Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt

"libor.peltan" <libor.peltan@nic.cz> Wed, 20 October 2021 13:15 UTC

To: dnsop@ietf.org
References: <161953482575.7668.10479553059119648994@ietfa.amsl.com>
From: "libor.peltan" <libor.peltan@nic.cz>
Message-ID: <f9f4dcfc-3bc4-3859-7aab-568c3f5d0a29@nic.cz>
Date: Wed, 20 Oct 2021 15:14:40 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/mL_F-JIRfg_XcUJF1epTBAByt9o>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-00.txt

Hi all,

although for me, as an implementer of an auth server, it's not too 
important, I'd like to ask for clarification regarding the foreseen 
reporting domain(s) setup in the (usual) case of many secondary auth 
servers.

The draft says: "Each authoritative server SHOULD be configured with a 
unique reporting agent domain."

I see two possible error situations:

1) the zone itself is wrongly signed, so all secondaries share the same 
error
2) some of the secondaries respond wrongly from correctly signed zone, 
so the error is slave-specific

IMHO case (2) is far less common. And case (1) doesn't require a 
per-secondary reporting domain, just a per-zone one.

Is it really recommended (in capitals) that the zone operator prepares an 
extra reporting domain for each secondary around the world (it can be 
hundreds)?

If so, it can cause a disclosure of which secondary the answer is 
coming from; I don't know whether some zone operators might want to conceal this.

Thanks!

Libor

On 27. 04. 21 at 16:47, internet-drafts@ietf.org wrote:
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Domain Name System Operations WG of the IETF.
>
>          Title           : DNS Error Reporting
>          Authors         : Roy Arends
>                            Matt Larson
>          Filename        : draft-ietf-dnsop-dns-error-reporting-00.txt
>          Pages           : 12
>          Date            : 2021-04-27
>
> Abstract:
>     DNS Error Reporting is a lightweight error reporting mechanism that
>     provides the operator of an authoritative server with reports on DNS
>     resource records that fail to resolve or validate, that a Domain
>     Owner or DNS Hosting organization can use to improve domain hosting.
>     The reports are based on Extended DNS Errors [RFC8914].
>
>     When a domain name fails to resolve or validate due to a
>     misconfiguration or an attack, the operator of the authoritative
>     server may be unaware of this.  To mitigate this lack of feedback,
>     this document describes a method for a validating recursive resolver
>     to automatically signal an error to an agent specified by the
>     authoritative server.  DNS Error Reporting uses the DNS to report
>     errors.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-dnsop-dns-error-reporting-00
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting-00
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
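The two error situations distinguished in the message above (a zone that is wrongly signed everywhere, versus one secondary serving bad data from a correctly signed zone) are exactly what a per-secondary reporting agent domain lets the receiving agent tell apart, and what a single per-zone agent domain cannot. The following is an added example, not code from the draft, from its authors, or from any DNS implementation. It assumes hypothetical agent and secondary names, a constructed set of already-parsed reports (agent domain the report arrived at, zone, failing name, EDE info-code as defined in RFC 8914), and does not reproduce the draft's report query-name format; only the triage logic is shown.

```python
"""Triage of DNS error reports by the reporting agent domain they arrived at.

Added example (not the draft's or any server's code). Names, the report tuple
layout and the sample reports are all constructed for illustration.
"""
from collections import defaultdict

# Constructed: one zone served by three secondaries (hypothetical names).
SECONDARIES_OF_ZONE = {
    "example.com.": {"ns1.example.net.", "ns2.example.net.", "ns3.example.net."},
}

# Constructed: each secondary configured with its own reporting agent domain,
# as the draft's "SHOULD be configured with a unique reporting agent domain" implies.
AGENT_TO_SECONDARY = {
    "ns1-er.example.net.": "ns1.example.net.",
    "ns2-er.example.net.": "ns2.example.net.",
    "ns3-er.example.net.": "ns3.example.net.",
}

# Constructed sample reports, already decoded from the reporting queries:
# (agent domain, zone, failing qname, EDE info-code). RFC 8914 codes used:
# 10 = RRSIGs Missing (signing problem in the zone itself),
# 6  = DNSSEC Bogus   (here: one secondary answering with bad data).
REPORTS = [
    ("ns1-er.example.net.", "example.com.", "www.example.com.", 10),
    ("ns2-er.example.net.", "example.com.", "www.example.com.", 10),
    ("ns3-er.example.net.", "example.com.", "www.example.com.", 10),
    ("ns2-er.example.net.", "example.com.", "mail.example.com.", 6),
    ("ns2-er.example.net.", "example.com.", "mail.example.com.", 6),  # second resolver, same fault
    ("unknown-er.example.org.", "example.com.", "www.example.com.", 10),  # not our agent: dropped
]


def triage(reports, agent_to_secondary, secondaries_of_zone):
    """Classify each (zone, qname, ede) as zone-wide (case 1) or secondary-specific (case 2).

    Returns {(zone, qname, ede): (kind, sorted list of secondaries that were reported)}.
    Reports for agent domains we do not operate are ignored: anyone can send a query
    to an agent, so unknown agent names carry no information about our secondaries.
    """
    reported_by = defaultdict(set)
    for agent, zone, qname, ede in reports:
        secondary = agent_to_secondary.get(agent)
        if secondary is None:
            continue
        reported_by[(zone, qname, ede)].add(secondary)

    result = {}
    for key, secondaries in reported_by.items():
        zone = key[0]
        kind = "zone-wide" if secondaries == secondaries_of_zone[zone] else "secondary-specific"
        result[key] = (kind, sorted(secondaries))
    return result


def triage_per_zone_agent(reports):
    """What the same reports look like with a single per-zone agent domain.

    The agent field no longer identifies a secondary, so only counts per
    (zone, qname, ede) survive; case 1 and case 2 become indistinguishable,
    which is also why per-secondary agents disclose which secondary answered.
    """
    counts = defaultdict(int)
    for _agent, zone, qname, ede in reports:
        counts[(zone, qname, ede)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, (kind, secs) in triage(REPORTS, AGENT_TO_SECONDARY, SECONDARIES_OF_ZONE).items():
        print(f"{key}: {kind} via {', '.join(secs)}")
    print("per-zone agent view:", triage_per_zone_agent(REPORTS))
```

With per-secondary agent domains the `www.example.com.` RRSIGs-missing reports arrive via all three secondaries and are classified zone-wide (fix the signing), while the `mail.example.com.` bogus reports arrive only via ns2 and point at that one secondary; the per-zone view keeps only counts. The same mapping that enables the triage is what a reporting resolver, or anyone watching the reporting queries, can use to learn which secondary served the answer.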