Re: [DNSOP] draft-jabley-dnsop-ordered-answers

Mark Andrews <marka@isc.org> Fri, 27 November 2015 22:32 UTC

To: Ray Bellis <ray@bellis.me.uk>
From: Mark Andrews <marka@isc.org>
References: <1E5B644E-EA0D-4287-8AB5-1907EE06BE1C@hopcount.ca> <20151127122209.GA24118@sources.org> <0AA087ED-D22B-4EAE-A57B-C4ADC8EA9B53@nohats.ca> <5658652F.2080901@bellis.me.uk>
In-reply-to: Your message of "Fri, 27 Nov 2015 14:14:07 -0000." <5658652F.2080901@bellis.me.uk>
Date: Sat, 28 Nov 2015 09:32:12 +1100
Message-Id: <20151127223212.C33963DAC590@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/LAvYYvX9VnnHEXB9iU5G4GL83wo>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] draft-jabley-dnsop-ordered-answers

In message <5658652F.2080901@bellis.me.uk>, Ray Bellis writes:
> 
> 
> On 27/11/2015 13:16, Paul Wouters wrote:
> >  RFC 1122: "Be liberal in what you accept, and conservative in what you
> > send").
> > 
> > It's cute, but it will lead to interop issues. It will also make
> > debugging more annoying for humans.
> 
> See also draft-thomson-postel-was-wrong-00
> 
> <https://tools.ietf.org/html/draft-thomson-postel-was-wrong-00>
> 
> Ray

DNSSEC only says the signature should stay together with the data.
It does not specify the order of the data and the signatures as far
as I have seen.

As for being liberal in what you accept when it is out of spec,
that often causes more problems than it fixes.  It's also hard to
wind back if you want to make things more strict.

We fixed a bug which allowed us to start correctly rejecting non
"aa=1" responses and we had to start re-accepting them as high
profile servers were failing to set "aa=1" on all their servers.

Then you have Pandora.tv's DNS servers which are absolute pieces
of garbage spewing out non-compliant answers but if you start
rejecting them there is all hell to pay.  They don't do DNS or EDNS.

% dig pandora.tv ns @61.111.8.236 +noad +noedns

; <<>> DiG 9.11.0pre-alpha <<>> pandora.tv ns @61.111.8.236 +noad +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51035
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 27 extra bytes at end

;; QUESTION SECTION:
;pandora.tv.			IN	NS

;; ANSWER SECTION:
pandora.tv.		300	IN	NS	n1.pandora.tv.
pandora.tv.		300	IN	NS	n2.pandora.tv.
pandora.tv.		300	IN	NS	n5.pandora.tv.
pandora.tv.		300	IN	NS	n6.pandora.tv.
pandora.tv.		300	IN	NS	n7.pandora.tv.

;; Query time: 218 msec
;; SERVER: 61.111.8.236#53(61.111.8.236)
;; WHEN: Sat Nov 28 09:12:32 EST 2015
;; MSG SIZE  rcvd: 140

% dig pandora.tv ns @61.111.8.236 +nocookie
;; Got bad packet: FORMERR
140 bytes
8c 39 85 a0 00 01 00 05 00 00 00 01 07 70 61 6e          .9...........pan
64 6f 72 61 02 74 76 00 00 02 00 01 c0 0c 00 02          dora.tv.........
00 01 00 00 01 2c 00 05 02 6e 31 c0 0c c0 0c 00          .....,...n1.....
02 00 01 00 00 01 2c 00 05 02 6e 32 c0 0c c0 0c          ......,...n2....
00 02 00 01 00 00 01 2c 00 05 02 6e 35 c0 0c c0          .......,...n5...
0c 00 02 00 01 00 00 01 2c 00 05 02 6e 36 c0 0c          ........,...n6..
c0 0c 00 02 00 01 00 00 01 2c 00 05 02 6e 37 c0          .........,...n7.
0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00          ................
00 00 00 00 00 00 00 00 00 00 00 00                      ............
% 

Now if we just start rejecting this garbage there will be lots of
complaints but servers like this should just be wiped off the net.

Mark

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
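The strict-versus-liberal trade-off Mark describes can be made concrete by parsing the 140-byte response he pasted. The following is an added example, not code from BIND, dig or anyone in the thread: a minimal RFC 1035 wire-format reader with a `strict` switch. In strict mode it refuses the packet outright (as dig's FORMERR did; the exact check dig tripped on is not claimed here), in liberal mode it returns the five NS records and reports what it skipped. On this packet the header claims ARCOUNT=1, but the additional section is all zero bytes, so the lenient parser skips one TYPE0 record and then finds 16 unparsed bytes. The `strict`/`warnings` interface and the TYPE0 handling are this example's own design, not anything the thread specifies.

```python
"""Strict vs. liberal parsing of a DNS response on the wire (added example,
not BIND code; the packet is the 140-byte dump from the message above)."""
import struct

PANDORA_HEX = """
8c 39 85 a0 00 01 00 05 00 00 00 01 07 70 61 6e
64 6f 72 61 02 74 76 00 00 02 00 01 c0 0c 00 02
00 01 00 00 01 2c 00 05 02 6e 31 c0 0c c0 0c 00
02 00 01 00 00 01 2c 00 05 02 6e 32 c0 0c c0 0c
00 02 00 01 00 00 01 2c 00 05 02 6e 35 c0 0c c0
0c 00 02 00 01 00 00 01 2c 00 05 02 6e 36 c0 0c
c0 0c 00 02 00 01 00 00 01 2c 00 05 02 6e 37 c0
0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
"""
PANDORA_RESPONSE = bytes.fromhex("".join(PANDORA_HEX.split()))

class FormErr(ValueError):
    """Malformed message; what dig reports as FORMERR."""

def read_name(msg, off):
    """Decode a (possibly compressed) name at off -> (name, offset after it)."""
    labels, end = [], None
    while True:
        if off >= len(msg):
            raise FormErr("name runs past end of message")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer
            if off + 1 >= len(msg):
                raise FormErr("truncated compression pointer")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:                         # backwards only: no loops
                raise FormErr("forward compression pointer")
            end = off + 2 if end is None else end
            off = ptr
            continue
        if ln & 0xC0:
            raise FormErr("reserved label type")
        off += 1
        if ln == 0:
            break
        if off + ln > len(msg):
            raise FormErr("label runs past end of message")
        labels.append(msg[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)

def parse_rr(msg, off):
    """Parse one resource record; NS RDATA is decoded as a name."""
    name, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise FormErr("RR header runs past end of message")
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if off + rdlen > len(msg):
        raise FormErr("RDATA runs past end of message")
    rdata = read_name(msg, off)[0] if rtype == 2 else msg[off:off + rdlen].hex()
    return {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}, off + rdlen

def parse_message(msg, strict=True):
    """strict=True rejects TYPE0 records and trailing bytes with FormErr (the
    conservative policy); strict=False keeps what parses and lists the rest
    under 'warnings' (the liberal policy)."""
    if len(msg) < 12:
        raise FormErr("message shorter than header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    header = {"id": ident, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
              "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
              "nscount": ns, "arcount": ar}
    off, question, warnings = 12, [], []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise FormErr("question runs past end of message")
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        question.append({"name": qname, "type": qtype, "class": qclass})
        off += 4
    result = {"header": header, "question": question, "warnings": warnings}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(msg, off)
            if rr["type"] == 0:                    # TYPE0 is reserved, never valid
                if strict:
                    raise FormErr(f"TYPE0 record in {section} section")
                warnings.append(f"{section}: skipped a TYPE0 record")
                continue
            rrs.append(rr)
        result[section] = rrs
    result["trailing"] = len(msg) - off
    if result["trailing"]:
        if strict:
            raise FormErr(f"{result['trailing']} extra bytes at end of message")
        warnings.append(f"message has {result['trailing']} extra bytes at end")
    return result

if __name__ == "__main__":
    lenient = parse_message(PANDORA_RESPONSE, strict=False)
    print([rr["rdata"] for rr in lenient["answer"]], lenient["warnings"])
```

Run as-is it prints the five NS targets plus the two warnings; call `parse_message(PANDORA_RESPONSE)` with the default `strict=True` to see the rejection. The point of keeping both paths in one function is that the liberal path is the one that is hard to remove later: once a resolver has shipped code that silently swallows trailing bytes and TYPE0 records, operators of broken servers never hear about it, which is exactly the wind-back problem described above.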