Re: [DNSOP] CloudFlare policy on ANY records changing

Evan Hunt <each@isc.org> Wed, 11 March 2015 01:57 UTC

Date: Wed, 11 Mar 2015 01:57:10 +0000
From: Evan Hunt <each@isc.org>
To: Paul Vixie <paul@redbarn.org>
Message-ID: <20150311015710.GB10189@isc.org>
References: <35E6FB76-9751-41A4-BF6B-38A8F0BFF82E@puck.nether.net> <54F9FBB7.6080109@redbarn.org> <CAGmQtQJrpx_XG_OJTShsW5YqAeFKZwdMa16XW7iry9PR0_FT+A@mail.gmail.com> <20150310025859.8A04D2B21054@rock.dv.isc.org> <CAGmQtQJta4EXRD4pLOk=xVH0dGirHeb=edkPTMWLmKXBcBVK0Q@mail.gmail.com> <5B445B49-BA18-493A-A1EA-DC90C7C6D7AE@vpnc.org> <21759.4545.472775.866594@tale.kendall.corp.akamai.com> <F6A39307-6C8F-4FD5-8CAD-97775C5276A9@vpnc.org> <0A8D7AE0-B6FF-4B85-A42B-4EBF93A17873@verisign.com> <54FF86CB.7010705@redbarn.org>
In-Reply-To: <54FF86CB.7010705@redbarn.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/fBXV361IT4naQxodMsjMBHgxxBM>
Cc: dnsop <dnsop@ietf.org>, "Wessels, Duane" <dwessels@verisign.com>

On Wed, Mar 11, 2015 at 08:05:31AM +0800, Paul Vixie wrote:
> if we're serious about redefining ANY as a meta-query, then answering
> with RCODE=0/ANCOUNT=0 is correct. (as it would be for RD=0 queries
> against an RA=1 server.)

I'm concerned that a NOERROR/NODATA for qtype=ANY, once cached, would be
identical to the cache representation of an empty nonterminal node, and
that all subsequent queries for any other qtype would then be answered
with the cached NODATA.

> but whatever we do, any new reaction to QTYPE=ANY has to ensure that the
> client gives up, and stops asking.

I liked the sound of REFUSED because it matches *XFR semantics, but if
you're right about how resolvers will react, then it's a bad idea.

I'm running on supposition here, and we need data. I wonder aloud if
CloudFlare or some other site would be open to trying a variety of
response semantics to find out which one pinches least.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
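An added illustration of the cache-aliasing concern raised in the message above (not code from the thread, ISC, or any real resolver): a toy cache, constructed here, that stores a NOERROR/ANCOUNT=0 answer to QTYPE=ANY either the way it would store an empty non-terminal (no RRsets of any type at that name) or as a per-qtype negative entry in the RFC 2308 style. The class, function names and the name www.example. are hypothetical.

```python
# Toy resolver cache, constructed for this illustration (not BIND or any real resolver).
# It shows why a NOERROR/ANCOUNT=0 (NODATA) answer to QTYPE=ANY is hazardous if the
# cache records it the way it records an empty non-terminal (ENT): the name is then
# believed to hold no RRsets at all, and later A/AAAA/MX queries get NODATA from cache.

class ToyCache:
    def __init__(self):
        self.rrsets = {}        # (name, qtype) -> list of rdata strings
        self.ent_like = set()   # names cached as "exists, but holds no RRsets of any type"
        self.nodata = set()     # (name, qtype) pairs negatively cached, RFC 2308 style

    def store_positive(self, name, qtype, rdata):
        self.rrsets[(name, qtype)] = list(rdata)

    def store_nodata(self, name, qtype, any_means_all_types):
        """Record a NOERROR/ANCOUNT=0 answer for (name, qtype)."""
        if qtype == "ANY" and any_means_all_types:
            # "No records of ANY type" taken literally: indistinguishable from an ENT.
            self.ent_like.add(name)
        else:
            # Per-qtype negative entry: only this exact qtype is known to be absent.
            self.nodata.add((name, qtype))

    def lookup(self, name, qtype):
        if name in self.ent_like:
            return "NODATA"               # served from cache for every qtype
        if (name, qtype) in self.nodata:
            return "NODATA"
        if (name, qtype) in self.rrsets:
            return self.rrsets[(name, qtype)]
        return "MISS"                     # resolver must query upstream

def after_any_nodata(any_means_all_types):
    """Cache an ANY NODATA for a name, then ask the cache for ANY and for A."""
    cache = ToyCache()
    cache.store_nodata("www.example.", "ANY", any_means_all_types)
    return cache.lookup("www.example.", "ANY"), cache.lookup("www.example.", "A")

def shadowing(any_means_all_types):
    """A valid A RRset is already cached when an ANY NODATA arrives afterwards."""
    cache = ToyCache()
    cache.store_positive("www.example.", "A", ["192.0.2.1"])   # constructed sample
    cache.store_nodata("www.example.", "ANY", any_means_all_types)
    return cache.lookup("www.example.", "A")

if __name__ == "__main__":
    print("ENT-like:", after_any_nodata(True), shadowing(True))
    print("per-qtype:", after_any_nodata(False), shadowing(False))
```

With the ENT-like interpretation the A query never leaves the cache, and an already-cached A RRset is shadowed; with per-qtype negative caching only QTYPE=ANY is answered from the negative entry.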