Re: [DNSOP] [Ext] Re: Processing error codes in draft-ietf-dnsop-extended-error-10

Bob Harold <rharolde@umich.edu> Tue, 01 October 2019 19:01 UTC

References: <CAMOjQcEtDBR29yKmOTvnx-7B7SmC9pox_kzOCKs4jBMQr1VSTA@mail.gmail.com> <yblblv15wv0.fsf@w7.hardakers.net> <6419da25-924e-8d54-0700-48a4cd6d4d34@icann.org> <yblimp92xgc.fsf@w7.hardakers.net> <0dff410f-4218-1d3a-3037-2b43fc64a86c@icann.org>
In-Reply-To: <0dff410f-4218-1d3a-3037-2b43fc64a86c@icann.org>
From: Bob Harold <rharolde@umich.edu>
Date: Tue, 1 Oct 2019 15:01:02 -0400
Message-ID: <CA+nkc8C824AWbduK0=RYnbtrAU9fcUq78psnk3UG8QEqK9Oc5Q@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_r65EnGUVSHcxfb5po9fJpEbIGc>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

On Mon, Sep 30, 2019 at 8:55 PM Paul Hoffman <paul.hoffman@icann.org> wrote:

> On 9/30/19 7:09 PM, Wes Hardaker wrote:
> > Paul Hoffman <paul.hoffman@icann.org> writes:
> >
> >> Saying "SHOULD NOT" without helping the reader understand the
> >> implications is dangerous and will lead to lack of
> >> interoperability. Either this document specifies the exact places
> >> where an EDE can change the processing of the RCODE, or the current
> >> MUST NOT wording is correct.
> >
> > Did you read the new replacement sentence?
> >
> >        Applications MUST continue to follow requirements from applicable
> >        specs on how to process RCODEs no matter what EDE values are also
> >        received.
> >
> > Is that sufficient?
>
> Yes, thank you.
>
> --Paul Hoffman
>


Just a note.  The original draft had a 'retry' code that was intended to
change how the client reacted.  That has been removed, but there are still
some that would like to 'act on' the EDE.
One reason given for not doing that is that it can be spoofed or changed by
attackers, so it cannot be trusted.  I was hoping that this could improve
some cases where the client is not acting in an optimal way, but I can
understand why that would be discouraged.
Should we warn implementers of the issues, but still not forbid acting on
them?

-- 
Bob Harold
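As an added example (not part of this thread, the draft, or any implementation discussed in it), the rule Wes quoted expressed as client code: the action taken is a function of the RCODE alone, while the EDE option, which as Bob notes can be spoofed in transit, is parsed only into a diagnostic string. It assumes the EDE option code 15 and the INFO-CODE names from RFC 8914, the published version of the draft; the sample OPT RDATA is constructed inline.

```python
import struct

EDNS_OPTION_EDE = 15  # EDE option code as assigned by RFC 8914 (published form of the draft)
RCODE_NOERROR, RCODE_SERVFAIL, RCODE_NXDOMAIN = 0, 2, 3
# Small subset of RFC 8914 INFO-CODEs, used only to label log lines.
EDE_NAMES = {0: "Other", 3: "Stale Answer", 6: "DNSSEC Bogus", 22: "No Reachable Authority"}


def parse_edns_options(rdata: bytes) -> list:
    """Walk OPT RR RDATA: a sequence of (option-code, option-length, option-data)."""
    opts, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            raise ValueError("truncated EDNS option")
        opts.append((code, rdata[off:off + length]))
        off += length
    if off != len(rdata):
        raise ValueError("trailing bytes in OPT RDATA")
    return opts


def parse_ede(opts) -> list:
    """Return (info_code, extra_text) for each EDE option; one shorter than 2 bytes is ignored."""
    found = []
    for code, data in opts:
        if code == EDNS_OPTION_EDE and len(data) >= 2:
            info = struct.unpack_from("!H", data)[0]
            found.append((info, data[2:].decode("utf-8", errors="replace")))
    return found


def build_ede(info_code: int, text: str = "") -> bytes:
    """Encode one EDE option (constructed test input, not a captured server packet)."""
    body = struct.pack("!H", info_code) + text.encode("utf-8")
    return struct.pack("!HH", EDNS_OPTION_EDE, len(body)) + body


def process_response(rcode: int, opt_rdata: bytes):
    """The action is chosen from RCODE alone; EDE content only enriches diagnostics."""
    action = {RCODE_NOERROR: "use answer",
              RCODE_NXDOMAIN: "negative answer",
              RCODE_SERVFAIL: "resolution failed"}.get(rcode, "resolution failed")
    diagnostics = [f"EDE {i} {EDE_NAMES.get(i, 'unassigned')}: {t}".rstrip(": ")
                   for i, t in parse_ede(parse_edns_options(opt_rdata))]
    return action, diagnostics
```

A NOERROR response that carries a contradictory "DNSSEC Bogus" EDE is still used, and a SERVFAIL with no EDE at all still fails: neither outcome depends on the option.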