Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-08.txt

Stephane Bortzmeyer <bortzmeyer@nic.fr> Mon, 29 May 2017 20:23 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58EB0124D37 for <dnsop@ietfa.amsl.com>; Mon, 29 May 2017 13:23:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_20=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dCEW61t_jP7T for <dnsop@ietfa.amsl.com>; Mon, 29 May 2017 13:23:13 -0700 (PDT)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fece:1902]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5791E1205D3 for <dnsop@ietf.org>; Mon, 29 May 2017 13:23:13 -0700 (PDT)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id E794B31D2B; Mon, 29 May 2017 22:23:09 +0200 (CEST)
Received: by mail.sources.org (Postfix, from userid 1000) id 51635190AB6; Mon, 29 May 2017 22:20:47 +0200 (CEST)
Date: Mon, 29 May 2017 22:20:47 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: dnsop@ietf.org
Message-ID: <20170529202047.GB25128@sources.org>
References: <148853300022.10133.1786841727275160096.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <148853300022.10133.1786841727275160096.idtracker@ietfa.amsl.com>
X-Transport: UUCP rules
X-Operating-System: Debian GNU/Linux 8.7
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bZcTxNXL8UdQrLukCKiW0C7pFmc>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-08.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 May 2017 20:23:16 -0000

On Fri, Mar 03, 2017 at 01:23:20AM -0800,
 internet-drafts@ietf.org <internet-drafts@ietf.org> wrote 
 a message of 46 lines which said:

>         Title           : A Common Operational Problem in DNS Servers - Failure To Respond.
>         Author          : M. Andrews
> 	Filename        : draft-ietf-dnsop-no-response-issue-08.txt

I've read it and, to summarize, I like the idea (documenting all the
bad things that can happen when you don't reply, or don't reply
correctly) but I dislike the document in its current form, and I
regret that several objections raised seem to have been forgotten. May
be because one or two emails on this list is not WG consensus? If so,
let me add my opinion, even if it means I'll repeat things already
said.

First problem, is the draft about "no response", as its title suggest,
or also about wrong responses? It is not clear and would require some
editing. Since there have been several discussions on the list about
"is it legitimate for a server not to reply?", I suggest a section on
that.

Second problem, section 3 is confusing: it mixes description of the
problem, and possible remediations. 3.2.6, for instance, is very
unclear: does it mean DNSSEC is mandatory? What is this (lowercase)
"should"? This problem was already reported in
<https://mailarchive.ietf.org/arch/msg/dnsop/bpE9T0olLrtQqvdt7qsbMFFRXvY> and
<https://mailarchive.ietf.org/arch/msg/dnsop/z5OqfuJIgwssxsqCqDOFnazIgME>

Third, section 8 seems to be something quite different, a series of
"standard" tests to run against name servers, something which was
tried several times in the IETF, or RIPE, or other places, and always
failed (see for instance
draft-wallstrom-dnsop-dns-delegation-requirements).

Fourth, section 9 goes into politics and suggest widely unrealistic
remedies, such as depublishing a domain. (This serious problem was
already reported in
<https://mailarchive.ietf.org/arch/msg/dnsop/h8wj4cX3NSw2eHLld6KHNiJfKLA>
and
<https://mailarchive.ietf.org/arch/msg/dnsop/7_kFW9_2xV4CwoEBOpGf1hzwY5g>.)

Fifth, the draft does not mention some important documents. For
instance, the draft talks a lot about unknown RR types but do not
mention RFC 3597. When it does mention RFCs, it does not always do it
correctly. For instance, section 7 claims that RFC 1034 says that a
name server must not load a zone with unsupported types, without being
specific on which section of RFC 1034 says so (I was not able to find
it).

The draft needs a lot of changes. My preferate way would be to trim it
down to just a description of what happens when you don't reply (the
evil consequences). Mostly section 2 and a part of section 3, with may
be some of section 8 as an appendix.