Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

Paul Vixie, Mon, 28 December 2015 19:30 UTC


On Monday, December 28, 2015 09:43:01 AM Olafur Gudmundsson wrote:
...
> In 1999 or 2000 we started seeing LoadBalancers that returned NXDOMAIN for
> any query other than A for a name. At the time the bind-9 team argued about
> what to do, I still think that the behavior selected was the wrong one i.e.
> ignore NXDOMAIN for AAAA query and ask for A.

i agreed with you and still do. the operators consuming BIND9 didn't and still don't.

> IMHO a resolver that does not like the answers it is getting from an
> authority has full right to stop trying to find the answer and return
> SERVFAIL. I understand that operators of said resolver will get complaints
> that important cat pictures are unavailable,……

i would love it if operators would want the best long term outcome, and would tolerate short 
term pain in order to inflict tough love elsewhere in the economy. however, just as comcast 
didn't like being the only operator whose DNSSEC validation was causing not to 
resolve during a high-profile landing on some asteroid somewhere, it's also the case that no 
operator can afford to take phone calls and trouble reports from large numbers of customers 
at once.

> I think for all practical purposes this situation is a great example of the
> “Prisoner's Dilemma” as there is no way to educate the people writing the
> crap software as they are insulated by multiple layers of protection.

i agree with this analysis.

arguably, the moment we all agreed that DNSSEC's only purpose was to cause more 
resolution failures more often for more and new reasons, we ought to have said it can't be 
deployed and shouldn't be designed at all. i'm glad we did the foolish thing and kept going, 

P. Vixie