Re: [DNSOP] draft-ietf-dnsop-refuse-any - why not NOTIMP?

Ólafur Guðmundsson <olafur@cloudflare.com> Mon, 07 August 2017 15:44 UTC

In-Reply-To: <6c97191d-9591-d7de-6e8b-ed6e460c7707@bellis.me.uk>
References: <6c97191d-9591-d7de-6e8b-ed6e460c7707@bellis.me.uk>
From: Ólafur Guðmundsson <olafur@cloudflare.com>
Date: Mon, 7 Aug 2017 11:44:11 -0400
Message-ID: <CAN6NTqwXnZB_1nCn5nyg+TFSkh2dT=niZWAYg8wA2Tfe-ebWqA@mail.gmail.com>
To: Ray Bellis <ray@bellis.me.uk>
Cc: dnsop <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/evHL7td3QcMEclGINKB9GN9pF_0>
Subject: Re: [DNSOP] draft-ietf-dnsop-refuse-any - why not NOTIMP?

This was the original proposal;
the drawback is that resolvers do not cache the answer, and to make things
worse they ask ALL NS addresses for the listed domain,
thus it acts as a DDoS against the domain in question.

Olafur


On Mon, Aug 7, 2017 at 7:14 AM, Ray Bellis <ray@bellis.me.uk> wrote:

> Having looked at this a few months ago when one of our partners was
> (briefly) returning NOTIMP for ANY queries, I find myself wondering why
> this isn't discussed in the draft?
>
> The draft does talk about *new* RCODEs, but not existing ones.
>
> My reading of RFC 1035 is that it would be a perfectly appropriate
> response from a server that doesn't support ANY.
>
> Unfortunately the retry semantics of DNS are not well specified and
> therefore implementation differences may occur.  If as a result NOTIMP
> is really not usable then IMHO this should also be documented.
>
> Ray
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>
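The effect Ólafur describes, as an added example that is not part of the thread and not code from the draft, from Cloudflare, or from any real resolver: a stdlib-only Python model of an authoritative server that refuses ANY either with RCODE NOTIMP or with a single synthesized HINFO RRset (the cacheable alternative the draft proposes; the HINFO text and the 3600 s TTL below are this example's own choices), and a toy resolver that, when it gets nothing it can cache, goes on to ask every NS address. The NS list, client count and query name are constructed. The resolver loop models the retry behaviour described in the message above, not any particular implementation, since, as Ray notes, retry semantics are not well specified.

```python
"""Toy model of two ways of refusing ANY: NOTIMP versus a synthesized HINFO.

Constructed example (not from the draft or from any real server/resolver).
Wire format is built with struct only, so it runs offline.
"""
import struct

QTYPE_ANY, TYPE_HINFO, CLASS_IN = 255, 13, 1
RCODE_NOERROR, RCODE_NOTIMP = 0, 4
FLAGS_AUTH_RESPONSE = 0x8500      # QR=1, AA=1, RD copied from the query
HINFO_TTL = 3600                  # assumed TTL for the synthesized RRset


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(qid, name, qtype):
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def skip_name(msg, off):
    """Return the offset just past a name (label sequence or 2-byte pointer)."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln
        if ln == 0:
            return off


def answer_any(query, policy):
    """Authoritative response to an ANY query under policy 'notimp' or 'hinfo'."""
    qid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4                       # name + QTYPE + QCLASS
    qtype = struct.unpack("!H", query[qend - 4:qend - 2])[0]
    assert qtype == QTYPE_ANY, "toy server models only ANY"
    question = query[12:qend]
    if policy == "notimp":
        # RCODE 4, no answer section: nothing carries a TTL, nothing to cache
        header = struct.pack("!HHHHHH", qid, FLAGS_AUTH_RESPONSE | RCODE_NOTIMP, 1, 0, 0, 0)
        return header + question
    # 'hinfo': one HINFO RR whose owner is a pointer (0xC00C) to the question name
    cpu, os_ = b"ANY obsoleted", b"See draft-ietf-dnsop-refuse-any"   # constructed RDATA
    rdata = bytes([len(cpu)]) + cpu + bytes([len(os_)]) + os_
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_HINFO, CLASS_IN, HINFO_TTL, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", qid, FLAGS_AUTH_RESPONSE | RCODE_NOERROR, 1, 1, 0, 0)
    return header + question + rr


def parse_response(resp):
    """Return (rcode, ttl); ttl is the first answer RR's TTL, or None if no answer."""
    flags, qdcount, ancount = struct.unpack("!HHH", resp[2:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(resp, off) + 4
    if ancount == 0:
        return flags & 0xF, None
    off = skip_name(resp, off)
    _rtype, _rclass, ttl = struct.unpack("!HHI", resp[off:off + 8])
    return flags & 0xF, ttl


def resolve_any(name, ns_addrs, policy, cache):
    """Model resolver: serve from cache, else ask NS addresses in turn until a
    cacheable (NOERROR, TTL-bearing) answer arrives.  Returns queries sent upstream."""
    key = (name, QTYPE_ANY)
    if key in cache:
        return 0
    sent = 0
    for _ns in ns_addrs:            # with nothing cacheable, every NS gets asked
        sent += 1
        rcode, ttl = parse_response(answer_any(build_query(0x1234, name, QTYPE_ANY), policy))
        if rcode == RCODE_NOERROR and ttl is not None:
            cache[key] = ttl
            return sent
    return sent


def upstream_load(policy, clients=3, ns_count=4):
    """Total queries reaching the zone's NS set for `clients` ANY lookups."""
    cache = {}
    ns_addrs = ["ns%d.example" % i for i in range(ns_count)]   # constructed NS set
    return sum(resolve_any("example.", ns_addrs, policy, cache) for _ in range(clients))


if __name__ == "__main__":
    print("NOTIMP policy:", upstream_load("notimp"), "upstream queries")
    print("HINFO policy :", upstream_load("hinfo"), "upstream queries")
```

With four NS addresses and three client lookups the NOTIMP policy sends twelve queries to the zone's servers, because a NOTIMP response carries no RR and no SOA, so the resolver has nothing to cache and repeats the full walk for each client; the HINFO policy sends one, after which the TTL-bearing RRset is served from cache.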