Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)
Mark Andrews <marka@isc.org> Mon, 28 December 2015 18:34 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D13D41A92AE for <dnsop@ietfa.amsl.com>; Mon, 28 Dec 2015 10:34:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.012
X-Spam-Level:
X-Spam-Status: No, score=-5.012 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id erd7KIQ-YP-r for <dnsop@ietfa.amsl.com>; Mon, 28 Dec 2015 10:34:23 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAD051A9245 for <dnsop@ietf.org>; Mon, 28 Dec 2015 10:34:22 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx.ams1.isc.org (Postfix) with ESMTPS id 374D71FCAE7; Mon, 28 Dec 2015 18:34:19 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 171BD160032; Mon, 28 Dec 2015 18:38:09 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 065D516004B; Mon, 28 Dec 2015 18:38:09 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 9ScNikzzjaF7; Mon, 28 Dec 2015 18:38:08 +0000 (UTC)
Received: from rock.dv.isc.org (c122-106-161-187.carlnfd1.nsw.optusnet.com.au [122.106.161.187]) by zmx1.isc.org (Postfix) with ESMTPSA id ADB39160032; Mon, 28 Dec 2015 18:38:08 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [127.0.0.1]) by rock.dv.isc.org (Postfix) with ESMTP id F2F653FF1F6E; Tue, 29 Dec 2015 05:34:14 +1100 (EST)
To: Olafur Gudmundsson <ogud@ogud.com>
From: Mark Andrews <marka@isc.org>
References: <20151228044020.48378.qmail@ary.lan> <A82E8E5B-4295-439D-9293-0C7C8941D863@ogud.com>
In-reply-to: Your message of "Mon, 28 Dec 2015 09:43:01 -0500." <A82E8E5B-4295-439D-9293-0C7C8941D863@ogud.com>
Date: Tue, 29 Dec 2015 05:34:14 +1100
Message-Id: <20151228183414.F2F653FF1F6E@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/OBJrO2JAZj69nSP-EcHYhPi8Tkg>
Cc: dnsop@ietf.org, John Levine <johnl@taugh.com>
Subject: Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Dec 2015 18:34:25 -0000
In message <A82E8E5B-4295-439D-9293-0C7C8941D863@ogud.com>, Olafur Gudmundsson writes: > > > On Dec 27, 2015, at 11:40 PM, John Levine <johnl@taugh.com> wrote: > > > >>> NEW > >>> For instance, some authoritative name servers embedded in load > >>> balancers reply properly to A queries but send REFUSED to NS > queries. > >>> This behaviour violates the DNS protocol (see Section ??? of RFC??, > >>> and improvements to the DNS are impeded if we accept such behaviour > >>> as normal. > >>> END > >> > >> Does anyone has an idea of the reference to use to replace the "???" > > > > Given that it doesn't seem to be a protocol violation, I'd suggest this: > > > > For instance, some authoritative name servers embedded in load > > balancers reply properly to A queries but send REFUSED to NS queries. > > This behavior causes a variety of problems, such as invalid negative > > answers, that are so severe that it is unreasonable to expect clients > > to interoperate with them reliably and so there is no point in > trying to > > work around them. > > > > R's, > > John > > > > For the longest time in the DNS world there have been different > standards of conduct for the different functional elements. > Publishers can get a away with gross misconduct, while resolvers are > expected to find the answer at all cost. > > I agree with your statement as the first step in calling out authorities > that if they are not nice there is no need to try to return the answer. > In 1999 or 2000 we started seeing LoadBalancers that returned NXDOMAIN > for any query other than A for a name. > At the time the bind-9 team argued about what to do, I still think that > the behavior selected was the wrong one i.e. ignore NXDOMAN for AAAA > query and ask for A. Named doesn't ignore the NXDOMAIN. The only type where NXDOMAIN is handled seperately is for DS. If named learns that AAAA returns NXDOMAIN the next A lookup will return NXDOMAIN. Named does treat a server as broken on a per type basis so REFUSED / SERVFAIL etc. for one type does not impact on lookupd of other types. > IMHO a resolver that does not like the answers it is getting from a > authority has full right to stop trying to find the answer and return > SERVFAIL. > I understand that operators of said resolver will get complaints that > important cat pictures are unavailable, > > I think for all practical purposes this situation is a great example of > the Prisoners Dilemma as there is no way to educate the people writing > the crap software as they are insulated by multiple layers of protection. > > Olafur > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-qna… Barry Leiba
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… Stephane Bortzmeyer
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… Tim Wicinski
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… Stephane Bortzmeyer
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… John Levine
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… Paul Wouters
- Re: [DNSOP] Refusing NS queries, was Barry Leiba'… John Levine
- Re: [DNSOP] Refusing NS queries, was Barry Leiba'… Paul Wouters
- Re: [DNSOP] Refusing NS queries, was Barry Leiba'… Shumon Huque
- Re: [DNSOP] Refusing NS queries, was Barry Leiba'… Paul Vixie
- Re: [DNSOP] Refusing NS queries, was Barry Leiba'… John Levine
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… John Levine
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… Paul Vixie
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… John R Levine
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… Olafur Gudmundsson
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… Mark Andrews
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… Paul Vixie
- Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop… Jared Mauch