Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

"Darcy Kevin (FCA)" <> Fri, 13 March 2015 22:21 UTC

From: "Darcy Kevin (FCA)" <>
To: Randy Bush <>, Michael Graff <>
Date: Fri, 13 Mar 2015 22:21:37 +0000
Cc: "" <>, "D. J. Bernstein" <>, "" <>
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards
List-Id: IETF DNSOP WG mailing list <>

According to their own statement, Cloudflare perceived the "problem" to be the code-complexity of their DNS implementation -- in particular, they characterized the complexity of their (former) QTYPE=*-handling code as "enormous". Their "fix" was to feign ignorance (RCODE=NOTIMP) of QTYPE=* and thus -- as I and others interpret it -- fall out of compliance with any reasonable reading of RFC 1034/1035.

IANAL, but I think this might have legal ramifications. If they are advertising/selling "DNS" services and what they are delivering is not "DNS", then Truth in Advertising and/or Bait-and-Switch statutes, regulations and/or treaty provisions may apply. They could avoid this fate, of course, by rebranding their name-resolution service as something other than "DNS" (Cloudnameserviceflare?), even though coincidentally it runs on port 53 and in all respects other than QTYPE=* responses looks and quacks a lot like "DNS".

Of course, IETF is not the FTC, nor is it the WTO. What can we do? There seems to be a diversity of opinion on this:

The standards-purists want to render an opinion that Cloudflare's implementation has forsaken standards-compliance, and let those chips fall where they may, legally or otherwise.

The accommodationists want to come up with a "smarter" or "cleverer" way for Cloudflare (and undoubtedly others to follow) to frustrate QTYPE=* queries in a way that causes as little wreckage as possible. Not sure how they hope to achieve that, if anything beyond "return(DNS_RCODE_NOTIMP)" qualifies as "enormous" code-complexity to the Cloudflare folks...

Cloudflare justifies their action, in part, by making the questionable claim "The original reason for adding the ANY to DNS was to aid in debugging and testing". Whatever other action may or may not be taken by the IETF, since only IETF has the institutional memory to definitively confirm or deny this claim, I think it is worthy of a response.

- Kevin
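To make the behaviour under discussion concrete, here is an added example (not code from the thread or from any of the implementations mentioned) that builds a QTYPE=ANY (255) query on the wire, parses a response header, and flags the exact case the draft describes: RCODE=NOTIMP (4) returned for an ANY question. The "server" reply is a constructed byte string, so the example runs offline; a resolver that wants to keep working against such a server would use the detection to fall back to explicit-type queries.

```python
import struct

QTYPE_ANY = 255      # QTYPE=* in RFC 1035 terms
RCODE_NOTIMP = 4     # RCODE "Not Implemented"
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_FALLBACK = {"A": 1, "AAAA": 28, "MX": 15, "TXT": 16}  # assumed fallback set

def encode_name(name):
    """Encode a dotted name as RFC 1035 length-prefixed labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an}

def parse_question(msg):
    """Walk the first question's labels, then read QTYPE and QCLASS."""
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return ".".join(labels) + ".", qtype, qclass

def classify_response(query, response):
    """'any-notimp' for the draft's behaviour, else the RCODE name."""
    name, qtype, _ = parse_question(query)
    h = parse_header(response)
    if h["id"] != parse_header(query)["id"] or not h["qr"]:
        return "mismatch"
    if qtype == QTYPE_ANY and h["rcode"] == RCODE_NOTIMP:
        return "any-notimp"
    return RCODE_NAMES.get(h["rcode"], str(h["rcode"]))

def fallback_queries(query):
    """Replace one ANY query with explicit-type queries for the same name."""
    name, _, _ = parse_question(query)
    return [build_query(name, t) for t in QTYPE_FALLBACK.values()]

def constructed_notimp_reply(query):
    """Constructed sample reply: echo the question, QR=1, RCODE=NOTIMP."""
    flags = 0x8000 | 0x0100 | RCODE_NOTIMP
    header = struct.pack("!HHHHHH", parse_header(query)["id"], flags, 1, 0, 0, 0)
    return header + query[12:]
```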

-----Original Message-----
From: DNSOP [] On Behalf Of Randy Bush
Sent: Friday, March 13, 2015 6:28 AM
To: Michael Graff
Cc:; D. J. Bernstein;
Subject: Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

> What problem are we specifically trying to solve here again?

not break things that are working


DNSOP mailing list