IETF Logo Mail Archive

Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-05.txt

Roy Arends <roy@dnss.ec> Mon, 14 August 2023 22:26 UTC

Return-Path: <roy@dnss.ec>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A272C1595FE for <dnsop@ietfa.amsl.com>; Mon, 14 Aug 2023 15:26:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dnss.ec
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UuN07E3Edysc for <dnsop@ietfa.amsl.com>; Mon, 14 Aug 2023 15:26:35 -0700 (PDT)
Received: from mail-qt1-x836.google.com (mail-qt1-x836.google.com [IPv6:2607:f8b0:4864:20::836]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 796D6C15106E for <dnsop@ietf.org>; Mon, 14 Aug 2023 15:26:34 -0700 (PDT)
Received: by mail-qt1-x836.google.com with SMTP id d75a77b69052e-40ffb4476d8so28283011cf.2 for <dnsop@ietf.org>; Mon, 14 Aug 2023 15:26:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dnss.ec; s=google; t=1692051993; x=1692656793; h=to:references:message-id:content-transfer-encoding:date:in-reply-to :from:subject:mime-version:from:to:cc:subject:date:message-id :reply-to; bh=AQLNhqc1emntxaANwtkJirPSZuGWhqlmkLOWz1dhKes=; b=MQnOwwSHFNVPtnz+N95AdUiayYj9slIGkyAb8hPTq+oA9UFX15Zd5bnroKIf++tK9t 68kYYRDbaF2uw+/wjQW0STPNXiR+HFmV8HkyxD/K+QiFXMTEvh8JBfKWEgAr93NBaj/q 1sdLdZnJ1eAFzecGI6pFbWVcpjqwysRwlG1ws=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692051993; x=1692656793; h=to:references:message-id:content-transfer-encoding:date:in-reply-to :from:subject:mime-version:x-gm-message-state:from:to:cc:subject :date:message-id:reply-to; bh=AQLNhqc1emntxaANwtkJirPSZuGWhqlmkLOWz1dhKes=; b=JLWm4ASGyLtCHr134dGCwA6K8+RWqcfDk4YDtNji+kvzpVpkGLn4mCmbstnrQ6MrSD Sl3UuPLVvaG1TNioe8/ukP0YuL2xmW8w/JNqAgtCaiK4ZubS2HtxgEuaTuDE4z984EKJ B63NF5rEBM1YHlxhxpr/NidKCD13jIW7HcwEQCy/XVxMNBFA84soGMs8wRuAP/Nehe+k HehQWX8TJ5r4B3tmeVplbPAy51CrHptFAbLHs0I08ivzU4/2NDdS+74unkYKvkAUifAX OQijirIJeY9NolVcbnrm4+5HHmx+EzZxoWsmhMBjXrQ0WsyQL8Ro8ysULHkWqDnxRgIP 0wGg==
X-Gm-Message-State: AOJu0Yzs7WtZJrhYmtyOBjyT0MXs2DsBar3LCEr/0yAOJYUjqGAog5Do p04cDFeXT0/jZWQBIh6tRCaTDM3VyvLA8SMJwvs=
X-Google-Smtp-Source: AGHT+IGecp+4SgnuHEdq0JeshGEO8RV0WPXF/e1mjSDmlUwKzoDYx666Dk84fBlVm/b0JbA12B2TSA==
X-Received: by 2002:ac8:5850:0:b0:40e:f3da:507f with SMTP id h16-20020ac85850000000b0040ef3da507fmr16184364qth.11.1692051992881; Mon, 14 Aug 2023 15:26:32 -0700 (PDT)
Received: from smtpclient.apple ([89.33.15.144]) by smtp.gmail.com with ESMTPSA id m12-20020ae9e00c000000b0076ccf1a0da3sm3346355qkk.75.2023.08.14.15.26.31 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 14 Aug 2023 15:26:32 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
From: Roy Arends <roy@dnss.ec>
In-Reply-To: <ZKyeLXqCqJVrJnv5@straasha.imrryr.org>
Date: Mon, 14 Aug 2023 23:26:18 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <05ECC93E-9EB9-406C-BCDF-2B8AB1287177@dnss.ec>
References: <ZKyeLXqCqJVrJnv5@straasha.imrryr.org>
To: dnsop@ietf.org
X-Mailer: Apple Mail (2.3731.600.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/RhYPJI9pmUXGWzS6FXGfIUEXElg>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2023 22:26:40 -0000

Viktor,

> On 11 Jul 2023, at 01:11, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> 
> On Mon, Jul 10, 2023 at 03:48:34PM -0700, internet-drafts@ietf.org wrote:
> 
>> A New Internet-Draft is available from the on-line Internet-Drafts
>> directories. This Internet-Draft is a work item of the Domain Name
>> System Operations (DNSOP) WG of the IETF.
>> 
>>   Title           : DNS Error Reporting
>>   Authors         : Roy Arends
>>                     Matt Larson
>>   Filename        : draft-ietf-dnsop-dns-error-reporting-05.txt
>>   Pages           : 11
>>   Date            : 2023-07-10
> 
> Some comments on on the -05 update.
> 
> * Spelling:  s/unsollicited/unsolicited/

Ack. Will fix.

> 
> * Substance: The new text suggests using TCP **and** cookies:
> 
>       Resolvers that send error reports SHOULD send these over TCP
>       [RFC7766] and SHOULD use DNS COOKIEs [RFC7873].  This makes it
>       hard to falsify the source address.  The monitoring agent SHOULD
>       respond to queries received over UDP with the truncation bit (TC
>       bit) set to challenge the resolver to re-query over TCP.
> 
>    I don't believe it is at all common to combine TCP with cookies,
>    typically cookies are used over UDP, with fallback to TCP (sans
>    cookies) if the server's cookie is missing or invalid.
> 
>    So above should be "either TCP **or** COOKIES".  If error reports are
>    infrequent no recent cookies will be cached for the monitoring agent,
>    and obtaining a cookie will require a round trip.  So perhaps simplest
>    to just use TCP.

Will fix.

> I don't yet see any text about rate-limiting of reports beyond per
> qname/qtype/info-code caching.  And yet the resolver has significant
> additional context:
> 
>    - The IP address of the problem nameserver.
> 
>        * It can rate-limit the frequency of reports per nameserver IP.
> 
>    - The server zone.
> 
>        * It can rate-limit the frequency of reports per zone.
> 
> The per IP limit can be significantly more "generous", than the per-zone
> limit, because some nameservers serve O(1M) zones, of which a few
> thousand might exhibit a problem, while the server's overall health is
> fine.  Reports for many different qnames in the same zone are likely
> to be substantially redundant.

If the resolver has rate-limiting features, it should apply them to these queries as well, and not ring fence these queries as special. I am not willing to over-specify the resolver behaviour for this. 

I am willing to specify that any rate limiting features should also apply to these queries.

Roy

v2.23.0 | Report a Bug | By Email