Re: [DNSOP] Status of draft-ietf-dnsop-dns-error-reporting

Manu Bretelle <> Fri, 12 November 2021 17:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0F9BB3A0EC4; Fri, 12 Nov 2021 09:18:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id l8-3S-iCBQ8V; Fri, 12 Nov 2021 09:18:33 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 842913A0EC3; Fri, 12 Nov 2021 09:18:33 -0800 (PST)
Received: by with SMTP id u18-20020a9d7212000000b00560cb1dc10bso14805663otj.11; Fri, 12 Nov 2021 09:18:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=2mLgehrghdO8uhYFzMDLiLkiUqXrxOm/Z0nHEFYdCEA=; b=exRLD48Fc7nrPVUlPcgKYPiZgnAL57+kMtscO9v/vHO41YlwEew08ed3YS3BKwnYgy 0Ulgez1WclPHDjAhZPXwaO51DnCVO53VbFgsbXGJK7ri1kYuiVjtJ9o9WmeBd8+O5+a8 7twinw5xQ4nvv2lDg27ndp1t2pgzIusv4qA2/XLpzsMtCzC6afZWNMqiooKyd70A+4Zg R8gqr+lyFlidhe2B+uPGUip0GSAhGOMmJIgZ4MT7l43RU7HYYx8anXnWyGu1lMpP8fqK qsc9YKYnw73XEMHHTFwPOegBYt4QqWEa8xsAWZ0XgOSsEo3YbX51bj/bYFb6Rhg5b8C2 fbtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=2mLgehrghdO8uhYFzMDLiLkiUqXrxOm/Z0nHEFYdCEA=; b=IbL11Hjfb7zgh+iEEo4B73PGMfxoFCEHBvV9dVe1l9qaxUtMf5OHrqTwE0Goy+Deha uQhpt6W0N7I8CCtbIazrg+qB4ZcNabjCibyw8zHUVKmRq0SW0xNJNcOljt+fFvG8S3bR CB55sfdE5Ogea5w5bC+LeeWnz2kJucOO8o1Rf0ZLUCpzEyUKi79NHdStwkzgTfmSPuZu a2V7rUhLDGhRknlRnYz6Vg44O4Rwccc/gOtoM3I/cmf4LNwf3vjfs8pr5eECV8SHQth8 5YdW1EFcf1ZwMs9gmPRvfGV65EkV8bUxIm4+28rJVVpN/q7aEd7dVgz9Ze9nTmwVITyp 5uqw==
X-Gm-Message-State: AOAM532WxW9iFHR+cgijXEqwkz67hIw1McE1GA2LMy4Qb1b0JA5/MqWe y2ahvsxSpgb962yeCfM0YJEKZd20J0Js4HFtl5c=
X-Google-Smtp-Source: ABdhPJwPH/oGlBzRaxjh/zV8rjHXovXNNUxI50i3E1DO5yz9V48QBihEJgMni1BFo4wOEjbJM5VCVIVME29TULeZ+IE=
X-Received: by 2002:a9d:4e97:: with SMTP id v23mr14056574otk.315.1636737511865; Fri, 12 Nov 2021 09:18:31 -0800 (PST)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Manu Bretelle <>
Date: Fri, 12 Nov 2021 09:18:20 -0800
Message-ID: <>
To: Petr Špaček <>
Cc: Roy Arends <>, dnsop <>, dnsop-chairs <>, Matt Larson <>
Content-Type: multipart/alternative; boundary="000000000000fc44a705d09aa5f7"
Archived-At: <>
Subject: Re: [DNSOP] Status of draft-ietf-dnsop-dns-error-reporting
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Nov 2021 17:18:39 -0000


On Fri, Nov 12, 2021 at 5:24 AM Petr Špaček <> wrote:

> On 12. 11. 21 7:42, Manu Bretelle wrote:
> > Hi Roy,
> >
> > I like the idea of an out-of-band error reporting and therefore I like
> > the proposition of this draft.
> >
> > One of the things I have a hard time visualizing though is how this
> > could be used for more than reporting DNSSEC specific errors. With the
> > option not being signed in the first place, it does not seem that DNSSEC
> > is a requirement to be able to leverage this functionality, hence it
> > would be great to think how we can make this work for more than
> > DNSSEC-only errors.
> E.g. it can conceivably report errors like "resolver had to fallback to
> Nth server because the first one we tried times out". Is that a
> sufficient example?

I suppose it could. Another one which may already fit in the EDE error code
could be EDE Code 3, "Stale Answer",
as an example.

Some others I have a harder time understanding their value could be EDE
Code 20, "Not Authoritative",
On one hand, this is log you already have as an auth operator, but on the
other hand, through the reporting endpoint, and ignoring possible abuses of
said endpoint, you would get a peek at the resolver view, not just any
unsolicited request that was sent to your auth server, making it easier to
track broken delegation.

