[DNSOP] Review of draft-ietf-dnsop-no-response-issue-05.txt

Ondřej Surý <ondrej.sury@nic.cz> Tue, 20 September 2016 08:40 UTC

Return-Path: <ondrej.sury@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F001812B6EB for <dnsop@ietfa.amsl.com>; Tue, 20 Sep 2016 01:40:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.316
X-Spam-Level:
X-Spam-Status: No, score=-9.316 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-2.316] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JfUY5NEE7JDc for <dnsop@ietfa.amsl.com>; Tue, 20 Sep 2016 01:40:23 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1C3812B6F7 for <dnsop@ietf.org>; Tue, 20 Sep 2016 01:34:20 -0700 (PDT)
Received: from zimbra.rfc1925.org (calcifer.labs.nic.cz [217.31.192.138]) by mail.nic.cz (Postfix) with ESMTP id 48BD9600C5 for <dnsop@ietf.org>; Tue, 20 Sep 2016 10:34:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1474360458; bh=0Bl/gfDcP2JRO6IvjqZSPK/yFhryDLOLusKAzP0u3Ug=; h=Date:From:To; b=TpTC+4afUm3YJTcd6FvFEjPC7vzcFksWsvN/29WNdATFP+xZH59HxUQdu2Zrlvi71 XL4QWH0d1+biifrkbygqQkA1Qh0+0kj1w4TfAHxDyfPfSyqUqIHQxLM4X8zkwZcc2S yYXzpTaq0WO+TznZWZEr12Tng0JP1aA6dE/LFLqo=
Date: Tue, 20 Sep 2016 10:34:18 +0200 (CEST)
From: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
To: dnsop@ietf.org
Message-ID: <566842833.1526.1474360458132.JavaMail.zimbra@nic.cz>
In-Reply-To: <147424216159.14944.7658102461705205502.idtracker@ietfa.amsl.com>
References: <147424216159.14944.7658102461705205502.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: [217.31.192.138]
X-Mailer: Zimbra 8.7.0_GA_1659 (ZimbraWebClient - FF48 (Linux)/8.7.0_GA_1659)
Thread-Topic: Review of draft-ietf-dnsop-no-response-issue-05.txt
Thread-Index: sLUf8LXR/jxVCZUnvio2HymTxryqdg==
X-Virus-Scanned: clamav-milter 0.98.7 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/bpE9T0olLrtQqvdt7qsbMFFRXvY>
Subject: [DNSOP] Review of draft-ietf-dnsop-no-response-issue-05.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2016 08:40:26 -0000

Hi dnsop,

Tim has asked me for a review for TLD perspective, so here it is.

A. The text in the RFC is very dense and very hard to read for me.  Sometimes it feels like that the paragraphs are composed just of bullet points put together.  I feel it needs a serious rewrite to improve readability.

B. Chapter 3 is missing RFC references at many places

C. While reading Chapter 3 I got very confused about intended audience of the I-D.  Is is a DNS servers vendors (as in DNS servers), a DNS resolver vendors (as in DNS clients), a DNS protocol compliance testers?

D. Section 3.2.1 phrase "the first and last queries" is used at several places in the Chapter 3, but without definition what the first and last query is or should be.  It becomes slightly clearer in the Chapter 4, but still it got me _very_ confused.

E. Each section in Chapter 3 is written in different style.  One time it speaks about misbehavior, second time it speak about correct behavior and f.e. third time it speaks about "Servers should be checked".  This is probably relevant to my point 3.  I feel that whole Chapter 3 needs to be rewritten using a language that in each Section f.e. defines correct behavior (with references to relevant RFCs), then usual mistakes and then it defines the tests for correct/incorrect behavior.  (Or split the Chapter 3 to several chapters each focusing on one of the parts - correct / incorrect / testing).

As an example, let's take Chapter 3.2.4 EDNS Flags and rewrite it this way:

--cut here--
3.2.4. EDNS Flags

3.2.4.1 Compliant behaviour

DNS server MUST respond to DNS queries with EDNS flags set.  Servers SHOULD (or should?) ignore EDNS flags they do not understand and SHOULD NOT (or should not?) add them to the response [RFC6891].

3.2.4.2 Common mistakes

When receiving DNS queries with EDNS flags set, the non-compliant DNS servers:

 * drop the query (fail to respond)
 * respond with RCODE indicating failure (FORMERR/SERVFAIL/REFUSED/...)
 * lorem ipsum, ...

