Re: [DNSOP] Asking TLD's to perform checks.

Mark Andrews <marka@isc.org> Wed, 11 November 2015 06:45 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 576D21B304A for <dnsop@ietfa.amsl.com>; Tue, 10 Nov 2015 22:45:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.611
X-Spam-Level:
X-Spam-Status: No, score=-6.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id unZfYpf3rn4S for <dnsop@ietfa.amsl.com>; Tue, 10 Nov 2015 22:45:05 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D55901B3031 for <dnsop@ietf.org>; Tue, 10 Nov 2015 22:45:04 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id 8E176349408; Wed, 11 Nov 2015 06:44:58 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 9A61116004E; Wed, 11 Nov 2015 06:45:24 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 8699A16007C; Wed, 11 Nov 2015 06:45:24 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id OCd_JCO6q02K; Wed, 11 Nov 2015 06:45:24 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id 385E016004E; Wed, 11 Nov 2015 06:45:24 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id AF2623C84B4E; Wed, 11 Nov 2015 17:44:53 +1100 (EST)
To: Patrik Fältström <paf@frobbit.se>
From: Mark Andrews <marka@isc.org>
References: <20151105235402.39FFC3BF2F29@rock.dv.isc.org> <20151110152511.6f1a1c20@pallas.home.time-travellers.org> <20151110204330.C47C63C7D699@rock.dv.isc.org> <7B4B7DEA-C705-437E-8BC1-64D96D55014E@vpnc.org> <0F2DD78A-69C4-49DA-936F-C32D0FC97CC2@rfc1035.com> <5373DDAB-1ED2-489B-AB62-BA7CF6D3DB48@frobbit.se>
In-reply-to: Your message of "Wed, 11 Nov 2015 07:25:39 +0100." <5373DDAB-1ED2-489B-AB62-BA7CF6D3DB48@frobbit.se>
Date: Wed, 11 Nov 2015 17:44:53 +1100
Message-Id: <20151111064453.AF2623C84B4E@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/LmeG5zRfHPQRxkg7dw-6g3zgB8I>
Cc: dnsop@ietf.org, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] Asking TLD's to perform checks.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2015 06:45:06 -0000

In message <5373DDAB-1ED2-489B-AB62-BA7CF6D3DB48@frobbit.se>, "Patrik Fältström" writes:
> On 10 Nov 2015, at 22:24, Jim Reid wrote:
>
> >> Or perhaps we should not.
> >
> > +1
>
> This discussion on making tests is coming back now and then. In RIPE, in
> IETF, in discussions around TLDs (specifically ccTLDs).
>
> I have run one such initiative myself.
>
> Everything has so far collapsed into collisions between tech people not
> agreeing on what is right and wrong. It also collapses into clashes
> between registry policy and the tests made. I.e. just the registration
> policy is setting blocks and constraints on what tests must be made (or
> cannot be made). And harmonization of such rules is just impossible (we
> have seen).
>
> That said, initiatives like the one I did run did push errors (for some
> definition of errors) from 22% to maybe 17% in .SE, and my inspection of
> the rest says that getting errors down to 15% is possible, but more is
> very hard.
>
> And, having a BCP or such that give suggestions on what can be viewed as
> "correct" would not be bad, but how to use it must be up to the reader.
>
> I think the IETF should be careful about writing too prescriptive text, I
> say this being one hit by "rfc compliance" people that point at old whois
> related RFCs that "require" things that are in fact illegal in Sweden.
> I.e. by being compliant with Swedish law regarding privacy, I violate a
> very old RFC and because of that I am blacklisted.
>
> So be careful.

Which is why draft-andrews-dns-no-response-issue-13 focuses on
nameserver and firewall behaviour and not data content.  I haven't
had anyone say that any of the tests listed there are wrong.

Fixing this class of error almost always means upgrading the software
to something that is actually RFC compliant.  The only thing which
tends to be user configurable is turning on/off DNS checks in the
firewall, and in reality the firewall vendor shouldn't have been
blocking what they were blocking in the first place.

Mark

>    Patrik
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
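The kind of behaviour test Mark refers to (query the server, see whether it answers at all and whether it answers correctly, without judging the zone data) can be shown in a few lines. What follows is an added example written for this page; it is not the draft's reference tool, not ISC code, and not something Mark posted. It builds a plain query, an EDNS(0) query and an EDNS query with an unknown version (1), parses the response header and OPT record, and judges the result. The expected outcomes encoded in `judge()` are my reading of RFC 6891 (FORMERR from a non-EDNS server, BADVERS with version 0 for an unknown version) and of the draft's test list, and are marked as assumptions in the code; the sample responses in `_fake_response()` are constructed, not captured from a real server.

```python
import socket
import struct

OPT = 41       # EDNS OPT pseudo-RR type (RFC 6891)
FORMERR = 1
BADVERS = 16   # extended RCODE 1 in the OPT TTL, low nibble 0


def _name_wire(qname):
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def _opt_rr(version, flags=0, rdata=b"", ext_rcode=0, udpsize=4096):
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode|version|flags
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack(">HHIH", OPT, udpsize, ttl, len(rdata)) + rdata


def build_query(qname, qtype=1, txid=0x1234, edns_version=None, edns_flags=0, edns_rdata=b""):
    """RFC 1035 query in wire format; adds an OPT RR when edns_version is given."""
    arcount = 0 if edns_version is None else 1
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = _name_wire(qname) + struct.pack(">HH", qtype, 1)
    opt = b"" if edns_version is None else _opt_rr(edns_version, edns_flags, edns_rdata)
    return header + question + opt


def _skip_name(data, off):
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def parse_response(data):
    """Header fields, with EDNS version and extended RCODE folded in from the OPT RR."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4
    edns_version, rcode = None, flags & 0x000F
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            edns_version = (ttl >> 16) & 0xFF
            rcode |= (ttl >> 24) << 4
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": rcode, "edns_version": edns_version}


def judge(test, query, response):
    """(ok, reason) for one behaviour test; response is raw bytes or None on timeout.
    Expectations are assumed from RFC 6891 and the draft's test list, not quoted from it."""
    if response is None:
        return False, "no response: the server or a firewall in front of it dropped the query"
    r = parse_response(response)
    if r["id"] != struct.unpack(">H", query[:2])[0] or not r["qr"]:
        return False, "malformed response (id mismatch or QR not set)"
    if test == "plain":
        return r["rcode"] in (0, 3), "rcode %d" % r["rcode"]
    if test == "edns0":
        if r["edns_version"] == 0 and r["rcode"] == 0:
            return True, "EDNS(0) answered with an OPT record"
        if r["edns_version"] is None and r["rcode"] == FORMERR:
            return True, "no EDNS support, but FORMERR as RFC 6891 requires"
        return False, "EDNS(0) mishandled: rcode %d, OPT version %s" % (r["rcode"], r["edns_version"])
    if test == "edns1":
        ok = r["rcode"] == BADVERS and r["edns_version"] == 0
        return ok, "want BADVERS/version 0, got rcode %d version %s" % (r["rcode"], r["edns_version"])
    raise ValueError(test)


def probe(server, qname, timeout=2.0):
    """Run the three tests over UDP against a live server (not exercised offline)."""
    tests = {"plain": build_query(qname), "edns0": build_query(qname, edns_version=0),
             "edns1": build_query(qname, edns_version=1)}
    results = {}
    for name, q in tests.items():
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(q, (server, 53))
            resp = s.recvfrom(4096)[0]
        except socket.timeout:
            resp = None
        finally:
            s.close()
        results[name] = judge(name, q, resp)
    return results


def _fake_response(query, rcode, opt_version=None, ext_rcode=0):
    """Constructed response for offline demonstration: echo the question, set QR/RD/RA."""
    qlen = _skip_name(query, 12) + 4
    arcount = 0 if opt_version is None else 1
    body = query[12:qlen] + (b"" if opt_version is None else _opt_rr(opt_version, ext_rcode=ext_rcode))
    return query[:2] + struct.pack(">HHHHH", 0x8180 | (rcode & 0xF), 1, 0, 0, arcount) + body


if __name__ == "__main__":
    q = build_query("example.com.", edns_version=1)
    print(judge("edns1", q, _fake_response(q, 0, opt_version=0, ext_rcode=1)))  # compliant
    print(judge("edns1", q, None))                                                # dropped
```

Against a live server, `probe("192.0.2.1", "example.com.")` (address is a placeholder) returns one verdict per test; a "no response" on the EDNS tests but not on the plain query is the firewall signature Mark describes, since the server itself is never consulted.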