Re: [DNSOP] Two Resurrected WG I-Ds: Don't Switch Resolvers & Auth DNS Mistakes

Tim Wicinski <> Thu, 21 February 2019 17:43 UTC

From: Tim Wicinski <>
Date: Thu, 21 Feb 2019 12:42:49 -0500
To: "Livingood, Jason" <>
Cc: dnsop <>

Follow-up to DNSOP on a conversation the Chairs had.

I remembered Jason's earlier drafts, and him presenting, but not the
approvals, but senility is always a concern. Luckily I seem to be a
hoarder of sorts. Here is Jason's original presentation from IETF91
(Honolulu for those keeping score at home), but no official adoption.

On Wed, Feb 20, 2019 at 9:54 AM Livingood, Jason <> wrote:

> A few years ago I had somehow succeeded in getting WG adoption of 2
> documents that addressed some pet peeves I had as a recursive DNS operator.
> Things got busy and my attention wandered elsewhere and I did not advance
> them. Since these issues continue to haunt RDNS operators, I have decided
> to update these documents. The first says that DNSSEC errors (and other
> auth RR issues) are the operational responsibility of and must be solved by
> auth DNS admins. The second says that people should not change to
> non-validating resolvers when a DNSSEC failure occurs. Both are likely
> obvious to us in the WG, but not so much to anyone else. ;-)
> Just a week or so ago, Windows Update started to fail seemingly due to a
> bad delegation to a CDN from Microsoft and the TTL on the bad RR was
> long-ish (details are scant). So reporters and even Microsoft support
> started suggesting that people change their DNS resolvers. Only later did
> people figure out the problem was on Microsoft’s auth DNS end (see
> and 1st story at
> And we also see the issue of “DNSSEC validation failed, so switch to a
> non-validator” on a regular basis.
> So I just submitted these again / updated them. I have asked the WG chairs
> to let me know how they’d like me to proceed with them, but haven’t yet
> heard back. In the meantime, I’m happy to continue to once again take input
> and comment from the WG.
> Thanks!
> Jason
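The two drafts quoted above hinge on one diagnostic question: when a name fails on a validating resolver, is the data bogus at the auth side (so the zone admin must fix it) or is something else wrong? The script below is an added example, not code from either draft or from the list: it sends the same query with CD=0 and CD=1 to a resolver and classifies the pair of answers, using only the standard library. The resolver address, query id and label strings are assumptions chosen for illustration.

```python
import socket
import struct

NOERROR, SERVFAIL = 0, 2
RD, AD, CD = 0x0100, 0x0020, 0x0010  # DNS header flag bits


def build_query(qname, qtype=1, cd=False, qid=0x1234):
    """Build a minimal UDP query. AD in the query asks a validating
    resolver to report validation status; cd=True disables checking."""
    flags = RD | AD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(resp):
    """Return the header fields needed for triage (no RR parsing)."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": qid, "rcode": flags & 0xF, "ad": bool(flags & AD),
            "cd": bool(flags & CD), "ancount": an}


def classify(cd0, cd1):
    """cd0/cd1 are parse_header() results for the CD=0 and CD=1 queries."""
    if cd0["rcode"] == NOERROR:
        # No AD bit means this resolver is not validating at all, so a
        # DNSSEC problem would be invisible here rather than absent.
        return "ok" if cd0["ad"] else "ok-unvalidated"
    if cd0["rcode"] == SERVFAIL and cd1["rcode"] == NOERROR and cd1["ancount"]:
        return "bogus"        # data exists but fails validation: fix the zone
    if cd0["rcode"] == SERVFAIL and cd1["rcode"] == SERVFAIL:
        return "unreachable"  # auth servers lame or down, not a DNSSEC issue
    return "other"


def triage(qname, resolver, timeout=3.0):
    """Network path: query a validating resolver twice and classify."""
    results = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, cd=cd), (resolver, 53))
            results.append(parse_header(s.recv(4096)))
    return classify(*results)


if __name__ == "__main__":
    import sys
    print(triage(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "127.0.0.1"))
```

A "bogus" result is the evidence the first draft describes: the resolver is doing its job and the fix belongs with the auth operator, while switching users to a non-validating resolver only turns the same answer into "ok-unvalidated".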