3.2.4.3 Testing

DNS Testing Tools wishing to test DNS queries with EDNS flags set SHOULD do <foo> and <bar>.
--cut here--

F. Chapter 4 is very long and I feel it has to be split into subsections with recommendations for each relevant party (auth DNS, recursive DNS, DNS operators, TLDs)

G. Here comes my greatest objection to the document so far.  I don't think that IETF technical community is the right place to give non-technical operational advice to the TLD operators.  The paragraph that requires to remove the delegation of the customer zone has a legal implications, and I am sorry to say that but dnsop is not the here to define the legal aspects of the operating a TLD.  Such advices must be removed before any form of this document is published.  Same goes with other advices that uses language as "it needs to be performed" and similar.  There might be some contractual obligations for some types of TLD (gTLDs, new gTLDs, sTLDs) and not for others (ccTLDs).  The document might provide a guidance and advices, but it certainly cannot require TLDs to do <random> stuff.

While many TLDs have a good relationships with the registrars and DNS operators withing their bailiwick and they work very hard to ensure the DNS service withing the TLD is in overall good health, it's definitely not possible to cut off non-compliant servers from within the TLD authority.

On the other hand I definitely have no problem to start failing some horrendous DNS servers if the DNS vendor community agrees to do so, but it would require a responsible and coordinated approach between DNS server vendors (OSS and non-OSS).  But pushing this down the TLDs' throats is not a way to make a progress.

H. Could the authors use RFC 2119 language in the document?  It's quite confusing without it and that becomes especially visible in Chapter 5 where the authors speak about what Firewalls and Load Balancers should and should not do.

I. It seems to me that Chapter 5 just repeats what has been already said.  A reference to well-structured Chapter 3 (e.g. correct behavior) and saying that it applies to Firewalls and Load Balancers should be sufficient.  There's no reason to make a second comprehensive list with the things that have been already stated.  Also saying "Nameservers hasve always been expected to be able to hadnel such queries" three times seems to be more fit for a rant than an Internet Standard.

J. Chapter 4, 5, 6 and 7 target specific services, so it' very confusing that Chapter 8 jumps back to a definition of what the correct/incorrect DNS behavior is.  I think that Chapter 8 needs to be merged with improved Chapter 3.

K. Chapter 9 testing should be rewritten to not used BIND's dig, but to provide a detailed definition of DNS queries and responses.  Relying on specific tool might be problematic for the future implementors.  Providing a description how to construct a testing packet is more universal and less prone to the tool changes in the future.  This would also allow to describe and construct tests that are not (yet) implemented in BIND's dig tool.

L. Overall I have a feeling this might be an excellent document that would provide a lot of benefit to the DNS community and I support moving this forward.  It needs to be extensively rewritten to improve readability and structure of the document.  To be really useful, the implementors of DNS protocol should be able to use this as an easy to understand and follow checklist that needs to be followed step by step to get a compliant DNS implementation.  The well-informed end-users could then use this document as a bashing instrument when slapping and shaming the various networking equipment vendors from tiny (SOHO) to huge (scrubbing, load-balancing, etc.).

Nits:

a. (nit) Chapter 2, first paragraph; s/known issues know/knows issues now/

b. (nit) Chapter 3.1.5: s/attempts, they should/attempts should/

Cheers,
--
 Ondřej Surý -- Technical Fellow
 --------------------------------------------
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.sury@nic.cz    https://nic.cz/
 --------------------------------------------

----- Original Message -----
> From: internet-drafts@ietf.org
> To: i-d-announce@ietf.org
> Cc: dnsop@ietf.org
> Sent: Monday, 19 September, 2016 01:42:41
> Subject: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-05.txt

> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations of the IETF.
> 
>        Title           : A Common Operational Problem in DNS Servers - Failure To
>        Respond.
>        Author          : M. Andrews
>	Filename        : draft-ietf-dnsop-no-response-issue-05.txt
>	Pages           : 20
>	Date            : 2016-09-18
> 
> Abstract:
>   The DNS is a query / response protocol.  Failure to respond or to
>   respond correctly to queries causes both immediate operational
>   problems and long term problems with protocol development.
> 
>   This document identifies a number of common kinds of queries which
>   some servers either fail to respond or else respond incorrectly.
>   This document also suggests procedures for TLD and other zone
>   operators to apply to help reduce / eliminate the problem.
> 
>   The document does not look at the DNS data itself, just the structure
>   of the responses.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-no-response-issue/
> 
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-05
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-no-response-issue-05
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop