Re: [DNSOP] Status of draft-ietf-dnsop-dns-error-reporting

Manu Bretelle <> Fri, 12 November 2021 23:29 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7D19B3A0846; Fri, 12 Nov 2021 15:29:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id guYhgzW74Eyk; Fri, 12 Nov 2021 15:29:34 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D4C323A0855; Fri, 12 Nov 2021 15:29:34 -0800 (PST)
Received: by with SMTP id bf8so20753621oib.6; Fri, 12 Nov 2021 15:29:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=HC0U8Sh1FFsWKhRFE5a3PiDznc+678nQzNZ7DqGUFD8=; b=EpSGP3nKhXv3Xy1qN8wjDEaslsY36QgZVkCg83GvILpC2N+BQp/C1SonwhiBCbRFza OWOzXi4hlQbfjAPp+U9jhhsyYBKWKiGwp2rvx1POpN+gdnPIMr0Tbb/ScIZyUr6y87nj hhzNStwnndf36Vg4Wev1S54+r2kNvlHX6dKAVjYAdvPysst/eVkxyAvncbOozkbEm9Jl KEoXTPMXJKe7KDTC2dyxxiscJqT6jZEMr5G79GoMqxDeEGTLgqE8usyznXvNrDRrqyJ7 knQLk+N4JEjCeFMBgRyd19ti/YKW4Mduz79H6B6JfYZc0rgnEWS1TZc2s1mvkAC0+dF5 h6Eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=HC0U8Sh1FFsWKhRFE5a3PiDznc+678nQzNZ7DqGUFD8=; b=r9hjODua8lpo0cNNetZTqblUabnlXO+yO69wfd7gV10Q+5CjUWm0WrsBkNboPjzpxi NSviI8e+5DHQUynAIFQwkkeM8ezitQ1zVCXKa6eocapQGtw6hHbakfUVmWG3oHxaWs11 uEbLc60couB5bv++hqK5DDA9RcMG5b/Nf7LnVweVyB44UhVFnWE8sk/MbYQ475BGCECP DcO2eypkgrCT6hAGv/LsY8YYehWqFoMBkeP4ZfsL4Zuzr/evlNwbF4JcKaOSBGnPdaqQ yRXqP0PSIIDM8eZW18lwhhGPB9GZBLD+Xavh/qYb9YvAht0QIx4aBhbzbJtOMognsISx ylyw==
X-Gm-Message-State: AOAM532qYkJqIPAwyvf24MSKeAV7FSrUb+tkHREdS6eDL4wjWp1zODMR QIsuUuSeFYAGfqCRPNWkmmmSbsEb7J+mMRyLdM0FInZrjGruAFEa
X-Google-Smtp-Source: ABdhPJxWslHIFDn2zrq4UTOEST1Pjrxw+peYvuRnWp52bKYMBU8XnsyyFFI2zECRG1djYZGmFsXgq42gyle18bJogyw=
X-Received: by 2002:a05:6808:14c3:: with SMTP id f3mr10687248oiw.51.1636759772675; Fri, 12 Nov 2021 15:29:32 -0800 (PST)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Manu Bretelle <>
Date: Fri, 12 Nov 2021 15:29:21 -0800
Message-ID: <>
To: Roy Arends <>
Cc: dnsop <>, dnsop-chairs <>, Matt Larson <>
Content-Type: multipart/alternative; boundary="000000000000d5431905d09fd40f"
Archived-At: <>
Subject: Re: [DNSOP] Status of draft-ietf-dnsop-dns-error-reporting
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 12 Nov 2021 23:29:40 -0000

Hi Roy,

It seems those 2 paragraphs are conflicting with each others:

On the one hand the aggressive use of DNSSEC-validated cache is suggested
for the reporting agent:


This caching is essential.  It ensures that the number of reports
   sent by a reporting resolver for the same problem is dampened, i.e.
   once per TTL, however, certain optimizations such as [RFC8020
<>] and

   [RFC8198 <>] may reduce the
number of error reporting queries as well.

But on the other hand, it is not recommended to sign the reporting agent domain.

A solution is to avoid DNSSEC for the reporting agent domain.
   Signing the agent domain will incur an additional burden on the
   reporting resolver, as it has to validate the response.  However,

   this response has no utility to the reporting resolver.


On Tue, Nov 9, 2021 at 3:07 PM Roy Arends <> wrote:

> Dear WG,
> After the October 26, IETF DNSOP interim WG on DNS Error Reporting, the
> document editors have made the following changes to reflect the discussion:
> Change 1) Due to qname minimisation, the reporting agent may not know that
> the reported string has been shortened. There were a few options suggested,
> such as adding a label counter. However, the most straightforward option
> seemed to be to start the reporting query with an _er label as well.
> Change 2) There was an observation by developers that some authoritative
> servers do not parse (unknown) EDNS0 options correctly, leading to an
> additional roundtrip by the resolver. It was suggested that authoritative
> servers could return the new EDNS0 option “unsolicited”. This is already
> the case for Extended DNS errors. We have adopted this suggestion. It was
> also pointed out that this kind of unsolicited behaviour can be surveyed.
> We believe that one such effort is underway.
> Change 3) There as a lot of descriptive text what implementations should
> and shouldn’t do, and what configurations should and shouldn’t do. This was
> found to be overly descriptive and pedantic, and has now been removed.
> There was a request to put the markdown version of the document in GitHub.
> This has now been placed here:
> New version:
> Diffs:
> Warm regards,
> Roy Arends
> _______________________________________________
> DNSOP mailing list