Re: [DNSOP] I-D Action: draft-ietf-dnsop-extended-error-05.txt

Stephane Bortzmeyer <bortzmeyer@nic.fr> Sun, 24 March 2019 11:11 UTC

Date: Sun, 24 Mar 2019 12:10:41 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: dnsop@ietf.org
Message-ID: <20190324111041.GA16961@laperouse.bortzmeyer.org>
References: <155234209018.23094.12618419523865163322@ietfa.amsl.com>
In-Reply-To: <155234209018.23094.12618419523865163322@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/i6SE_Zjh8mg6JciEnslTaY4T2gE>

On Mon, Mar 11, 2019 at 03:08:10PM -0700,
 internet-drafts@ietf.org <internet-drafts@ietf.org> wrote 
 a message of 46 lines which said:

>         Title           : Extended DNS Errors
>         Authors         : Warren Kumari
>                           Evan Hunt
>                           Roy Arends
>                           Wes Hardaker
>                           David C Lawrence
> 	Filename        : draft-ietf-dnsop-extended-error-05.txt

At the IETF 104 hackathon in Prague, Vladimír Čunát and myself
implemented it in the Knot resolver
<https://www.knot-resolver.cz/>. You can see the result in the git
merge request
<https://gitlab.labs.nic.cz/knot/knot-resolver/merge_requests/794>
(branch extended_error
<https://gitlab.labs.nic.cz/knot/knot-resolver/tree/extended_error>).

> 4.1.5.  SERVFAIL Extended DNS Error Code 5 - DNSSEC Indeterminate
>   The resolver attempted to perform DNSSEC validation, but validation
>   ended in the Indeterminate state.  The R flag should not be set.

Isn't there an error here? 4.1 is the section for NOERROR. What
should be returned for DNSSEC Indeterminate? NOERROR or SERVFAIL? (In
the first case, change the text, in the second, move this paragraph to
4.2.)

Now, implementation experience. We tested with Wireshark and dig (did
not try to develop a client using the extended error code, just the server).

As expected, producing extended error codes is quite simple and the
draft is clear. The camel will be happy.

The biggest issue is of course to find out what to put in the extended
error code. On some resolvers (at least on Knot), the place where the
error is noticed can be quite far from the place where the answer is
built, with its EDNS options. In practice, we had to add data to the
request object, for the extended error information to be carried to
the module that emits the extended error code EDNS option. So, the
real difficulty is not in the draft, but in knowing and understanding
your resolver.

Some details:

* no resolver will use all the response-code/info-codes because some
are never reached for this resolver, or are mixed with other
issues. Generic errors (such as "SERVFAIL Extended DNS Error Code 1 -
DNSSEC Bogus") are useful for when you cannot reliably find the problem.

* the draft is silent about the laying out of bits in info-code. Not
many IETF protocols have an integer field which is larger than a byte
but not byte-aligned.

* the draft has a passing mention that multiple extended error options
are allowed but I don't see how it could be used by the poor client
trying to figure out what happened. I suggest to disallow it.

* the draft has (rightly so) two info-codes for NXDOMAIN/Blocked and
NXDOMAIN/Censored but Knot cannot use them currently since the policy
module (written in Lua) has no way today to be configured to express
the difference. Not a problem in the draft but it will probably be a
common case that the resolver cannot make use of *all* codes.

Let's end with a few examples:

4.2.2.  SERVFAIL Extended DNS Error Code 2 - Signature Expired

% dig  @::1 -p 9053 A servfail.nl         
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12100
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; OPT=65500: 00 00 20 02 44 4e 53 53 45 43 20 65 78 70 69 72 65 64 20 73 69 67 6e 61 74 75 72 65 73 (".. .DNSSEC expired signatures")
...


4.2.7.  SERVFAIL Extended DNS Error Code 7 - No Reachable Authority

% dig  @::1 -p 9053 A brk.internautique.fr
...
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38620
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; OPT=65500: 80 00 20 07 6e 6f 20 4e 53 20 77 69 74 68 20 61 6e 20 61 64 64 72 65 73 73 (".. .no NS with an address")
...

(Not an ideal message but this is quite generic code in Knot.)


4.5.1.  NXDOMAIN Extended DNS Error Code 1 - Blocked

% dig  @::1 -p 9053 A googleanalytics.com 
...
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1189
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; OPT=65500: 80 00 30 01 4e 6f 20 74 72 61 63 6b 69 6e 67 ("..0.No tracking")
;; QUESTION SECTION:
;googleanalytics.com.	IN A

;; AUTHORITY SECTION:
googleanalytics.com.	10800 IN SOA googleanalytics.com. nobody.invalid. (
				1          ; serial
				3600       ; refresh (1 hour)
				1200       ; retry (20 minutes)
				604800     ; expire (1 week)
				10800      ; minimum (3 hours)
				)

;; ADDITIONAL SECTION:
explanation.invalid.	10800 IN TXT "No tracking"
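Decoding the OPT=65500 payloads shown above, as an added example that is not part of the original message or of the Knot implementation. It assumes the draft-05 layout the hex dumps exhibit (a 16-bit flags word with R as the top bit, a 4-bit RESPONSE-CODE, a 12-bit INFO-CODE, then UTF-8 EXTRA-TEXT), which is not the layout later standardised in RFC 8914 (16-bit INFO-CODE, no RESPONSE-CODE):

```python
# Added example: decoder and encoder for the EDE option payload as laid out
# in draft-ietf-dnsop-extended-error-05 and seen in the dig dumps above.
# Layout assumed from those dumps (RFC 8914 later changed it):
#   16 bits : flags, R (retry) is the most significant bit, rest reserved
#    4 bits : RESPONSE-CODE (2 SERVFAIL, 3 NXDOMAIN, ...)
#   12 bits : INFO-CODE, not byte-aligned (hence the bit-layout remark)
#   rest    : EXTRA-TEXT, UTF-8
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_ede_option(payload: bytes) -> dict:
    """Decode one option payload (the bytes after OPTION-CODE/OPTION-LENGTH)."""
    if len(payload) < 4:
        raise ValueError("EDE option needs at least 4 bytes")
    flags, code_word = struct.unpack("!HH", payload[:4])
    response_code = code_word >> 12          # top 4 bits
    info_code = code_word & 0x0FFF           # low 12 bits
    # EXTRA-TEXT is free-form UTF-8; fail loudly on bad encodings.
    extra_text = payload[4:].decode("utf-8", errors="strict")
    return {
        "retry": bool(flags & 0x8000),
        "reserved": flags & 0x7FFF,
        "response_code": response_code,
        "rcode_name": RCODE_NAMES.get(response_code, f"RCODE{response_code}"),
        "info_code": info_code,
        "extra_text": extra_text,
    }

def build_ede_option(response_code: int, info_code: int, extra_text: str = "",
                     retry: bool = False) -> bytes:
    """Inverse of parse_ede_option; enforces the 4-bit and 12-bit field widths."""
    if not (0 <= response_code < 16 and 0 <= info_code < 4096):
        raise ValueError("RESPONSE-CODE is 4 bits, INFO-CODE is 12 bits")
    flags = 0x8000 if retry else 0
    return struct.pack("!HH", flags, (response_code << 12) | info_code) + extra_text.encode("utf-8")

def parse_dig_opt_hex(hexdump: str) -> dict:
    """Decode the hex part of a dig '; OPT=65500: ...' line (spaces are ignored)."""
    return parse_ede_option(bytes.fromhex(hexdump))

# The three payloads copied from the dig output in the message above.
SAMPLES = {
    "servfail.nl": "00 00 20 02 44 4e 53 53 45 43 20 65 78 70 69 72 65 64 20 73 69 67 6e 61 74 75 72 65 73",
    "brk.internautique.fr": "80 00 20 07 6e 6f 20 4e 53 20 77 69 74 68 20 61 6e 20 61 64 64 72 65 73 73",
    "googleanalytics.com": "80 00 30 01 4e 6f 20 74 72 61 63 6b 69 6e 67",
}
```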