[DNSOP] Setting of the RD bit in queries in draft-ietf-dnsop-resolver-priming-06.txt
"Paul Hoffman" <paul.hoffman@vpnc.org> Fri, 22 January 2016 03:07 UTC
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7E201B36E8 for <dnsop@ietfa.amsl.com>; Thu, 21 Jan 2016 19:07:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.552
X-Spam-Level:
X-Spam-Status: No, score=0.552 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZqT1axtZsfMn for <dnsop@ietfa.amsl.com>; Thu, 21 Jan 2016 19:07:29 -0800 (PST)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 020E41B36DE for <dnsop@ietf.org>; Thu, 21 Jan 2016 19:07:28 -0800 (PST)
Received: from [192.168.114.1] (50-1-98-110.dsl.dynamic.fusionbroadband.com [50.1.98.110]) (authenticated bits=0) by hoffman.proper.com (8.15.2/8.14.9) with ESMTPSA id u0M37RWZ086501 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <dnsop@ietf.org>; Thu, 21 Jan 2016 20:07:28 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 50-1-98-110.dsl.dynamic.fusionbroadband.com [50.1.98.110] claimed to be [192.168.114.1]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: IETF DNSOP WG <dnsop@ietf.org>
Date: Thu, 21 Jan 2016 19:07:27 -0800
Message-ID: <7BCEFBC2-0F3B-466C-B1D0-BA447C15E0BD@vpnc.org>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.3r5187)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/PuenqaN_B1559WUEu057TJh_Yss>
Subject: [DNSOP] Setting of the RD bit in queries in draft-ietf-dnsop-resolver-priming-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2016 03:07:30 -0000
This is the summary of the thread about the following sentence in the section on priming queries: The RD bit MAY be set to 0 or 1, although the meaning of it being set to 1 is undefined for priming queries. There were four replies with what seems like four different takes on it. Can others in the WG weigh in so we might get consensus? --Paul Hoffman On 15 Jan 2016, at 2:50, Stephane Bortzmeyer wrote: > On Thu, Jan 14, 2016 at 11:09:36AM -0800, > Paul Hoffman <paul.hoffman@vpnc.org> wrote > a message of 34 lines which said: > >> Setting the RD bit to 1 could result in non-authoritative answers. > > Today, all root name servers are not recursive. It seems good > practice, even if I'm not sure it's formally written somewhere (I do > not find it in RFC 7720). > >> If the response to a priming query is non-authoritative, should the >> resolver reject it and try more queries? > > I would say yes, since it is supposed to be sent to authoritative > servers. > > If a name server is deprecated and replaced by a resolver, not > authoritative for the root, I tend to think that its response cannot > be trusted. On 15 Jan 2016, at 5:03, Tony Finch wrote: > Paul Hoffman <paul.hoffman@vpnc.org> wrote: >> >> If the response to a priming query is non-authoritative, should the >> resolver reject it and try more queries? Or is it OK for a priming >> response to be non-authoritative? > > If you are unlucky enough to be on a network that intercepts DNS > queries > and diverts them to a recursive server, you are likely to get RA=1 > AA=0 > answers to priming queries. Your resolver ought to soldier on as best > it > can in this situation. On 15 Jan 2016, at 5:59, Stephane Bortzmeyer wrote: > On Fri, Jan 15, 2016 at 01:03:41PM +0000, > Tony Finch <dot@dotat.at> wrote > a message of 22 lines which said: > >> If you are unlucky enough to be on a network that intercepts DNS >> queries and diverts them to a recursive server, you are likely to >> get RA=1 AA=0 answers to priming queries. Your resolver ought to >> soldier on as best it can in this situation. > > If the resolver validates with DNSSEC, it may go on in such a case. If > it doesn't, I'm tempted to say that it should give in and tell the > sysadmin that it cannot do its job properly and safely. > > At the very minimum, such problem should be escalated to the sysadmin. On 15 Jan 2016, at 9:52, Darcy Kevin (FCA) wrote: > It's not really a "normal" query, in the sense that it's not coming > from a stub resolver, typically, and the initiator wouldn't normally > assume that recursion is required to fetch the answer. > > So, in the typical case I'd expect RD=0. > > Not sure that the "although" verbiage below really adds any value, > though. If you've already declared that something is a "MAY", what's > the practical effect of then saying that its meaning is "undefined"? > Either it's allowable per the standard or it's not. >
- [DNSOP] Setting of the RD bit in queries in draft… Paul Hoffman
- Re: [DNSOP] Setting of the RD bit in queries in d… Suzanne Woolf