Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-extended-error and combinations of EDEs and RCODEs

Wes Hardaker <wjhns1@hardakers.net> Fri, 27 September 2019 23:43 UTC

Return-Path: <wjhns1@hardakers.net>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70CFC120072 for <dnsop@ietfa.amsl.com>; Fri, 27 Sep 2019 16:43:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sYu7P1GaD2si for <dnsop@ietfa.amsl.com>; Fri, 27 Sep 2019 16:43:31 -0700 (PDT)
Received: from mail.hardakers.net (mail.hardakers.net [168.150.192.181]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30DFB120026 for <dnsop@ietf.org>; Fri, 27 Sep 2019 16:43:31 -0700 (PDT)
Received: from localhost (unknown [128.9.16.41]) by mail.hardakers.net (Postfix) with ESMTPA id 8C3942DD7C; Fri, 27 Sep 2019 16:43:22 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Tony Finch <dot@dotat.at>
Cc: dnsop@ietf.org
References: <EA557043-34D1-43EA-B750-4A17CFC6BE50@icann.org> <ybl36h4aj8x.fsf@w7.hardakers.net> <AFE92D06-8418-4451-A827-D5656C83B796@icann.org> <yblzhjbeova.fsf@w7.hardakers.net> <067589D2-8E7E-47FA-867C-72E266A55D6D@icann.org> <CADyWQ+EB-eotvTdYwNv5Oo4=-mibdgEgpkQ3yh37orAwp-AgWg@mail.gmail.com> <ybly2yubfnp.fsf@w7.hardakers.net> <21136294-FDFD-4A99-9529-E79C45E79535@icann.org> <yblzhja9kz3.fsf@w7.hardakers.net> <3AC375B1-D858-4577-AEBE-4BB7CD40C241@icann.org> <1878161734.14716.1568306548325@appsuite-gw1.open-xchange.com> <0C5DC6B2-E9C5-46A6-B0BA-12830A405DD2@dukhovni.org> <775d97e3-65b0-832a-6118-a3c64d872539@bellis.me.uk> <F7A157E6-9773-4B6F-90C8-761D1B3CFC00@icann.org> <AACC9277-D817-4384-99D9-4F65EE809F0C@dukhovni.org> <alpine.DEB.2.20.1909132047400.5352@grey.csi.cam.ac.uk>
Date: Fri, 27 Sep 2019 16:43:21 -0700
In-Reply-To: <alpine.DEB.2.20.1909132047400.5352@grey.csi.cam.ac.uk> (Tony Finch's message of "Fri, 13 Sep 2019 21:01:33 +0100")
Message-ID: <ybl7e5tz4o6.fsf@w7.hardakers.net>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/LN0Ak8c8IDyWf_ZhTGkKPLe6rxg>
Subject: Re: [DNSOP] [Ext] Re: draft-ietf-dnsop-extended-error and combinations of EDEs and RCODEs
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2019 23:43:33 -0000

Tony Finch <dot@dotat.at>; writes:

> Some questions about the intended meanings...

Thanks Tony,

Thanks for the comments.  Responses are inline below in my tracking
notes below.

14.9 DONE Tony Finch in a sub thread to Paul
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Some questions about the intended meanings...


14.9.1 DONE 3.6.  Extended DNS Error Code 5 - DNSSEC Indeterminate
------------------------------------------------------------------

  If I remember correctly, there isn't a consistent definition of what
  "indeterminate" means. Perhaps it's worth adding a reference to the
  intended definition.

  [ actually maybe all the codes could have citations to where the error
  cases are mentioned in existing specifications, perhaps with a comment
  that the citations are not intended to be exhausive ]

  + Response: good point.  I'll use a reference to 4035.  We'll have to
    collect references for the rest...  That's a good (and painful)
    idea.


14.9.2 DONE 3.5.  Extended DNS Error Code 4 - Forged Answer
-----------------------------------------------------------

  3.16.  Extended DNS Error Code 15 - Blocked 3.17.  Extended DNS Error
  Code 16 - Censored 3.19.  Extended DNS Error Code 18 - Filtered

  I don't understand the shades of meaning that these are supposed to
  distinguish.

  wrt "filtered", the description implies vaguely RPZ flavoured
  filtering, but it mentions a REFUSED RCODE which isn't what a sensible
  implementation would use for that purpose, so I am more confused.

  3.18.  Extended DNS Error Code 17 - Prohibited

  If I understand correctly, the four above are about the qname whereas
  this is about the client? The ordering is a bit confusing.

  + Response: Those three codes were supplied in a previous comment
    round and they are supposed to indicate policies being applied from
    different sources.  Can you check the new text of them to see if
    they are more understandable now?


14.9.3 DONE 3.21.  Extended DNS Error Code 20 - Lame
----------------------------------------------------

  This needs to be split into two: server doesn't know about the zone
  queried for (typically RCODE=REFUSED), and server knows about the zone
  but it has expired (typically RCODE=SERVFAIL).

  Resolvers handling RD=0 queries typically answer from cache or would
  answer REFUSED/Prohibited, I would have thought.

  + Response: I created an "Invalid Data" error code to handle this.
    Does this work for you?


-- 
Wes Hardaker
USC/ISI