Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-00.txt

"Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com> Tue, 01 December 2015 00:01 UTC

From: "Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com>
To: "internet-drafts@ietf.org" <internet-drafts@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Date: Tue, 01 Dec 2015 00:01:39 +0000
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-00.txt
Message-ID: <2f2edc434a0b404982fc1bd8aa114f82@mxph4chrw.fgremc.it>
In-Reply-To: <20151128125143.4568.50789.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/_uO-eIImbFysAD_-UcDFbdh4zlw>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

I'm still reading through this draft, but a few things jumped out at me right away. Some of them are typos, others merely "style" issues, one is a jargon/definitional issue, and then one observation that goes somewhat deeper.

TYPOS: Intro: "not a necessarily" should be simply "not necessarily". Section 6: "proceeded" should be "preceded".

STYLE ISSUES: a) The use of the second-person "you" throughout the document. It's a little familiar, and could be interpreted as slightly condescending/overbearing. General RFC "style" seems to use the passive voice (e.g. "If EDNS is supported" instead of "If you support EDNS"), use "implementations" as the subject, or use the more formal "one", as in "receiving queries for zones that one is not configured to serve". b) The term "broken" is somewhat overused, and in one case in particular -- "Testing is broken... ", at the very beginning of Section 8, can momentarily lead an unwary reader into a false train of thought. I suggest "Testing methodology is divided" (or "categorized") as substitute language to lead off that section.

JARGON/DEFINITIONAL: I must admit never having heard/read the term "Whole Answer Cache" before, and I'm still unclear what this term denotes. A quick Google search of the singular term yields nothing DNS-related; of the plural term, all references point to this I-D. So what is a "Whole Answer Cache"? What does it do? Can an example of a product, package or implementation be cited? Or am I missing the reference here, and "Whole Answer Cache" is just a new name for something old and familiar?

CONTENT ISSUE: There are several conclusory statements in Sections 4 and 5 about what DNS anomalies are or are not "an attack", or an "attack vector". Is there clear consensus on all of these? Even if they are not attacks _per_se_, could they be components of a more complex, multi-pronged attack, or, at the very least, if the codepaths which handle these anomalies are not optimized sufficiently, could they not be used to perpetrate a DoS? I'd be fine if someone with more InfoSec chops than I would review all of these scenarios and confirm that they are all benign. But, failing that, and failing clear consensus, I think at least a mention should be made in Security Considerations that some of the anomalous behavior described _could_ be used to perpetrate attacks, and thus might call for reasonable countermeasures as such attacks are discovered/revealed. A flat declaration that something is or is not an attack could come back to haunt the declarer...

- Kevin

-----Original Message-----
From: DNSOP [mailto:dnsop-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
Sent: Saturday, November 28, 2015 7:52 AM
To: i-d-announce@ietf.org
Cc: dnsop@ietf.org
Subject: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-00.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations Working Group of the IETF.

        Title           : A Common Operational Problem in DNS Servers - Failure To Respond.
        Author          : M. Andrews
        Filename        : draft-ietf-dnsop-no-response-issue-00.txt
        Pages           : 16
        Date            : 2015-11-28

Abstract:
   The DNS is a query / response protocol.  Failure to respond or to
   respond correctly to queries causes both immediate operational
   problems and long term problems with protocol development.

   This document identifies a number of common classes of queries to
   which some servers either fail to respond or else respond
   incorrectly.  This document also suggests procedures for TLD and
   other similar zone operators to apply to help reduce / eliminate the
   problem.

   The document does not look at the DNS data itself, just the structure
   of the responses.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-no-response-issue/

There's also an htmlized version available at:
https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-00


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop