Re: [DNSOP] Two Resurrected WG I-Ds: Don't Switch Resolvers & Auth DNS Mistakes

Tim Wicinski <tjw.ietf@gmail.com> Thu, 21 February 2019 17:43 UTC


Followup to DNSOP on a conversation the Chairs had.

I remembered Jason's earlier drafts, and him presenting, but not the
approvals, but senility is always a concern. Luckily I seem to
be a hoarder of sorts. Here is Jason's original presentation from IETF91
(Honolulu for those keeping score at home), but no
official adoption.

Tim

On Wed, Feb 20, 2019 at 9:54 AM Livingood, Jason <
Jason_Livingood@comcast.com> wrote:

> A few years ago I had somehow succeeded in getting WG adoption of 2
> documents that addressed some pet peeves I had as a recursive DNS operator.
> Things got busy and my attention wandered elsewhere and I did not advance
> them. Since these issues continue to haunt RDNS operators, I have decided
> to update these documents. The first says that DNSSEC errors (and other
> auth RR issues) are the operational responsibility of and must be solved by
> auth DNS admins. The second says that people should not change to
> non-validating resolvers when a DNSSEC failure occurs. Both are likely
> obvious to us in the WG, but not so much to anyone else. ;-)
>
> Just a week or so ago, Windows Update started to fail seemingly due to a
> bad delegation to a CDN from Microsoft and the TTL on the bad RR was
> long-ish (details are scant). So reporters and even Microsoft support
> started suggesting that people change their DNS resolvers. Only later did
> people figure out the problem was on Microsoft's auth DNS end (see
> https://www.zdnet.com/article/windows-update-problems-fixed-now-but-heres-what-went-wrong-says-microsoft/
> and 1st story at
> https://www.zdnet.com/article/windows-10-updates-are-broken-again-but-this-time-its-not-microsofts-fault/).
> And we also see the issue of "DNSSEC validation failed, so switch to a
> non-validator" on a regular basis.
>
> So I just submitted these again / updated them. I have asked the WG chairs
> to let me know how they'd like me to proceed with them, but haven't yet
> heard back. In the meantime, I'm happy to continue to once again take input
> and comment from the WG.
>
> https://datatracker.ietf.org/doc/draft-livingood-dnsop-dont-switch-resolvers/
>
> https://datatracker.ietf.org/doc/draft-livingood-dnsop-auth-dnssec-mistakes/
>
> Thanks!
> Jason
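As an added example (not from the thread or from either draft), a small Python triage helper for the situation Jason describes: it parses the header lines of two `dig` runs against the same validating resolver, one plain and one with `+cd` (checking disabled), and reports whether a SERVFAIL is a DNSSEC validation failure that the zone's authoritative admins must fix, rather than a reason to switch to a non-validating resolver. The `dig` outputs embedded below are constructed samples.

```python
"""Triage a lookup failure from dig output: DNSSEC-bogus (an auth-side
problem) or something else? Added example; both dig outputs come from
the SAME validating resolver, one plain query and one with +cd."""
import re


def parse_dig(output: str) -> dict:
    """Extract rcode and header flags from dig's ';; ->>HEADER<<-' block."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([a-z ]*);", output)
    if not status:
        raise ValueError("no dig header found")
    return {"rcode": status.group(1),
            "flags": set(flags.group(1).split()) if flags else set()}


def triage(normal: dict, cd: dict) -> str:
    """Classify what a validating resolver returned.

    normal: parsed response to the ordinary query (validation on).
    cd:     parsed response to the same query with +cd (validation off)."""
    if normal["rcode"] == "NOERROR":
        return "validated" if "ad" in normal["flags"] else "ok-unsigned"
    if normal["rcode"] == "SERVFAIL" and cd["rcode"] == "NOERROR":
        # The data exists but fails validation (bad/expired RRSIG, stale DS,
        # broken delegation). Only the zone owner can fix this; moving to a
        # non-validating resolver merely hides the error.
        return "dnssec-bogus: fix on the authoritative side"
    if normal["rcode"] == "SERVFAIL" and cd["rcode"] == "SERVFAIL":
        return "servfail-even-without-validation: not a DNSSEC problem"
    return f"other: {normal['rcode']}"


def triage_text(normal_out: str, cd_out: str) -> str:
    return triage(parse_dig(normal_out), parse_dig(cd_out))


# Constructed sample outputs, abridged to the header lines dig prints.
DIG_NORMAL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
DIG_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(triage_text(DIG_NORMAL, DIG_CD))
```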