[DNSOP] Feedback on extended error from the IETF hackathon
Shane Kerr <shane@time-travellers.org> Sun, 24 March 2019 11:30 UTC
Return-Path: <shane@time-travellers.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD661131148 for <dnsop@ietfa.amsl.com>; Sun, 24 Mar 2019 04:30:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3aNkGXtNxWF7 for <dnsop@ietfa.amsl.com>; Sun, 24 Mar 2019 04:30:13 -0700 (PDT)
Received: from time-travellers.org (c.time-travellers.nl.eu.org [IPv6:2a02:2770::21a:4aff:fea3:eeaa]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0215131138 for <dnsop@ietf.org>; Sun, 24 Mar 2019 04:30:10 -0700 (PDT)
Received: from [2001:67c:1232:144:ad24:cd93:9366:dfbe] by time-travellers.org with esmtpsa (TLS1.2:RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <shane@time-travellers.org>) id 1h81Ki-00033q-Jb for dnsop@ietf.org; Sun, 24 Mar 2019 11:30:32 +0000
To: dnsop@ietf.org
From: Shane Kerr <shane@time-travellers.org>
Message-ID: <f1ea01e2-d067-09ce-965d-d72024ed3be3@time-travellers.org>
Date: Sun, 24 Mar 2019 12:29:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/cehhhflTXEb4y9A5RHq8y-ZCVTI>
Subject: [DNSOP] Feedback on extended error from the IETF hackathon
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Mar 2019 11:30:21 -0000
Hello everyone, Several folks have worked on implementing the draft-ietf-dnsop-extended-error at the IETF Hackthon yesterday and today. This is my own feedback on the draft based on trying to get it added to dnsdist. ---------------- Stéphane Bortzmeyer pointed out that it wasn't clear how to encode the INFO-CODE into the 12 bits allocated to it. I think that the idea is that it should be represented in network (MSB) order, but probably it should be specified. ---------------- Minor suggestion: text for the descriptions should be consistent regarding capitalization. So: * Forged answer -> Forged Answer * DNSKEY missing -> DNSKEY Missing * RRSIGs missing -> RRSIGs Missing ---------------- For some reason NXDOMAIN(3)-specific codes are listed after NOTIMP(4)-specific and REFUSED(5)-specific codes in the draft. I think it would make more sense to just include these in order. ---------------- Numbering is a bit weird in section 4.1.3: 4.1.3. INFO-CODEs for use with RESPONSE-CODE: NOERROR(3) 4.1.3.1. NOERROR Extended DNS Error Code 3 - Stale Answer Probably the idea is just to have: 4.1.3. NOERROR Extended DNS Error Code 3 - Stale Answer ---------------- RESPONSE-CODE: 3 (NOERROR) INFO-CODE: 3 Purpose: Answering with stale/cached data Reference: Section 4.1.3.1 -> should be RESPONSE-CODE 0 ---------------- RESPONSE-CODE: 2 (SERVFAIL) INFO-CODE: 7 Purpose: No NSEC records could be obtained Reference: Section 4.2.8 -> should be "No Reachable Authority", 4.2.7 ---------------- This code is missing in the table: RESPONSE-CODE: 2 (SERVFAIL) INFO-CODE: 8 Purpose: No NSEC records could be obtained Reference: Section 4.2.8 ---------------- RESPONSE-CODE: 4 (NOTIMP) INFO-CODE: 1 Purpose: Reference: Section 4.4.2 -> should be "Deprecated" ---------------- Finally, I note that the suggestion of requiring that the sender have some signal indicating that it is interested in extended errors was not adopted. I don't insist on it, but I think it would be useful to avoid bloating packets unnecessarily. It's a bit like the useless additional section data that lots of servers insist on appending to answers... why send something that will not be seen? OTOH I realize that having this information available may be useful for humans debugging things, even if the sender does not ask for it. On the gripping hand, adding unasked-for information may have privacy implications. Possibly adding a "Privacy Considerations" section would be useful? https://tools.ietf.org/html/rfc6973#section-7 Cheers, -- Shane