Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
Paul Wouters <paul@nohats.ca> Tue, 05 March 2019 17:07 UTC
Date: Tue, 05 Mar 2019 12:06:58 -0500
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <3E7AF476-0989-4FA8-8186-F5AAFC87317A@icann.org>
Message-ID: <alpine.LRH.2.21.1903051202360.1124@bofh.nohats.ca>
References: <155094804613.28045.8648150477440044197@ietfa.amsl.com> <CA+9_gVscCzr0S8A0Z23q0V1B+BZeLtDoZRSKyEJDPZ3P=KT-tw@mail.gmail.com> <CAL9jLaYo5JH6vf+djEn0O=YGhLV2AkytMg_eKQmWn=Pma5yBFQ@mail.gmail.com> <4253851.Zqd2zPpPcC@linux-9daj> <92355508-D5AC-46DC-8FF5-C1C4155601D8@isc.org> <alpine.LRH.2.21.1903042240330.32161@bofh.nohats.ca> <23678.40176.492174.37630@gro.dd.org> <3E7AF476-0989-4FA8-8186-F5AAFC87317A@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lxCB9b4IIio2wBImeGVaP3rOJfw>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
On Tue, 5 Mar 2019, Paul Hoffman wrote:

> On Mar 5, 2019, at 7:59 AM, Dave Lawrence <tale@dd.org> wrote:
>>
>> Paul Wouters writes:
>>> In the non-DDOS case, the auth server is reachable and none of the data
>>> is getting additional TTL added:
>>>
>>> Answers from authoritative servers that have a DNS Response Code of
>>> either 0 (NOERROR) or 3 (NXDOMAIN) MUST be considered to have
>>> refreshed the data at the resolver. In particular, this means that
>>> this method is not meant to protect against operator error at the
>>> authoritative server that turns a name that is intended to be valid
>>> into one that is non-existent, because there is no way for a resolver
>>> to know intent.
>>>
>>> Although perhaps it should also explicitly state this regarding
>>> ServFail ?
>>
>> I personally have a very strong opposition to including servfail.
>> Servfail is an extremely clear indication that the authority that was
>> contacted is having some sort of structural problem. It is a very
>> distinct condition from being told by the authority that the name does
>> or does not exist.
>
> I agree with David on this. This has been clear since RFC 1035.

I am a bit confused here. The goal of the draft is to keep data past the
TTL in case you cannot reach the authoritative servers during a DDOS
attack. If you reach the authoritative server, and it gives ServFail,
you did reach the server. You might have "structural problems" but not in
the way of a denial of service attack. Unless you are saying DNS
implementations that are overloaded return ServFail instead of dropping
the packets?

Misconfiguring your authoritative server by removing the zone is not
meant to be covered by this draft if I understood it correctly. If it
is, then the introduction will need to add text to cover that use case.

Paul
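The serve-stale behaviour the message argues about, as a constructed Python model added here (it is not the draft's text, the author's code, or any resolver's implementation): the cache applies the quoted rule that a NOERROR or NXDOMAIN answer refreshes the entry, serves stale data only when the authoritative server does not answer at all, and leaves the SERVFAIL case as a policy flag because the thread has not settled whether it should count as "server reached" or as "upstream failure". The name, address, TTL and stale limit are made up, and `query_auth` is a hypothetical stand-in for the upstream lookup.

```python
"""Toy serve-stale cache (added example; not code from the draft or any resolver)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3
TIMEOUT = None  # constructed sentinel: no response at all (auth unreachable)


@dataclass
class Entry:
    rcode: int            # rcode of the answer that was cached
    rdata: Optional[str]  # constructed: one string stands in for the RRset
    expires: float        # absolute time at which the TTL runs out


class StaleCache:
    def __init__(self, max_stale: float, stale_on_servfail: bool,
                 now: Callable[[], float] = time.time):
        self.max_stale = max_stale                  # seconds past TTL we may serve
        self.stale_on_servfail = stale_on_servfail  # the disputed policy choice
        self.now = now
        self.cache: Dict[str, Entry] = {}

    def resolve(self, name: str, query_auth: Callable[[str], Optional[Tuple]]) -> Tuple:
        """Return (rcode, rdata, served_stale) for name.

        query_auth(name) is a hypothetical upstream lookup returning
        (rcode, rdata, ttl), or TIMEOUT when the authoritative server does not reply.
        """
        now = self.now()
        entry = self.cache.get(name)
        if entry and now < entry.expires:
            return entry.rcode, entry.rdata, False       # fresh cache hit

        reply = query_auth(name)
        if reply is not TIMEOUT:
            rcode, rdata, ttl = reply
            if rcode in (NOERROR, NXDOMAIN):
                # Quoted draft rule: these rcodes refresh the data, even when
                # that replaces a good answer with NXDOMAIN (operator error).
                self.cache[name] = Entry(rcode, rdata, now + ttl)
                return rcode, rdata, False
            if rcode == SERVFAIL and not self.stale_on_servfail:
                return SERVFAIL, None, False              # server reached; pass it on

        # No reply at all, or SERVFAIL under the permissive policy: try the stale copy.
        if entry and now < entry.expires + self.max_stale:
            return entry.rcode, entry.rdata, True         # serve stale
        return SERVFAIL, None, False                      # nothing usable left


def run_scenario(stale_on_servfail: bool) -> List[Tuple]:
    """Drive the cache through the situations discussed in the thread."""
    clock = [1000.0]                                  # constructed, controllable clock
    cache = StaleCache(max_stale=3600, stale_on_servfail=stale_on_servfail,
                       now=lambda: clock[0])
    name = "www.example."                             # constructed name

    def auth_ok(n):       return (NOERROR, "192.0.2.1", 300)  # normal answer
    def auth_timeout(n):  return TIMEOUT                       # unreachable (DDoS case)
    def auth_servfail(n): return (SERVFAIL, None, 0)           # reached, but broken
    def auth_removed(n):  return (NXDOMAIN, None, 300)         # operator deleted the name

    out = []
    out.append(cache.resolve(name, auth_ok))          # 1: fresh answer, cached until t=1300
    clock[0] = 1400.0                                 # TTL has expired
    out.append(cache.resolve(name, auth_timeout))     # 2: unreachable -> stale copy served
    out.append(cache.resolve(name, auth_servfail))    # 3: outcome depends on the policy flag
    out.append(cache.resolve(name, auth_removed))     # 4: NXDOMAIN refreshes; no protection
    clock[0] = 1400.0 + 300 + 3600 + 1                # past both TTL and max_stale
    out.append(cache.resolve(name, auth_timeout))     # 5: nothing left to serve
    return out


if __name__ == "__main__":
    for policy in (False, True):
        print("stale_on_servfail =", policy)
        for step, result in enumerate(run_scenario(policy), 1):
            print(" ", step, result)
```

Step 3 is the whole disagreement in one line: with `stale_on_servfail=False` the resolver relays the SERVFAIL it was given, with `True` it hands out the expired address instead. Step 4 shows why the quoted draft text says NXDOMAIN is not protected against: the stale copy is overwritten the moment the authoritative server answers.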