IETF Logo Mail Archive

Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 25 August 2016 04:35 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C7E612D099 for <dnsop@ietfa.amsl.com>; Wed, 24 Aug 2016 21:35:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I2nafywopHFY for <dnsop@ietfa.amsl.com>; Wed, 24 Aug 2016 21:35:54 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E87CE12B017 for <dnsop@ietf.org>; Wed, 24 Aug 2016 21:35:53 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 3154A284F26; Thu, 25 Aug 2016 04:35:52 +0000 (UTC)
Date: Thu, 25 Aug 2016 04:35:52 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop <dnsop@ietf.org>
Message-ID: <20160825043551.GP4670@mournblade.imrryr.org>
References: <BC3FCB73-3ECA-4374-8AD5-845A452B6835@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <BC3FCB73-3ECA-4374-8AD5-845A452B6835@icann.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/kIVs2sM3m9jjbMaOs9TH-PDj8_k>
Subject: Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: dnsop@ietf.org
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2016 04:35:55 -0000

On Thu, Aug 18, 2016 at 02:34:54PM +0000, Edward Lewis wrote:

> ##1.  Introduction
> ##
> ##   The DNS [RFC1034], [RFC1035] is a query / response protocol.  Failure
> ##   to respond to queries or to respond incorrectly causes both immediate
> ##   operational problems and long term problems with protocol
> ##   development.
> 
> While the latter is true, operationally the DNS is not strictly query -
> response.  It's more like "query - if I want to respond".  I was
> "enlightened" during a project 10-15 years ago when I realized that some
> DNS implementations choose silence when deciding how to respond.

Of course nobody can compell a server to respond, and dropping some
queries may be unavoidable/necessary when under attack.  That said,
routine silence is substantially sub-optimal.  Especially (as is
typical) when said silence is the result of misguided "security
features" in middleboxes.

When a nameserver consistently fails to respond:

    * Queries will needlessly be sent to the remaining nameservers,
      increasing the traffic load.
    * For lack of a cached negative reply, queries will also be sent
      much more frequently.
    * DNS clients will experience significant latency retrying the
      query.
    * Security-aware applications may deduce a possible downgrade
      attack and defer or fail data transmission.

Similar considerations apply when inappropriate RCODEs are used in
replies for unsupported RRTYPEs that don't appear in the zone, and
thus a NODATA or NXDOMAIN would be the right response.  Compare:

    $ time dig +noall +ans +auth +comment +qu +cmd +nocl +nottl -t tlsa _25._tcp.pilot.jhuapl.edu
    ; <<>> DiG 9.10.3-P4 <<>> +noall +ans +auth +comment +qu +cmd +nocl +nottl -t tlsa _25._tcp.pilot.jhuapl.edu
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    real    0m15.081s

with:

    $ time dig +noall +ans +auth +comment +qu +cmd +nocl +nottl -t aaaa _25._tcp.pilot.jhuapl.edu

    ; <<>> DiG 9.10.3-P4 <<>> +noall +ans +auth +comment +qu +cmd +nocl +nottl -t aaaa _25._tcp.pilot.jhuapl.edu
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40442
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;_25._tcp.pilot.jhuapl.edu. IN AAAA

    ;; AUTHORITY SECTION:
    jhuapl.edu.             SOA     infoblox-prod-gm.jhuapl.edu. nic-contact.jhuapl.edu. 13899920 10800 1080 2592000 600

    real    0m0.120s

Which would you say is the correct nameserver behaviour?
Given:

    $ dig +short -t mx jhuapl.edu | sort -n
    40 pilot.jhuapl.edu.
    40 piper.jhuapl.edu.

and that the same behaviour is observed for the TLSA records of
both MX hosts, the jhuapl.edu domain is a blackhole for email via
DANE-enabled sending MTAs.

> ##   Some servers fail to respond to ...
> 
> This doesn't establish a need to react to the situation.  "Some" might be
> one operator's code, etc.

While the situation is improving, non-response is still a real
issue, with some domains having all non-responsive nameservers,
and others having a subset of non-responsive nameservers.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email