Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt

Tony Finch <dot@dotat.at> Tue, 05 March 2019 18:02 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6557112D861 for <dnsop@ietfa.amsl.com>; Tue, 5 Mar 2019 10:02:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ydqPHB612MS for <dnsop@ietfa.amsl.com>; Tue, 5 Mar 2019 10:02:03 -0800 (PST)
Received: from ppsw-31.csi.cam.ac.uk (ppsw-31.csi.cam.ac.uk [131.111.8.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3267E12D4F3 for <dnsop@ietf.org>; Tue, 5 Mar 2019 10:02:03 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:58308) by ppsw-31.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.137]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1h1EO9-0002wE-Jn (Exim 4.91) (return-path <dot@dotat.at>); Tue, 05 Mar 2019 18:02:01 +0000
Date: Tue, 5 Mar 2019 18:02:01 +0000
From: Tony Finch <dot@dotat.at>
To: Paul Wouters <paul@nohats.ca>
cc: dnsop <dnsop@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1903051202360.1124@bofh.nohats.ca>
Message-ID: <alpine.DEB.2.20.1903051754370.13313@grey.csi.cam.ac.uk>
References: <155094804613.28045.8648150477440044197@ietfa.amsl.com> <CA+9_gVscCzr0S8A0Z23q0V1B+BZeLtDoZRSKyEJDPZ3P=KT-tw@mail.gmail.com> <CAL9jLaYo5JH6vf+djEn0O=YGhLV2AkytMg_eKQmWn=Pma5yBFQ@mail.gmail.com> <4253851.Zqd2zPpPcC@linux-9daj> <92355508-D5AC-46DC-8FF5-C1C4155601D8@isc.org> <alpine.LRH.2.21.1903042240330.32161@bofh.nohats.ca> <23678.40176.492174.37630@gro.dd.org> <3E7AF476-0989-4FA8-8186-F5AAFC87317A@icann.org> <alpine.LRH.2.21.1903051202360.1124@bofh.nohats.ca>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/UF5Qkp1TzozMF2iJU8A1SH1QYvU>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2019 18:02:06 -0000

Paul Wouters <paul@nohats.ca> wrote:
>
> I am a bit confused here. The goal of the draft is to keep data past the
> TTL in case you cannot reach the authoritative servers during a DDOS
> attack.

Right.

There's a tricky interaction between lameness and serve-stale.

Say you have a partially-lame zone, where some servers might have an
expired copy (returning SERVFAIL) and some might not know about the zone
at all (returning REFUSED or referrals to the root). Typically (without
serve-stale) a resolver will react by adding a lame server cache entry and
re-trying other hopefully working servers.

I think serve-stale should only take effect after this point, if a zone
has at least one non-lame server, and all the non-lame servers do not
respond.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
a fair, free and open society
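The ordering Tony describes above (ordinary lame-server handling first, serve-stale only afterwards, and only when the zone had at least one non-lame server and none of the non-lame servers respond) can be shown in a toy resolver model. This is an added example, not code from Tony's message, the draft or any real resolver. The zone name, server names, the `Outcome` classification and the `stale` store are all constructed for illustration; in particular, treating SERVFAIL, REFUSED and an upward referral as "lame" follows the message's description, not any implementation's actual rules.

```python
"""Toy model of lameness handling combined with a serve-stale fallback.

Added example (constructed): it contrasts serving stale only after lame
servers have been excluded with a naive policy that serves stale on any
failure to obtain an answer.
"""
from enum import Enum, auto
from typing import Dict, Set, Tuple


class Outcome(Enum):
    ANSWER = auto()         # server answers authoritatively for the zone
    SERVFAIL = auto()       # server holds an expired copy of the zone
    REFUSED = auto()        # server does not know the zone at all
    ROOT_REFERRAL = auto()  # server refers us upward to the root
    TIMEOUT = auto()        # no reply at all: the case serve-stale targets


# A server that is reachable but not usefully serving the zone is lame for
# that zone. An unreachable (TIMEOUT) server is not lame, just down.
LAME = {Outcome.SERVFAIL, Outcome.REFUSED, Outcome.ROOT_REFERRAL}

LameCache = Set[Tuple[str, str]]   # (zone, server) pairs found to be lame


def resolve_serve_stale_after_lameness(zone: str, servers: Dict[str, Outcome],
                                       stale: Dict[str, str],
                                       lame_cache: LameCache) -> str:
    """Proposed ordering: do normal lame-server handling first, then serve
    stale only if the zone had at least one non-lame server and none of
    the non-lame servers responded.

    `servers` maps each server to the outcome it would produce (constructed).
    Returns 'fresh', 'stale:<rdata>' or 'SERVFAIL'.
    """
    saw_non_lame = False
    for server, outcome in servers.items():
        if (zone, server) in lame_cache:
            continue                            # known lame: skip it
        if outcome in LAME:
            lame_cache.add((zone, server))      # remember, try the others
            continue
        saw_non_lame = True
        if outcome is Outcome.ANSWER:
            return "fresh"                      # a working server answered
        # Outcome.TIMEOUT: a non-lame server that did not respond; try next
    if saw_non_lame and zone in stale:
        return f"stale:{stale[zone]}"           # all non-lame servers are down
    return "SERVFAIL"                           # lame everywhere, or no stale data


def resolve_naive_serve_stale(zone: str, servers: Dict[str, Outcome],
                              stale: Dict[str, str]) -> str:
    """Contrast: serve stale on any failure to get an answer, without
    distinguishing lame servers from unreachable ones."""
    if any(o is Outcome.ANSWER for o in servers.values()):
        return "fresh"
    return f"stale:{stale[zone]}" if zone in stale else "SERVFAIL"


def demo() -> Dict[str, Tuple[str, str]]:
    """Run three constructed scenarios; return (proposed, naive) per scenario."""
    zone = "zone.example"
    stale = {zone: "192.0.2.1"}                 # constructed stale rdata
    scenarios = {
        # partially lame zone, one working server
        "working server present": {
            "ns1": Outcome.SERVFAIL, "ns2": Outcome.REFUSED, "ns3": Outcome.ANSWER},
        # partially lame zone, the only non-lame server is unreachable
        "non-lame server unreachable": {
            "ns1": Outcome.SERVFAIL, "ns2": Outcome.ROOT_REFERRAL, "ns3": Outcome.TIMEOUT},
        # every server is lame: the zone is broken, not unreachable
        "every server lame": {
            "ns1": Outcome.SERVFAIL, "ns2": Outcome.REFUSED},
    }
    return {
        name: (resolve_serve_stale_after_lameness(zone, s, stale, set()),
               resolve_naive_serve_stale(zone, s, stale))
        for name, s in scenarios.items()
    }


if __name__ == "__main__":
    for name, (proposed, naive) in demo().items():
        print(f"{name:30} proposed={proposed:18} naive={naive}")
```

The third scenario is where the two policies differ: with every server lame, the proposed ordering returns SERVFAIL (the zone is misconfigured rather than unreachable), while the naive policy keeps answering from stale data and hides the lameness.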