Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt

Paul Wouters <> Tue, 05 March 2019 04:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C42FF130F08 for <>; Mon, 4 Mar 2019 20:00:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id G80upu_NtRtF for <>; Mon, 4 Mar 2019 20:00:05 -0800 (PST)
Received: from ( [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6CDD7130EFE for <>; Mon, 4 Mar 2019 20:00:05 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id 44D37k2vmkz25c for <>; Tue, 5 Mar 2019 05:00:02 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1551758402; bh=+ns4fotyJBoJ3BVm2zrzhpbd4m3IPj2JrWGSwxMDE74=; h=Date:From:To:Subject:In-Reply-To:References; b=pHA2w/SkHUkSU66pWE7SlLKRa2SfRSudw6B8T58EP3ExM6IQdEu7+QmBWnAD6WomW C+F0hUwUkNn5K5xTCco8O9C5APqlABqhB7qkTdCd9kG4CI0b/8G1cS/VdRKLquYy1P 3aWPlsTEJAy8laNvsvs4sRmEc3829OO8bkohT6KM=
X-Virus-Scanned: amavisd-new at
Received: from ([IPv6:::1]) by localhost ( [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id 4z8JprLsRAUg for <>; Tue, 5 Mar 2019 05:00:00 +0100 (CET)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS for <>; Tue, 5 Mar 2019 04:59:59 +0100 (CET)
Received: by (Postfix, from userid 1000) id C75F45E4BA8; Mon, 4 Mar 2019 22:59:58 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 C75F45E4BA8
Received: from localhost (localhost []) by (Postfix) with ESMTP id BC7D1411601B for <>; Mon, 4 Mar 2019 22:59:58 -0500 (EST)
Date: Mon, 4 Mar 2019 22:59:58 -0500 (EST)
From: Paul Wouters <>
To: dnsop <>
In-Reply-To: <>
Message-ID: <>
References: <> <> <> <4253851.Zqd2zPpPcC@linux-9daj> <>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Mar 2019 04:00:08 -0000

On Tue, 5 Mar 2019, Mark Andrews wrote:

>> On Tuesday, 5 March 2019 02:21:42 UTC Christopher Morrow wrote:
>>> can I ask, what happens when a domain is intentionally down though? For
>>> instance, take .eg... ~4yrs back? (maybe 5?) Someone requested that the
>>> master/shadow NS go down, hard. All public auth servers eventually (in a
>>> day or so) went dark too.

 	"If the recursive server is unable to contact the
          authoritative servers for a query "

So make the DNS server reachable, but return ServFail or NXDOMAIN. If
the owner doesn't cooperate and there is legal standing, talk to the
parent to do this for the delegation.

I don't think this draft stops a domain from being brought down

>> i already raised that question, very far up-thread. got no answer.
>>> If someone is 'ordered' to make a zone dark, there may be reasons for that
>>> action, and real penalties if the request is not honored.
>>> Is this draft suggesting that the DNS operations folk go against the wishes
>>> of the domain owner by keeping a domain alive after the auth servers have
>>> become unreachable? How would a recursive resolver know that the auth is
>>> down: "By mistake" vs: "By design" ?

The DNS resolvers who want to accomodate their governments need to
manually override their resolvers anyway with new (forged) data. This
draft does not change that.

If the owner itself wants to bring the domain down, they just need to
make its auth servers reachable.

If the DNS hoster wants to bring it down, they just need to modify the
data it serves resulting in NXDOMAIN, ServFail or A records.

>> this the essence of the argument against utility for this entire proposal. no
>> data should be served beyond its TTL unless some new leasing protocol is first
>> defined, to obtain permission and to provide a cache invalidation method.

I don't really follow this reasoning. Are you saying that:
1) if the domain owner wants their domain to be reachable
2) and they have lost their auth servers due to a DDOS attack
3) they might prefer to be down over extending the TTL a bit

In the non-DDOS case, the auth server is reachable and none of the data
is getting additional TTL added:

    Answers from authoritative servers that have a DNS Response Code of
    either 0 (NOERROR) or 3 (NXDOMAIN) MUST be considered to have
    refreshed the data at the resolver.  In particular, this means that
    this method is not meant to protect against operator error at the
    authoritative server that turns a name that is intended to be valid
    into one that is non-existent, because there is no way for a resolver
    to know intent.

Although perhaps it should also explicitely state this regarding
ServFail ?

> And one can to that if we add 2 TTLs to each DNS record. One for total time to
> live and one for freshness (old client get this).  It will require EDNS to signal
> that multiple TTLs are desired and are present in the response and may require
> using the last DNS flag bit to move the OPT record to in front of the question
> section to make parsing easier (no trial and error).
> Yes, this is radical but it will work and is incrementally deployable.

See above. It seems a bit overkill for a strange corner case. But even
so, one could specify the maximum ever allowed TTL to be like 3 days? Which
I think is kind of enforced by most DNS resolvers anyway?

Adding more TTLs would just make this more complicated and more error
prone and not lead to reduced outage times which is the goal of this

I don't think the "4 years" is a realistic problem case.

I can see how people want to get a few hours or a few days of usage
beyond the TTL to accomodate for errors. Although, it is likely that
moving up the error this way will also delay the error from being
detected before the extra time has expired, and we are just moving
the goal post with no effective gain. But in the case of a DDOS
attack, the draft's feature is surely useful.