Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
Dave Lawrence <tale@dd.org> Wed, 06 March 2019 01:45 UTC
Message-ID: <23679.9798.678631.923122@gro.dd.org>
Date: Tue, 05 Mar 2019 20:45:42 -0500
From: Dave Lawrence <tale@dd.org>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1903051202360.1124@bofh.nohats.ca>
References: <155094804613.28045.8648150477440044197@ietfa.amsl.com> <CA+9_gVscCzr0S8A0Z23q0V1B+BZeLtDoZRSKyEJDPZ3P=KT-tw@mail.gmail.com> <CAL9jLaYo5JH6vf+djEn0O=YGhLV2AkytMg_eKQmWn=Pma5yBFQ@mail.gmail.com> <4253851.Zqd2zPpPcC@linux-9daj> <92355508-D5AC-46DC-8FF5-C1C4155601D8@isc.org> <alpine.LRH.2.21.1903042240330.32161@bofh.nohats.ca> <23678.40176.492174.37630@gro.dd.org> <3E7AF476-0989-4FA8-8186-F5AAFC87317A@icann.org> <alpine.LRH.2.21.1903051202360.1124@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ZAFux3FFqkniabh980SjSqEEOBM>
Paul Wouters writes:
> I am a bit confused here. The goal of the draft is to keep data past
> the TTL in case you cannot reach the authoritative servers during a
> DDOS attack.

There are many different failure modes in operating the DNS and the goal of this draft has been to accommodate the ones that are clear failures. I, for one, have never put forth that it is only about resiliency against DDoS and don't recall hearing Warren or Puneet say that either. It can include when there are other clear errors in the system, even when self-inflicted by the authoritative operator.

> Misconfiguring your authoritative server by removing the zone is not
> meant to be covered by this draft if I understood it correctly. If it
> is, then the introduction will need to add text to cover that use case.

I can sort of see how someone might infer from "It is predicated on the observation that authoritative server unavailability can cause outages ..." that it means this whole idea is constrained to DDoS, and presumably you would include as well other network and server outages not caused by DDoS. It doesn't only mean that though. The intention is that this applies to any inability to get a proper authoritative response, one which has AA set in a protocol-meaningful way. This can be edited to be clearer, perhaps as simply as changing "authoritative server unavailability" to "authoritative answer unavailability". We'd be happy to consider alternative text.

Realistically only rcodes NoError and NXDomain apply for being authoritative answers, each being an explicit assertion regarding the name/type in the query and legitimately supplanting whatever previous data was known about that name and type. ServFail is a clear signal that the authoritative server itself has something going wrong. If you send a ServFail then AA is completely irrelevant.
REFUSED is slightly murkier as to its exact meaning, thanks to overloading, but in its most commonly seen usage for lameness indicates a clear problem with the delegation. Even in its other use cases, notably an EDNS Client Subnet error or an actual "I am authoritative for the name but administratively denying your resolution of it", I submit that if the resolver has a stale answer then serving it is reasonable. In that administrative denial case it'd be better to issue NXDomain anyway, which is exactly what split horizon authorities do.

Other lesser seen rcodes are largely similar in not indicating anything at all about the legitimacy of the name and whatever data you might have previously associated with it. Only the dynamic update rcodes come close to being relevant, but they are not part of the resolution process covered by serve-stale.

Despite the unfortunate RFC 1035 nomenclature of NXDomain as "Name Error" it is called out explicitly because it isn't really an error, not in the database lookup sense. There's no way of knowing whether the NXDomain is happening because of operator fault or the far more likely case that it just doesn't exist. That's why it is called out separately in the doc, with an explicit note about why it has to be treated as replacing any stale data associated with the name.
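A small model of the cache-update rule set out in the message above, added here as an example and not code from the thread or the draft: only an authoritative NoError or NXDomain supplants cached data, while ServFail, REFUSED, lesser rcodes and timeouts leave stale data in place to be served. The rcode values follow RFC 1035; the 300-second TTL, the 7-day `MAX_STALE` cap and the `upstream` callable are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

NOERROR, SERVFAIL, NXDOMAIN, REFUSED = 0, 2, 3, 5   # RFC 1035 rcodes
TIMEOUT = None                  # constructed sentinel: no response at all
MAX_STALE = 7 * 86400           # assumption: cap on how long stale data is served

@dataclass
class Answer:
    rcode: Optional[int]        # None models a timeout
    aa: bool = False            # AA bit as received
    rdata: tuple = ()           # empty for NXDomain

@dataclass
class Entry:
    rdata: tuple                # () means a cached NXDomain
    expires: int                # absolute time at which the TTL runs out

def supplants_cache(ans: Answer) -> bool:
    """True only for an authoritative NoError or NXDomain: each is an explicit
    assertion about the name/type and legitimately replaces prior data."""
    return ans.aa and ans.rcode in (NOERROR, NXDOMAIN)

def resolve(cache: dict, key: tuple, now: int, upstream) -> tuple:
    """Return (rdata, source) with source one of 'fresh', 'auth', 'stale', 'error'.
    `upstream` is a constructed callable standing in for the authoritative query."""
    entry = cache.get(key)
    if entry and now < entry.expires:
        return entry.rdata, "fresh"
    ans = upstream(key)
    if supplants_cache(ans):
        ttl = 300               # constructed TTL for the sample
        cache[key] = Entry(ans.rdata, now + ttl)
        return ans.rdata, "auth"
    # ServFail, REFUSED, other rcodes or no reply: none of these says the
    # stale data is wrong, so serve it unless it has aged past MAX_STALE.
    if entry and now - entry.expires <= MAX_STALE:
        return entry.rdata, "stale"
    return (), "error"
```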