Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

Mark Andrews <marka@isc.org> Mon, 28 December 2015 18:34 UTC

To: Olafur Gudmundsson <ogud@ogud.com>
From: Mark Andrews <marka@isc.org>
References: <20151228044020.48378.qmail@ary.lan> <A82E8E5B-4295-439D-9293-0C7C8941D863@ogud.com>
In-reply-to: Your message of "Mon, 28 Dec 2015 09:43:01 -0500." <A82E8E5B-4295-439D-9293-0C7C8941D863@ogud.com>
Date: Tue, 29 Dec 2015 05:34:14 +1100
Message-Id: <20151228183414.F2F653FF1F6E@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/OBJrO2JAZj69nSP-EcHYhPi8Tkg>
Cc: dnsop@ietf.org, John Levine <johnl@taugh.com>
Subject: Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

In message <A82E8E5B-4295-439D-9293-0C7C8941D863@ogud.com>, Olafur Gudmundsson writes:
>
> > On Dec 27, 2015, at 11:40 PM, John Levine <johnl@taugh.com> wrote:
> >
> >>> NEW
> >>>   For instance, some authoritative name servers embedded in load
> >>>   balancers reply properly to A queries but send REFUSED to NS queries.
> >>>   This behaviour violates the DNS protocol (see Section ??? of RFC??,
> >>>   and improvements to the DNS are impeded if we accept such behaviour
> >>>   as normal.
> >>> END
> >>
> >> Does anyone have an idea of the reference to use to replace the "???"
> >
> > Given that it doesn't seem to be a protocol violation, I'd suggest this:
> >
> >    For instance, some authoritative name servers embedded in load
> >    balancers reply properly to A queries but send REFUSED to NS queries.
> >    This behavior causes a variety of problems, such as invalid negative
> >    answers, that are so severe that it is unreasonable to expect clients
> >    to interoperate with them reliably and so there is no point in
> >    trying to work around them.
> >
> > R's,
> > John
> >
>
> For the longest time in the DNS world there have been different
> standards of conduct for the different functional elements.
> Publishers can get away with gross misconduct, while resolvers are
> expected to find the answer at all cost.
>
> I agree with your statement as the first step in calling out authorities:
> if they are not nice there is no need to try to return the answer.
> In 1999 or 2000 we started seeing LoadBalancers that returned NXDOMAIN
> for any query other than A for a name.
> At the time the bind-9 team argued about what to do; I still think that
> the behavior selected was the wrong one, i.e. ignore NXDOMAIN for AAAA
> query and ask for A.

Named doesn't ignore the NXDOMAIN.  The only type where NXDOMAIN
is handled separately is DS.  If named learns that AAAA returns
NXDOMAIN, the next A lookup will return NXDOMAIN.

Named does treat a server as broken on a per-type basis, so REFUSED /
SERVFAIL etc. for one type does not impact lookups of other types.

> IMHO a resolver that does not like the answers it is getting from an
> authority has full right to stop trying to find the answer and return
> SERVFAIL.
> I understand that operators of said resolver will get complaints that
> important cat pictures are unavailable.
>
> I think for all practical purposes this situation is a great example of
> the Prisoner's Dilemma, as there is no way to educate the people writing
> the crap software as they are insulated by multiple layers of protection.
>
> Olafur

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
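As an added illustration (not code from this thread, and not BIND/ISC code), the following Python toy model encodes the two resolver rules Mark's reply states, run against a constructed authoritative server that misbehaves the way the thread describes (A answered, NS refused, every other type NXDOMAIN). Rule one: NXDOMAIN is remembered per name, so an A lookup after an AAAA NXDOMAIN is answered NXDOMAIN from cache without another query (DS, the exception he mentions, is modelled simply by not letting a DS NXDOMAIN mark the name; that modelling is an assumption). Rule two: REFUSED/SERVFAIL mark the server as broken only for the queried type, so A lookups keep working after NS is refused. The zone data, names and class/function names are all constructed for this example.

```python
"""Toy model (constructed example, not BIND code) of two resolver rules:
NXDOMAIN is remembered per name; REFUSED/SERVFAIL are remembered per type."""
from typing import Dict, Optional, Set, Tuple

NOERROR, NXDOMAIN, REFUSED, SERVFAIL = "NOERROR", "NXDOMAIN", "REFUSED", "SERVFAIL"


class BrokenLoadBalancer:
    """Constructed authoritative server mimicking the misbehaviour in the thread:
    A queries are answered, NS queries get REFUSED, any other type (AAAA, MX, ...)
    gets NXDOMAIN even though the name exists."""

    def __init__(self, zone: Dict[str, str]) -> None:
        self.zone = zone  # name -> IPv4 address (constructed data)

    def query(self, name: str, qtype: str) -> Tuple[str, Optional[str]]:
        if name not in self.zone:
            return NXDOMAIN, None          # the only NXDOMAIN that is actually correct
        if qtype == "A":
            return NOERROR, self.zone[name]
        if qtype == "NS":
            return REFUSED, None           # "send REFUSED to NS queries"
        return NXDOMAIN, None              # "NXDOMAIN for any query other than A"


class Resolver:
    """Minimal caching resolver applying the two rules described in the reply."""

    def __init__(self, server: BrokenLoadBalancer) -> None:
        self.server = server
        self.nxdomain_names: Set[str] = set()           # negative cache, keyed per name
        self.positive: Dict[Tuple[str, str], str] = {}  # positive cache, per (name, type)
        self.broken_types: Set[str] = set()             # types this server failed on
        self.queries_sent = 0

    def lookup(self, name: str, qtype: str) -> Tuple[str, Optional[str], str]:
        """Return (rcode, data, source); source records whether the network was used."""
        if name in self.nxdomain_names:
            # NXDOMAIN means the name does not exist, so it applies to every type.
            return NXDOMAIN, None, "cache"
        if (name, qtype) in self.positive:
            return NOERROR, self.positive[(name, qtype)], "cache"
        if qtype in self.broken_types:
            # Server already failed for this type; other types are unaffected.
            return SERVFAIL, None, "broken-server"
        self.queries_sent += 1
        rcode, data = self.server.query(name, qtype)
        if rcode == NXDOMAIN and qtype != "DS":
            # DS is the one type the reply says is handled separately; modelled
            # here (assumption) by not letting a DS NXDOMAIN mark the whole name.
            self.nxdomain_names.add(name)
        elif rcode == NOERROR and data is not None:
            self.positive[(name, qtype)] = data
        elif rcode in (REFUSED, SERVFAIL):
            self.broken_types.add(qtype)
        return rcode, data, "network"


ZONE = {"www.example.test.": "192.0.2.10"}  # constructed sample zone


def refused_is_per_type() -> dict:
    """NS gets REFUSED, yet A still resolves; the next NS query is answered locally."""
    r = Resolver(BrokenLoadBalancer(ZONE))
    return {
        "ns": r.lookup("www.example.test.", "NS"),
        "a": r.lookup("www.example.test.", "A"),
        "ns_again": r.lookup("www.example.test.", "NS"),
        "queries_sent": r.queries_sent,
    }


def nxdomain_is_per_name() -> dict:
    """AAAA gets a bogus NXDOMAIN; the following A lookup is NXDOMAIN from cache."""
    r = Resolver(BrokenLoadBalancer(ZONE))
    return {
        "aaaa": r.lookup("www.example.test.", "AAAA"),
        "a": r.lookup("www.example.test.", "A"),
        "queries_sent": r.queries_sent,
    }


if __name__ == "__main__":
    for fn in (refused_is_per_type, nxdomain_is_per_name):
        print(fn.__name__)
        for key, value in fn().items():
            print(f"  {key}: {value}")
```

The second scenario is the operational point of the thread: a load balancer that answers NXDOMAIN for AAAA does not merely lose IPv6, it makes a correct negative-caching resolver deny the name entirely, which is why the draft text singles this behaviour out rather than asking resolvers to work around it.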