IETF Logo Mail Archive

Re: [DNSOP] Second Working Group Last Call: draft-ietf-dnsop-refuse-any

Mark Andrews <marka@isc.org> Fri, 17 March 2017 07:39 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FEF61243FE for <dnsop@ietfa.amsl.com>; Fri, 17 Mar 2017 00:39:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eNUsTcTQfrZj for <dnsop@ietfa.amsl.com>; Fri, 17 Mar 2017 00:39:25 -0700 (PDT)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B1B2120727 for <dnsop@ietf.org>; Fri, 17 Mar 2017 00:39:25 -0700 (PDT)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.ams1.isc.org (Postfix) with ESMTPS id BBDB624AE30; Fri, 17 Mar 2017 07:39:20 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 3EF7716004C; Fri, 17 Mar 2017 07:39:20 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id E9378160069; Fri, 17 Mar 2017 07:39:19 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id kNWIJwhAbSEv; Fri, 17 Mar 2017 07:39:19 +0000 (UTC)
Received: from rock.dv.isc.org (c27-253-115-14.carlnfd2.nsw.optusnet.com.au [27.253.115.14]) by zmx1.isc.org (Postfix) with ESMTPSA id 053E816004C; Fri, 17 Mar 2017 07:39:19 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 9525266FD536; Fri, 17 Mar 2017 18:39:14 +1100 (EST)
To: Doug Barton <dougb@dougbarton.us>
Cc: dnsop@ietf.org
From: Mark Andrews <marka@isc.org>
References: <CADyWQ+GSStfAiOs8R9Ob7+LVh0RAfPQ+AbbTFNuwsrKkO=EUWg@mail.gmail.com> <CAC94RYYir_5rKmW47XkUZoVCs5PUfWiKg4Cygyvw6pOzqC5mfA@mail.gmail.com> <d8f1076e-a635-7620-5e2b-0c70efe2c0cf@dougbarton.us>
In-reply-to: Your message of "Thu, 16 Mar 2017 23:54:06 -0700." <d8f1076e-a635-7620-5e2b-0c70efe2c0cf@dougbarton.us>
Date: Fri, 17 Mar 2017 18:39:14 +1100
Message-Id: <20170317073914.9525266FD536@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Nwa8kJ1QJy-36BlWwOvWAuSOk9k>
Subject: Re: [DNSOP] Second Working Group Last Call: draft-ietf-dnsop-refuse-any
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Mar 2017 07:39:27 -0000

In message <d8f1076e-a635-7620-5e2b-0c70efe2c0cf@dougbarton.us>, Doug Barton wr
ites:
> I think this is a bad idea generally, and that RRL is a better solution
> to the amplification vector issue. But since the "War on ANY" doesn't
> show signs of abating ...
>
> On 03/16/2017 09:27 PM, Richard Gibson wrote:
> > To re-raise my unaddressed points from the first Working Group Last
> Call:
> >
> >   * There is no mechanism for signaling section 4.1/ section 4.3
> >     "partial response" behavior to clients (e.g., a new OPT record EDNS
> >     header flag bit
>
> This is my chief concern. However much the purists don't like it,
> various things in the wild ask for ANY fully expecting that it means
> ALL. If something gets an ANY response that does not include the thing
> it really needs, how is it supposed to know that it needs to ask again?

Well if you are asking a recursive server there is 20+ years of
implemention history where * doesn't give all possible records,
only which is cached.  Retrying with specific types is built into
applications which use *.  They would fail too often otherwise.

So at this point we are only talking about tools that only talk
directly to authoritative servers or look at the "aa" flag to
determine if they are talking to a authoritative server.

Now, there is really only one signal that will work with old software
and that is TC=1.  New software could just use TCP by default for *.

In terms of possible signals, other than TC=1, adding a EDNS
option/flag would require relaxing ban on adding a OPT record to a
non EDNS query.  One could use the last DNS header bit.

> <http://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-p
> arameters-13>).
> >   * Insisting that the HINFO OS field SHOULD be empty ("set to the null
> >     string") seems a little too strong; there's room in it for-and value
> >     from-a short explanation (e.g., as can be observed
> >     today: dns.cloudflare.com
> >     <http://dns.cloudflare.com>. 3789INHINFO"Please stop asking for ANY"
> >     "See draft-ietf-dnsop-refuse-any"). I'd prefer text like "The OS
> >     field of the HINFO RDATA SHOULD be short to minimize the size
> >     of the response, and MAY be empty or MAY include a summarized
> >     description of local policy."
>
> Agreed. I'd rather see this flipped, with auth servers encouraged to
> include a brief explanation, or even a URL that explains the issue.
>
> >   * "ANY does not mean ALL" is misleading-RFC 1035
> >     <https://tools.ietf.org/html/rfc1035#section-3.2.3> is clear about
> >     QTYPE=255 being "a request for *all* records" (emphasis mine). That
> >     said, the proposed /response/ behavior is consistent with that RFC.
>
> That may be true technically, but I doubt anyone but a serious DNS RFC
> purist would understand, or agree with that distinction.
>
> Personally I have a lot of sympathy for the school of thought that says
> to send nothing back but the TC bit, and force the requestor to
> reconnect with TCP. But the "War on TCP" doesn't show any signs of
> abating either ...

Or TC once the answer exceeds a threshold.

> Doug
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email