IETF Logo Mail Archive

Re: [DNSOP] Clarifying referrals (#35)

Paul Vixie <paul@redbarn.org> Tue, 14 November 2017 07:03 UTC

Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17E7A128961 for <dnsop@ietfa.amsl.com>; Mon, 13 Nov 2017 23:03:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wTDsDOpjbDbR for <dnsop@ietfa.amsl.com>; Mon, 13 Nov 2017 23:03:12 -0800 (PST)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F37DF127977 for <dnsop@ietf.org>; Mon, 13 Nov 2017 23:03:11 -0800 (PST)
Received: from [IPv6:2001:559:8000:c9:2c81:6cd7:5872:4e2f] (unknown [IPv6:2001:559:8000:c9:2c81:6cd7:5872:4e2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id BE2DF61FA2; Tue, 14 Nov 2017 07:03:11 +0000 (UTC)
Message-ID: <5A0A952F.1060001@redbarn.org>
Date: Mon, 13 Nov 2017 23:03:11 -0800
From: Paul Vixie <paul@redbarn.org>
User-Agent: Postbox 5.0.20 (Windows/20171012)
MIME-Version: 1.0
To: Andrew Sullivan <ajs@anvilwalrusden.com>
CC: dnsop@ietf.org
References: <20171112075445.tf2ut5dxzhhnqe7l@mx4.yitter.info> <20171112131831.GA32208@laperouse.bortzmeyer.org> <20171113014445.ncldrwnuuvluecx7@mx4.yitter.info> <5A08FD96.8030907@redbarn.org> <20171113020736.ga7rzgst2hurb56h@mx4.yitter.info> <5A09068A.3030206@redbarn.org> <20171113032640.tbn7icsllm6jeeny@mx4.yitter.info> <5A09C4D6.6080202@redbarn.org> <20171114063209.gjubqyovnwcrl33a@mx4.yitter.info>
In-Reply-To: <20171114063209.gjubqyovnwcrl33a@mx4.yitter.info>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Yik0lTgszf5UuslTTJh7ZbhtWK4>
Subject: Re: [DNSOP] Clarifying referrals (#35)
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Nov 2017 07:03:13 -0000


Andrew Sullivan wrote:
> Hi,
>
> On Mon, Nov 13, 2017 at 08:14:14AM -0800, Paul Vixie wrote:
>>> If I ask the authoritative server for example.com about a name
>>> label.example.net, in a graph-theoretic sense the NS RRset for the
>>> root zone is clearly closer to label.example.net than anything else I
>>> can give.
>> dns is not that kind of graph.
>>
>> ...
>
> Obviously.  But your example is still on the current tree, just not
> immediately below.  The example I gave is in a completely different
> section of the tree, and my point is that none of the text you quoted
> shows why "." isn't the "closer server" that an authoritative server
> somewhere beneath com. can give in response to a qname that is
> somewhere beneath net.  We might think today that is a misfeature in
> STD13, but I don't think it's a misinterpretation of what STD13 says.
> I don't know what kind of graph would make that false.

actually, i had misread you (com vs net). i apologize. let me re-answer.

there is no reason for an authority server to know who the root name 
servers are. so, there can be no expectation that it would know any 
"closer" name server set than the one at its zone bottom.

since RFC 1034 talks about zone bottoms, and "closest enclosing", and 
its algorithm speaks specifically of a referral being generated by 
copying non-authoritative NS RRs from the zone bottom into the answer, 
there is no reasonable interpretation of "closer" other than an NS RRset 
which is closer, along the path from the zone apex to the qname, than 
the zone apex was. in fact, from that algorithm, there is no way to 
generate a referral other than by copying along-the-path data into an 
answer.

any attempt to interpret "closer" in an off-the-path way is a clear 
misinterpretation of RFC 1034. we are only on "the current tree" here.

>> as i wrote during the SOPA wars, REFUSED has been widely used as an
>> administrative denial, and repurposing it would not be effective at this
>> late date.
>
> This, too, seems to be a claim that is at best poorly justified.  It
> might be that it is how BIND interprets the RCODE, but it's not what
> it is defined to be.

it's defined as "administrative denial" not merely "widely interpreted 
as administrative denial" as i wrote above.

> ... I'm anyway not sure your description in the circleid piece (or
> elsewhere) is inconsistent with the RFC 1035 definition of RCODE 5:
> "The name server refuses to perform the specified operation for
> policy reasons."  Refusing to respond to this or that IP address is a
> policy, and refusing to perform upwardreferrals is also a policy, no?

"no." the client isn't asking for an upward referral, it's asking for an 
answer, and is expecting either an answer (positive or negative or 
empty) or an on-the-path referral copied from the non-authoritative data 
at the bottom of the authority zone. it is not expecting its query to be 
interpreted as a request for an upward referral, so, it cannot treat 
REFUSED as an administrative denial of that upward referral.

the rest of the text of the definition of REFUSED makes this clearer:

<<For example, a name server may not wish to provide the information to 
the particular requester, or a name server may not wish to perform a 
particular operation (e.g., zone transfer) for particular data.>>

the word "particular" appears four times.

as witnessed in discussions of the u.s. constitutions and the christian 
bible, arguments about the literal intent of the authors are interesting 
mostly to scholars, whereas our concern should be with the actions taken 
by the far end given the data pattern we transmit and the circumstances 
as we know them.

while specific guidance was not given as to resolver action in response 
to each possible authority RCODE, i have both witnessed and implemented 
full resolvers which treated REFUSED as a permanent failure whereas 
SERVFAIL was a temporary failure. that is, receipt of a REFUSED from any 
authority consulted during iteration would cause a final error code 
(assuming no other authority gave a more useful answer) of NO_RECOVERY, 
whereas if only timeouts and SERVFAILs were heard, the final error code 
would be TRY_AGAIN. (these are BSD h_errno values, but modern API's have 
equivalents.)

---

treating "i don't have the zone configured" as a REFUSED condition, 
while treating "i can't write the secondary zone" or "i can't read the 
primary zone" as SERVFAIL conditions, adds no value, but does subtract 
it. usually when i don't have a zone configured that is delegated to me, 
it's because i have not caught up with my inbox, or i have FUBAR'd my 
configuration file using "git" or similar. in those cases, the name 
being looked up _might exist_ and retrying later _might succeed_.

i have heard a number of folks argue that this logic is common, but i 
have heard noone argue that it is superior to known alternatives. can we 
hear someone who is in favour of this for reasons beyond "five million 
frenchmen cannot be wrong"?

-- 
P Vixie

v2.34.0 | Report a Bug | By Email | System Status