IETF Logo Mail Archive

Re: [DNSOP] Delegation acceptance checks [was: Re: [Ext] WGLC rfc8499bis one week extension for lame delegation definition]

Edward Lewis <edward.lewis@icann.org> Fri, 12 May 2023 18:31 UTC

Return-Path: <edward.lewis@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4194AC15198F for <dnsop@ietfa.amsl.com>; Fri, 12 May 2023 11:31:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C1C7tXQgrbQU for <dnsop@ietfa.amsl.com>; Fri, 12 May 2023 11:31:32 -0700 (PDT)
Received: from ppa5.dc.icann.org (ppa5.dc.icann.org [192.0.46.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA9B5C15107E for <dnsop@ietf.org>; Fri, 12 May 2023 11:31:31 -0700 (PDT)
Received: from MBX112-W2-VA-1.pexch112.icann.org (out.mail.icann.org [64.78.48.207]) by ppa5.dc.icann.org (8.17.1.19/8.17.1.19) with ESMTPS id 34CIVVZ8012536 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <dnsop@ietf.org>; Fri, 12 May 2023 18:31:31 GMT
Received: from MBX112-E2-VA-1.pexch112.icann.org (10.217.41.128) by MBX112-E2-VA-2.pexch112.icann.org (10.217.41.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1118.26; Fri, 12 May 2023 14:31:29 -0400
Received: from MBX112-E2-VA-1.pexch112.icann.org ([10.217.41.128]) by MBX112-E2-VA-1.pexch112.icann.org ([10.217.41.128]) with mapi id 15.02.1118.026; Fri, 12 May 2023 14:31:29 -0400
From: Edward Lewis <edward.lewis@icann.org>
To: "dnsop@ietf.org" <dnsop@ietf.org>
Thread-Topic: [DNSOP] Delegation acceptance checks [was: Re: [Ext] WGLC rfc8499bis one week extension for lame delegation definition]
Thread-Index: AQHZfy01s9BtiUuZck2bcPsI+S6mRK9MSC8AgAFZAgCAACy8AIAAb2AAgAKcOICAAAv5AIAFIEKAgAD70wA=
Date: Fri, 12 May 2023 18:31:29 +0000
Message-ID: <5EC234F6-5CCC-4476-90E1-71E0353BC0F2@icann.org>
References: <20230508171325.0616DD2FF5B0@ary.qy> <728744CF-9FD2-4B0A-8BC2-9CD00F3A619C@isc.org>
In-Reply-To: <728744CF-9FD2-4B0A-8BC2-9CD00F3A619C@isc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.65.22091101
x-originating-ip: [192.0.47.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <7C347CABB3D1A749A18D5AA14EAC71E9@pexch112.icann.org>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22 definitions=2023-05-12_11,2023-05-05_01,2023-02-09_01
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/fkKlhAuedP648cqwCjchffyaotI>
Subject: Re: [DNSOP] Delegation acceptance checks [was: Re: [Ext] WGLC rfc8499bis one week extension for lame delegation definition]
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 May 2023 18:31:36 -0000

On 5/11/23, 7:30 PM, "DNSOP on behalf of Mark Andrews" <dnsop-bounces@ietf.org on behalf of marka@isc.org> wrote:
>
>    It’s not a challenge to track what is lame.  It’s dead simple.  You just have to look.  Getting
>    it addressed is the challenge.

Speaking from experience (which means I'm about to launch an amplification attack here: taking a short message and adding in stories from the past few decades in this area), this is very true.  Using the analogy of observing symptoms, diagnosing cause, prescribing a fix, and following through, it's easy to tell when someone coughs - but, if the cause happens to be from a personal habit, very difficult to mitigate.

In following this discussion, admitting that I have no idea what "rfc8499bis" is (not a title, not a document file name, not a link), I ought to throw in this question: "Why do broken delegations (lame, unreachable address, etc.) matter?"  So in some sense I'm committing an IETF sin.

In my experience with lameness, the problem was rather specific.  In that era, a server, given a question it could not answer would refer the querier to the root zone - perhaps as some sort of joke initially.  The trouble was that some resolvers were not in on the joke (and I bet there was no technical document specifying what an "upwards referral" signified) but it turned out to be pretty easy to fix the problematic resolvers.  (It was one major, proprietary source who, surprisingly to many in the open source fandom, actually fixed their bug.)  I'm not sure my work in quantifying the amount of lameness ever mattered as the eradication process undertaken seemed to overcome by the fix of the resolvers (nevertheless, it was pretty interesting research to conduct).

(This is the central thought of this rant:)
It's true that if a registrant misconfigures their delegation or servers, their service will suffer.  But does this have fallout for anyone other than their service users?  Other than researchers who poke into this stuff (like me)?  Does it impact the registry delegating to the registrant?

From other experience, I once dove into an incident (details I can't divulge).  One of the things I identified was the source of the queries for a particular DNSSEC-related data set.  In the top-ten queries was a "labs" machine - a research organization was "pounding" the servers for this data set to the extent they were a noticeable portion of the incoming traffic.  At times, research is not measuring traffic but becoming the traffic.

And from another experience, I once had to deal with a customer who had a zone delegated to the servers that we operated but neglected to tell us.  (The very picture of lameness, completely unrelated to my earlier lameness quantification.)  Our monitors did not know the incoming queries were headed for one of our current customer's zone as we didn't know the zone was theirs.  We thought it was simply DDoS-related traffic.  A factor here is that the operations I am talking about were not a TLD of any kind (hence the last label was not tell-tale).

And yet another experience, I've dealt with situations where a major change was being proposed but those that needed to play along had absolutely no relationship with us.  The Internet encourages people to plug in and play without being subject to remote monitoring.  At times that is very good.  At times that is very frustrating.  What I learned from that was no one can set expectations on what someone else will do on the Internet.  One can't expect protocol conformance from an entity with which you have no relationship, but you need to be prepared to deal with whatever comes (a take on "liberal accept, conservative send" - that adage attributed to Jon Postel).

It's fine to quantify situations.  It's fine to launch campaigns to improve the "health&safety" of the Internet and fine to measure the impact of the campaigns.  But you can never expect to see "success".  This is really frustrating when changes (including clarifications) are sorely needed to improve the state of operations across the global public Internet.

v2.23.0 | Report a Bug | By Email