09:12:32 EST 2015
;; MSG SIZE  rcvd: 140

% dig pandora.tv ns @61.111.8.236 +nocookie
;; Got bad packet: FORMERR
140 bytes
8c 39 85 a0 00 01 00 05 00 00 00 01 07 70 61 6e         .9...........pan
64 6f 72 61 02 74 76 00 00 02 00 01 c0 0c 00 02         dora.tv.........
00 01 00 00 01 2c 00 05 02 6e 31 c0 0c c0 0c 00         .....,...n1.....
02 00 01 00 00 01 2c 00 05 02 6e 32 c0 0c c0 0c         ......,...n2....
00 02 00 01 00 00 01 2c 00 05 02 6e 35 c0 0c c0         .......,...n5...
0c 00 02 00 01 00 00 01 2c 00 05 02 6e 36 c0 0c         ........,...n6..
c0 0c 00 02 00 01 00 00 01 2c 00 05 02 6e 37 c0         .........,...n7.
0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00         ................
00 00 00 00 00 00 00 00 00 00 00 00                     ............
%

Now if we just start rejecting this garbage there will be lots of
complaints but servers like this should just be wiped off the net.

Mark

> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
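
The 140-byte reply dumped in the message above, walked record by record against its own header counts; this is an added example, not part of the original post and not BIND or dig code. The names `skip_name`, `audit` and `NO_ADDITIONAL` are made up here, and `NO_ADDITIONAL` is a constructed variant of the captured bytes.

```python
import struct

# 140-byte reply, copied from the "Got bad packet" hex dump in the message above.
PACKET = bytes.fromhex("""
8c 39 85 a0 00 01 00 05 00 00 00 01 07 70 61 6e
64 6f 72 61 02 74 76 00 00 02 00 01 c0 0c 00 02
00 01 00 00 01 2c 00 05 02 6e 31 c0 0c c0 0c 00
02 00 01 00 00 01 2c 00 05 02 6e 32 c0 0c c0 0c
00 02 00 01 00 00 01 2c 00 05 02 6e 35 c0 0c c0
0c 00 02 00 01 00 00 01 2c 00 05 02 6e 36 c0 0c
c0 0c 00 02 00 01 00 00 01 2c 00 05 02 6e 37 c0
0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
""")
# Constructed variant: ARCOUNT patched to 0, the count dig printed for the +noedns reply.
NO_ADDITIONAL = PACKET[:10] + b"\x00\x00" + PACKET[12:]

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while off < len(msg):
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length & 0xC0:
            raise ValueError("reserved label type")
        off += 1 + length
        if length == 0:             # root label ends the name
            return off
    raise ValueError("name runs past end of message")

def audit(msg):
    """Walk every record the header counts promise and report what is left over."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4           # QTYPE + QCLASS
    types = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("record header runs past end of message")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    if off > len(msg):
        raise ValueError("record data runs past end of message")
    return {"counts": (qd, an, ns, ar), "types": types,
            "parsed": off, "trailing": len(msg) - off}

print(audit(PACKET), audit(NO_ADDITIONAL))
```

With the header as captured (ARCOUNT 1), the single additional record parses as an all-zero record of type 0 and 16 zero bytes are left over; with ARCOUNT 0 the five NS records end at offset 113 and the leftover is the 27 bytes dig warned about.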