> > As it is, the requirement for the EDNS0 option to be in the response,
> > while it does offer some properties such as controlling sampling rate…,
> > essentially will prevent any report of answers which are not properly
> > formatted in the first place, or never received like when a resolver is
> > not able to reach any authorities for a given name, when resolver start
> > falling back on staled data, and possibly in the future, failing to
> > reach over an advertised encrypted channel… There is likely value for an
> > authoritative resolver operator to be able to get report for those
> > issues too.
> While I agree with the sentiment that reporting other issues would be
> also useful, I think that _for now_ we should keep the scope limited to
> situations which do not require any extra state in resolvers.
> That is, reporting "no server is reachable" requires prior information
> stored or reachable somewhere else, which is IMHO order of magnitude
> more complex task. Let's get experience with simple error reporting
> first and only then move forward to more complex tasks...

I am more than happy to have an iterative approach to this. My concern was
that this solution would be the end-goal, essentially closing
possibilities for other type of errors such as the ones mentioned.

> > The title of the draft: "DNS Error Reporting" would let one believe that
> > it is a somewhat generic mechanism, but I don't think it is as is.
> I disagree here. It is a generic mechanism, see the first response
> paragraph in this e-mail.

This sentence was coming in block with the rest of the paragraph below for

> > Actually, while DNSSEC is not named in the title/abstract, the examples
> > in the abstract are DNSSEC specific, the wording in the rest of the
> > document refers for the most part to "validating resolvers". Should this
> > be a "DNSSEC Error Reporting" draft? or a "DNS Error Reporting" draft,
> > but then the function of "validating" itself should be less emphasized?
> > While a validating resolver can report more type of errors than a
> > non-validating resolvers, validation is not a requirement to be able to
> > report.
> Agreed, but I really don't feel the problem as severe. Would it be
> sufficient to add more examples of non-DNSSEC errors?

Yes, I think a non-DNSSEC error could help, along with not using
"validating" outside the scope of DNSSEC specific errors. As an example, in
the terminology, the reporting resolver is a validating resolver:

> Reporting Resolver: In the context of this document, the term
   reporting resolver is used as a shorthand for a validating recursive
   resolver that supports DNS Error Reporting

> > On Tue, Nov 9, 2021 at 3:07 PM Roy Arends <
> > <>> wrote:
> >
> >     Dear WG,
> >
> >     Change 3) There as a lot of descriptive text what implementations
> >     should and shouldn’t do, and what configurations should and
> >     shouldn’t do. This was found to be overly descriptive and pedantic,
> >     and has now been removed.
> >
> >
> > I see that the security consideration about not reporting errors from an
> > encrypted channel (over a supposedly unencrypted channel) has been
> > removed. Wouldn’t it make sense to leave it in order to avoid leaking
> > traffic for queries that were not previously visible on the network?
> > Possibly requiring than an encrypted channel (equal or stronger, for
> > whatever definition that may be) is used to send such reports if needed?
> > This would also make sure the mechanism is going to work once the ADo*
> > mechanisms are ironed out.
> AFAIK it was removed because the only things we could place there were
> extremely vague and probably not implementable anyway.
> Reason: There is _no such thing_ as 1:1 mapping between client queries
> and outgoing answers, which makes it super hard to define anything
> sensible.
> A simple example:
> 1. Client A asks for
> over plain UDP (and is now waiting for resolver's answer).
> 2. Resolver starts recursing and eventually sends query for
> NS over UDP (client sent query over plain UDP,
> right?). At this point the query was sent but answer was not received yet
> 3. Client B asks for
> over TLS
> 4. Resolver deduplicates the query for NS, i.e.
> queries (1) and (3) are now waiting for the same packet - delegation
> from to
> 5. If this deduplicated query for NS failed and came
> back with error reporting option, what should the resolver do now? We
> have two clients waiting for it. Is the query considered "secret" or
> not? If the client B (packet in step 3.) arrived couple ms later it
> would not be secret?
> In short: This way madness lies.
> The only sane way to implement "never leak queries to plaintext" policy
> is to operate TLS-only resolver and do not permit non-TLS
> clients/queries. Then you can disable the error reporting feature
> completely ...

Thanks, that makes sense. I did not remember this from either the interim
discussion or the list, so it thought it was removed under the
explanation "This
was found to be overly descriptive and pedantic, and has now been removed."

> Having said that, we can have _some_ text in Security considerations
> section, but someone needs to write a sensible description - which I'm
> not capable of.

Agreed, there is going to be tons of shades between cases. For a resolver
internal to a network, it may not care that the client queried over
plaintext, but wants to prevent the plaintext query to go out of network,
for an open resolver the considerations are going to be different.
Maybe some warning notes along the line "In a possible scenario where
recursive perform strict encryption to authoritative name servers, Error
reporting over plaintext DNS could leak queries." would at least highlight
the possible problem.


> Have a great day.
> Petr Špaček
> >
> > Thanks,
> > Manu
> >
> >
> >
> >     There was a request to put the markdown version of the document in
> >     GitHub. This has now been placed here:
> >
> >     <>
> >
> >     New version:
> >
> >     <
> >
> >     Diffs:
> >
> >     <
> >
> >     Warm regards,
> >
> >     Roy Arends