Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt

Paul Wouters <paul@nohats.ca> Tue, 05 March 2019 17:07 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDFD513106E for <dnsop@ietfa.amsl.com>; Tue, 5 Mar 2019 09:07:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zl_GrdfOwrls for <dnsop@ietfa.amsl.com>; Tue, 5 Mar 2019 09:07:05 -0800 (PST)
Received: from mx.nohats.ca (mx.nohats.ca [193.110.157.68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F6BC13104B for <dnsop@ietf.org>; Tue, 5 Mar 2019 09:07:05 -0800 (PST)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 44DNbp21k2zDts for <dnsop@ietf.org>; Tue, 5 Mar 2019 18:07:02 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1551805622; bh=FhwiPhey12wLMyDdIWGJSdP6M6t+hU3PyGBfjfklMB4=; h=Date:From:To:Subject:In-Reply-To:References; b=pGjEKJwvDrWMEFPCjAGRPvxjM0e6TKFWBLqJe7TekI7Jv8R0ruvEGXD7d4IGY07rT x8W0Ck/6jlwmSidiN6dOGKY3xjv4uY16xCGoO36XzAUydUMNs7smQZV5Toz16KUvQd 1cAuhSGCXNslcYe02XiEgyMEUxH4coG0Ak6X3bYE=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id RU7MPFfAqzeS for <dnsop@ietf.org>; Tue, 5 Mar 2019 18:07:00 +0100 (CET)
Received: from bofh.nohats.ca (bofh.nohats.ca [76.10.157.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS for <dnsop@ietf.org>; Tue, 5 Mar 2019 18:06:59 +0100 (CET)
Received: by bofh.nohats.ca (Postfix, from userid 1000) id CC6D439A5BC; Tue, 5 Mar 2019 12:06:58 -0500 (EST)
DKIM-Filter: OpenDKIM Filter v2.11.0 bofh.nohats.ca CC6D439A5BC
Received: from localhost (localhost [127.0.0.1]) by bofh.nohats.ca (Postfix) with ESMTP id C49B44116024 for <dnsop@ietf.org>; Tue, 5 Mar 2019 12:06:58 -0500 (EST)
Date: Tue, 05 Mar 2019 12:06:58 -0500
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <3E7AF476-0989-4FA8-8186-F5AAFC87317A@icann.org>
Message-ID: <alpine.LRH.2.21.1903051202360.1124@bofh.nohats.ca>
References: <155094804613.28045.8648150477440044197@ietfa.amsl.com> <CA+9_gVscCzr0S8A0Z23q0V1B+BZeLtDoZRSKyEJDPZ3P=KT-tw@mail.gmail.com> <CAL9jLaYo5JH6vf+djEn0O=YGhLV2AkytMg_eKQmWn=Pma5yBFQ@mail.gmail.com> <4253851.Zqd2zPpPcC@linux-9daj> <92355508-D5AC-46DC-8FF5-C1C4155601D8@isc.org> <alpine.LRH.2.21.1903042240330.32161@bofh.nohats.ca> <23678.40176.492174.37630@gro.dd.org> <3E7AF476-0989-4FA8-8186-F5AAFC87317A@icann.org>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lxCB9b4IIio2wBImeGVaP3rOJfw>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2019 17:07:08 -0000

On Tue, 5 Mar 2019, Paul Hoffman wrote:

> On Mar 5, 2019, at 7:59 AM, Dave Lawrence <tale@dd.org> wrote:
>>
>> Paul Wouters writes:
>>> In the non-DDOS case, the auth server is reachable and none of the data
>>> is getting additional TTL added:
>>>
>>>    Answers from authoritative servers that have a DNS Response Code of
>>>    either 0 (NOERROR) or 3 (NXDOMAIN) MUST be considered to have
>>>    refreshed the data at the resolver.  In particular, this means that
>>>    this method is not meant to protect against operator error at the
>>>    authoritative server that turns a name that is intended to be valid
>>>    into one that is non-existent, because there is no way for a resolver
>>>    to know intent.
>>>
>>> Although perhaps it should also explicitly state this regarding
>>> ServFail ?
>>
>> I personally have a very strong opposition to including servfail.
>> Servfail is an extremely clear indication that the authority that was
>> contacted is having some sort of structural problem.  It is a very
>> distinct condition from being told by the authority that the name does
>> or does not exist.
>
> I agree with David on this. This has been clear since RFC 1035.

I am a bit confused here. The goal of the draft is to keep data past the
TTL in case you cannot reach the authoritative servers during a DDOS
attack.

If you reach the authoritative server, and it gives ServFail, you did
reach the server. You might have "structural problems" but not in the
way of a denial of service attack. Unless you are saying DNS
implementations that are overloaded return ServFail instead of dropping
the packets?

Misconfiguring your authoritative server by removing the zone is not
meant to be covered by this draft if I understood it correctly. If it
is, then the introduction will need to add text to cover that use case.

Paul
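The cache behaviour the thread is arguing about, as an added illustration that is not part of the thread and not any real resolver's code: a toy serve-stale cache that applies the quoted draft rule (NOERROR and NXDOMAIN from the authoritative server refresh the cached data, so an NXDOMAIN caused by operator error replaces the old answer) and treats an unreachable authoritative server as the case in which stale data may be served. Because the messages above disagree on whether SERVFAIL should count as a refresh, that is a policy switch here rather than a fixed choice. The class and function names, the `servfail_refreshes` switch, the one-day default stale window and the sample names and addresses are all assumptions for the example.

```python
"""Toy serve-stale resolver cache (illustrative; not code from any resolver).

Rule modelled from the draft text quoted in the thread: an authoritative
answer with rcode NOERROR (0) or NXDOMAIN (3) refreshes the cached data.
A timeout (the DDoS case) may be answered from stale data. SERVFAIL is the
open question, so it is controlled by `servfail_refreshes` (assumed knob).
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

class Rcode(Enum):
    NOERROR = 0
    SERVFAIL = 2
    NXDOMAIN = 3

# Upstream answer: (rcode, rdata, ttl in seconds). None models "no reply at
# all" (packets dropped), which is the situation serve-stale is meant for.
Answer = Optional[Tuple[Rcode, Tuple[str, ...], int]]

@dataclass
class Entry:
    rdata: Tuple[str, ...]     # empty tuple for a negative (NXDOMAIN) entry
    negative: bool
    expires_at: float          # end of the authoritative TTL
    stale_until: float         # end of the window in which stale data may be served

@dataclass
class Result:
    source: str                # fresh | refreshed | nxdomain | stale | servfail | unreachable
    rdata: Tuple[str, ...]

class StaleCache:
    def __init__(self, max_stale: float = 24 * 3600, servfail_refreshes: bool = False):
        self.max_stale = max_stale                  # assumed window, not a draft value
        self.servfail_refreshes = servfail_refreshes
        self._entries: Dict[str, Entry] = {}

    def _store(self, name: str, rdata: Tuple[str, ...], negative: bool, ttl: int, now: float) -> None:
        self._entries[name] = Entry(rdata, negative, now + ttl, now + ttl + self.max_stale)

    def lookup(self, name: str, now: float, upstream: Callable[[str], Answer]) -> Result:
        entry = self._entries.get(name)
        # Within the TTL: answer from cache, never contact the authority.
        if entry is not None and now < entry.expires_at:
            return Result("nxdomain" if entry.negative else "fresh", entry.rdata)

        answer = upstream(name)
        if answer is not None:
            rcode, rdata, ttl = answer
            if rcode in (Rcode.NOERROR, Rcode.NXDOMAIN):
                # Draft rule: both rcodes refresh the data. An NXDOMAIN replaces
                # whatever was cached, so operator error is not protected against.
                negative = rcode is Rcode.NXDOMAIN
                self._store(name, () if negative else rdata, negative, ttl, now)
                return Result("nxdomain" if negative else "refreshed", self._entries[name].rdata)
            if rcode is Rcode.SERVFAIL and self.servfail_refreshes:
                # Alternative policy: SERVFAIL counts as having reached the
                # authority, so the stale data is discarded.
                self._entries.pop(name, None)
                return Result("servfail", ())
            # Default policy: SERVFAIL is handled like not reaching the server.

        # No usable answer: serve stale data if still inside the stale window.
        if entry is not None and now < entry.stale_until:
            return Result("stale", entry.rdata)
        self._entries.pop(name, None)
        return Result("unreachable", ())

if __name__ == "__main__":
    cache = StaleCache(max_stale=3600)
    cache.lookup("www.example.", 0, lambda n: (Rcode.NOERROR, ("192.0.2.1",), 60))
    print(cache.lookup("www.example.", 100, lambda n: None))          # stale data served
    print(cache.lookup("www.example.", 100, lambda n: (Rcode.NXDOMAIN, (), 300)))  # data replaced
```

Running the module shows the two cases the draft text distinguishes: after the TTL has passed, a timeout yields the old address as stale, while an NXDOMAIN from the authority wipes it immediately. Flipping `servfail_refreshes` shows what the thread's two positions would mean for a SERVFAIL answer in the same state.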