Re: [DNSOP] "flagday" again, was Re: Wrapping up draft-ietf-dnsop-dns-tcp-requirements
Paul Wouters <paul@nohats.ca> Tue, 02 July 2019 14:32 UTC
Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F7791200B6 for <dnsop@ietfa.amsl.com>; Tue, 2 Jul 2019 07:32:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xhOdHiU-Uudo for <dnsop@ietfa.amsl.com>; Tue, 2 Jul 2019 07:31:59 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99C2512008C for <dnsop@ietf.org>; Tue, 2 Jul 2019 07:31:58 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 45dRWw2Z5xzFQM; Tue, 2 Jul 2019 16:31:56 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1562077916; bh=3RJ7x3j4+5pZ7Izjdsuii7hgaqnuyocAfvvCiSWdqps=; h=Date:From:To:cc:Subject:In-Reply-To:References; b=SNHmu4nWs7JxwoyzyRHVyx8Y7OjiSMmnXDTIwlb0Xbz2upGgSg4svFiJlkbDLeeUj CYaOQtUh3O34lWWjyz2o+Xq/YUVEzUW7p69/igLLDtVvqxCW+r09ky1v3Wfy8S71UX 4e5c/3zlhrxeIN++btkqRiMFUZk0E1pAF/EDTUHQ=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id J3RdGTWAVdgu; Tue, 2 Jul 2019 16:31:54 +0200 (CEST)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Tue, 2 Jul 2019 16:31:53 +0200 (CEST)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id 77D8F4392C5; Tue, 2 Jul 2019 10:31:52 -0400 (EDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca 77D8F4392C5
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id 6BA98410A921; Tue, 2 Jul 2019 10:31:52 -0400 (EDT)
Date: Tue, 02 Jul 2019 10:31:52 -0400
From: Paul Wouters <paul@nohats.ca>
To: Petr Špaček <petr.spacek@nic.cz>
cc: dnsop@ietf.org
In-Reply-To: <c7d0a3df-68ea-bafa-f43b-e373fa791a58@nic.cz>
Message-ID: <alpine.LRH.2.21.1907021019280.20572@bofh.nohats.ca>
References: <20190625101020.3c601691@p50.localdomain> <cdb97d93-4480-08eb-436b-574fe22c4981@nic.cz> <alpine.LRH.2.21.1907011349190.28830@bofh.nohats.ca> <15467755.7jdABhfuui@linux-9daj> <c7d0a3df-68ea-bafa-f43b-e373fa791a58@nic.cz>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/SUbR9xb8W3n9Ktuf06WXv5PDrLs>
Subject: Re: [DNSOP] "flagday" again, was Re: Wrapping up draft-ietf-dnsop-dns-tcp-requirements
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2019 14:32:01 -0000
On Tue, 2 Jul 2019, Petr Špaček wrote: > Let me clarify that we (as DNS flag day organizers) are not even > touching any RFC language because all the necessary pieces are already > standardized (madatory TCP support + mechanism to handle EDNS buffer size). If there is a security issue with fragmented DNS packets, perhaps that warrants a new RFC document, possibly a BCP, that instructs implementers what to do. > Some people claim that IETF cannot put requirements on operators, only > on implementations. We (as software and service vendors) are now saying > "if you want to interoperate, you as an operator have to follow > standards mandated for implementations", because in the end, what's > mandated for implementation does not matter if operators ignore these > requirements. That is not different from the examples I gave earlier for those RFCs. You can encourage/discourage or obsolete features. The good thing of doing that in an RFC is that organizations and goverments and vendors can point to it for compliance or policy and explain why it is done a certain way. > Of course it has to be explained to non-IETFers in many more words to > eliminate requirement to read all the RFCs, but that's it. If you think that, you haven't properly informed implementers via existing RFCs. A new one is apparently needed. I don't see why this should not be done here. This is dnsops. If you find an operational issue, you write a clarifying or correcting RFC. > Changing default EDNS buffer size is, I believe, in competency of > individual implementations, so we as implementors will do a thing we > deem sensible. No one is saying you are not sensible. My point was that none of this is a flag day, and the promotion to reach a few implementations via "flag days" is better directed at writing a new or updated RFC that explains the issue and recommends implementors what (not) to do. That also helps downstream with customers wanting RFC ABC compliance, which is a much stronger signal than compliance to "dnsflagday.net/2020". > Let's continue discussion about dns flag day 2020 at mailing list > dns-operations@lists.dns-oarc.net, please. I'd rather not. Operational issues related to the DNS protocol (mis)implementations or standard behaviour are well within the charter of this group. DNS-OARC is a good venue to look at what is happening, discuss why certain operational things are happening, maybe brainstorm on how to fix it. Then coming to this group with a proposal for a document to inform everyone and improve everything is the right venue. It seems the problem and solution are already well defined. It just needs to be written down in an RFC, and then gradually software can implement the new behaviour. And again, if for reasons vendors decide to implement it all on the same day to ensure strict vendors are not unreasonably punished by being blamed for failures, that's a reasonable goal. But seeing how upstream vendors have no control over when downstream vendors pick up new versions, the term "flag day" is just not the correct term to use, and only brings up negative connotations in people being misled into thinking IETF protocols needs flag days to continue running. Paul
- [DNSOP] Wrapping up draft-ietf-dnsop-dns-tcp-requ… John Kristoff
- Re: [DNSOP] Wrapping up draft-ietf-dnsop-dns-tcp-… Tim Wicinski
- Re: [DNSOP] Wrapping up draft-ietf-dnsop-dns-tcp-… Petr Špaček
- [DNSOP] "flagday" again, was Re: Wrapping up draf… Paul Wouters
- Re: [DNSOP] "flagday" again, was Re: Wrapping up … Joe Abley
- Re: [DNSOP] "flagday" again, was Re: Wrapping up … Paul Vixie
- Re: [DNSOP] "flagday" again, was Re: Wrapping up … Petr Špaček
- Re: [DNSOP] "flagday" again, was Re: Wrapping up … Paul Wouters
- Re: [DNSOP] "flagday" again, was Re: Wrapping up … Mark Andrews
- Re: [DNSOP] "flagday" again, was Re: Wrapping up … Paul Wouters
- Re: [DNSOP] "flagday" again, was Re: Wrapping up … Töma Gavrichenkov
- Re: [DNSOP] "flagday" again, was Re: Wrapping up … Mark Andrews