Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 25 August 2016 04:35 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C7E612D099 for <dnsop@ietfa.amsl.com>; Wed, 24 Aug 2016 21:35:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I2nafywopHFY for <dnsop@ietfa.amsl.com>; Wed, 24 Aug 2016 21:35:54 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E87CE12B017 for <dnsop@ietf.org>; Wed, 24 Aug 2016 21:35:53 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 3154A284F26; Thu, 25 Aug 2016 04:35:52 +0000 (UTC)
Date: Thu, 25 Aug 2016 04:35:52 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop <dnsop@ietf.org>
Message-ID: <20160825043551.GP4670@mournblade.imrryr.org>
References: <BC3FCB73-3ECA-4374-8AD5-845A452B6835@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <BC3FCB73-3ECA-4374-8AD5-845A452B6835@icann.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kIVs2sM3m9jjbMaOs9TH-PDj8_k>
Subject: Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dnsop@ietf.org
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 04:35:55 -0000
On Thu, Aug 18, 2016 at 02:34:54PM +0000, Edward Lewis wrote: > ##1. Introduction > ## > ## The DNS [RFC1034], [RFC1035] is a query / response protocol. Failure > ## to respond to queries or to respond incorrectly causes both immediate > ## operational problems and long term problems with protocol > ## development. > > While the latter is true, operationally the DNS is not strictly query - > response. It's more like "query - if I want to respond". I was > "enlightened" during a project 10-15 years ago when I realized that some > DNS implementations choose silence when deciding how to respond. Of course nobody can compell a server to respond, and dropping some queries may be unavoidable/necessary when under attack. That said, routine silence is substantially sub-optimal. Especially (as is typical) when said silence is the result of misguided "security features" in middleboxes. When a nameserver consistently fails to respond: * Queries will needlessly be sent to the remaining nameservers, increasing the traffic load. * For lack of a cached negative reply, queries will also be sent much more frequently. * DNS clients will experience significant latency retrying the query. * Security-aware applications may deduce a possible downgrade attack and defer or fail data transmission. Similar considerations apply when inappropriate RCODEs are used in replies for unsupported RRTYPEs that don't appear in the zone, and thus a NODATA or NXDOMAIN would be the right response. Compare: $ time dig +noall +ans +auth +comment +qu +cmd +nocl +nottl -t tlsa _25._tcp.pilot.jhuapl.edu ; <<>> DiG 9.10.3-P4 <<>> +noall +ans +auth +comment +qu +cmd +nocl +nottl -t tlsa _25._tcp.pilot.jhuapl.edu ;; global options: +cmd ;; connection timed out; no servers could be reached real 0m15.081s with: $ time dig +noall +ans +auth +comment +qu +cmd +nocl +nottl -t aaaa _25._tcp.pilot.jhuapl.edu ; <<>> DiG 9.10.3-P4 <<>> +noall +ans +auth +comment +qu +cmd +nocl +nottl -t aaaa _25._tcp.pilot.jhuapl.edu ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40442 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;_25._tcp.pilot.jhuapl.edu. IN AAAA ;; AUTHORITY SECTION: jhuapl.edu. SOA infoblox-prod-gm.jhuapl.edu. nic-contact.jhuapl.edu. 13899920 10800 1080 2592000 600 real 0m0.120s Which would you say is the correct nameserver behaviour? Given: $ dig +short -t mx jhuapl.edu | sort -n 40 pilot.jhuapl.edu. 40 piper.jhuapl.edu. and that the same behaviour is observed for the TLSA records of both MX hosts, the jhuapl.edu domain is a blackhole for email via DANE-enabled sending MTAs. > ## Some servers fail to respond to ... > > This doesn't establish a need to react to the situation. "Some" might be > one operator's code, etc. While the situation is improving, non-response is still a real issue, with some domains having all non-responsive nameservers, and others having a subset of non-responsive nameservers. -- Viktor.
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Tim Wicinski
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Mark Andrews
- [DNSOP] draft-ietf-dnsop-no-response-issue-03 Edward Lewis
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Stephane Bortzmeyer
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Viktor Dukhovni
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Mark Andrews
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 william manning
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Tony Finch
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 william manning
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Tony Finch
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Marek VavruĊĦa
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Stephane Bortzmeyer
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Mark Andrews
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Edward Lewis
- Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03 Mark Andrews