Re: [DNSOP] draft-ietf-dnsop-refuse-any - why not NOTIMP?

Paul Vixie <paul@redbarn.org> Mon, 07 August 2017 17:34 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45B8A1328AD for <dnsop@ietfa.amsl.com>; Mon, 7 Aug 2017 10:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y5xDvGsGM_1U for <dnsop@ietfa.amsl.com>; Mon, 7 Aug 2017 10:34:23 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F63F1326E6 for <dnsop@ietf.org>; Mon, 7 Aug 2017 10:34:23 -0700 (PDT)
Received: from [IPv6:2001:559:8000:c9:ed0a:9ec7:e266:79e4] (unknown [IPv6:2001:559:8000:c9:ed0a:9ec7:e266:79e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 12C8F61FF3; Mon, 7 Aug 2017 17:34:23 +0000 (UTC)
Message-ID: <5988A49D.3070607@redbarn.org>
Date: Mon, 07 Aug 2017 10:34:21 -0700
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.16 (Windows/20170718)
MIME-Version: 1.0
To: Ray Bellis <ray@bellis.me.uk>
CC: dnsop <dnsop@ietf.org>
References: <6c97191d-9591-d7de-6e8b-ed6e460c7707@bellis.me.uk>
In-Reply-To: <6c97191d-9591-d7de-6e8b-ed6e460c7707@bellis.me.uk>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/QrxPHM1dJpWA_mRCWIesfR5rBbs>
Subject: Re: [DNSOP] draft-ietf-dnsop-refuse-any - why not NOTIMP?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Aug 2017 17:34:24 -0000


Ray Bellis wrote:
> ... returning NOTIMP for ANY queries, ...
>
> ...
>
> My reading of RFC 1035 is that it would be a perfectly appropriate
> response from a server that doesn't support ANY.

the RFC was treated as a general guideline by most implementers, and 
once the code for some client or server appeared to work, it was 
shipped. it is that code which constraints our work now, not the RFC.

> Unfortunately the retry semantics of DNS are not well specified and
> therefore implementation differences may occur. If as a result NOTIMP
> is really not usable then IMHO this should also be documented.

i think you'll find that NOTIMP causes try-next-server for many clients, 
but without poisoning, so if all servers return NOTIMP, then all those 
same servers will be tried again, without delay.

sometimes, withholding a response is the only way to keep the client out 
of this bombardment-mode. sometimes returning something poisonous like 
ANCOUNT=0 is nec'y. again, our guide today is how to get clients to do 
something constructive, ideally constructive for both them and us. it 
doesn't have to be true, and it doesn't have to be documented in an 
older RFC.

i agree that writing a new RFC whenever something like this is found to 
be necessary, and putting into that RFC more specific advice to client 
implementers so that the future might possibly improve, is a great idea.

-- P Vixie