Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-08.txt
Petr Špaček <petr.spacek@nic.cz> Tue, 07 March 2017 17:40 UTC
Return-Path: <petr.spacek@nic.cz>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5453F1295BF for <dnsop@ietfa.amsl.com>; Tue, 7 Mar 2017 09:40:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Level:
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cTzoAMO3i_r8 for <dnsop@ietfa.amsl.com>; Tue, 7 Mar 2017 09:40:51 -0800 (PST)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AF4612959B for <dnsop@ietf.org>; Tue, 7 Mar 2017 09:40:51 -0800 (PST)
Received: from [10.102.55.177] (cz10.datarail.eu [77.93.192.43]) by mail.nic.cz (Postfix) with ESMTPSA id 3D13260CAB; Tue, 7 Mar 2017 18:40:48 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1488908449; bh=xznfla/RN2ZwYRcWvnPaD7wcDC+tkVguhqH4Mkstm4Y=; h=From:To:Date; b=Pm99v9Fwm+ZToyq/MU7f5vVKLHNElTi6t75qX97oKuUA9Imz5JXObh6xXvaAJWXUg S5lfcV9KK+fJuKGTfLzsgnmSRe2C3RzBAiWb/5p4d64m+LnncJ7oCphMw4/dZ+W4Fd lMW8Q9Kayzn9JvcTTK9DFvXqDUmxymLZnyGs7Xck=
From: Petr Špaček <petr.spacek@nic.cz>
To: dnsop@ietf.org
References: <148853300022.10133.1786841727275160096.idtracker@ietfa.amsl.com> <20170303095706.ABA6465D917E@rock.dv.isc.org>
Organization: CZ.NIC
Message-ID: <04ef4b96-a363-2b34-ba4f-ef6efcba9429@nic.cz>
Date: Tue, 07 Mar 2017 18:40:47 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <20170303095706.ABA6465D917E@rock.dv.isc.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/n4U9osEGgVcR_mYL8gt1tSAsOFE>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-08.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 17:40:53 -0000
Hello, version 08 is the first one I reviewed so this should be viewed as first-time-reader's point of view. Let me express my support for this work before we dive into deficiencies of version 08: I support moving this forward because I believe that this document has potential to serve as an excellent checklist for diligent DNS implementors and important reference usable by users to bash . To serve this purpose, it first needs to be extensively rewritten to improve readability and structure of the document. Besides other things, the text needs clarification what parts are applicable to resolvers and what is specific for authoritative servers. If I had to guess, section 3.1.5. Recursive Queries suggests that this is about authoritative servers but term "non-recursive server" is not defined in DNS Terminology [RFC7719]. Further, the text in section 3 is missing regular structure and thus is hard to follow. I think that many Ondrej's suggestions from 20 September 2016 are very good and would improve the draft *a lot*. Please see: https://mailarchive.ietf.org/arch/msg/dnsop/bpE9T0olLrtQqvdt7qsbMFFRXvY Some of these suggestions overlap with suggestions in https://mailarchive.ietf.org/arch/msg/dnsop/z5OqfuJIgwssxsqCqDOFnazIgME and I agree with them as well. Please incorporate this feedback, it will IMHO improve the document *a lot*. I will add couple more suggestions to what was said already: Section 6. Whole Answer Caches deserves an additional note that this section is a warning for DNS implementers. The name got me thinking what software is an implementation of "Whole Answer Cache" before I realized that it is (I guess) just note about one possible trap while implementing DNS . My attempt to find whether this was discussed already returned e-mail: https://mailarchive.ietf.org/arch/msg/dnsop/_uO-eIImbFysAD_-UcDFbdh4zlw Apparently I'm not the only one who got confused by current text. Please clarify the text. Proposal: Some of mentioned problems may be caused by DNS implementations caching whole answers, just updating the query id field and possibly the qname to match the incoming query to avoid constructing each response individually. This is not a good idea because whole answer caches can return ... [the original text from paragraph 2 on continues here] Section 7. Response Code Selection confused me when I encountered following paragraph: Unimplemented type codes, Name Error (NXDOMAIN) and NOERROR (no data) are the expected response codes. A server is not supposed to serve a zone which contains unsupported types ([RFC1034]) so the only thing left is return if the QNAME exists or not. NOTIMP and REFUSED are not useful responses as they force the clients to try the other authoritative servers for a zone looking for a server which will answer the query. It took me a while to find out that *previous* paragraph starts with "For unimplemented opcodes". Judging from this I guess that the paragraph in question should start with "For unimplemented type codes". Or even better, "for unimplemented query type codes". Still, following sentence seems torn out of context: "A server is not supposed to serve a zone which contains unsupported types ([RFC1034])" What part of RFC 1034 is referenced in here? I'm clearly missing something and it seems that I'm not the only one: https://mailarchive.ietf.org/arch/msg/dnsop/UmTnGzmjijKY4mGuwfuxor6WvoY Judging from repeated confusion, this part of text needs clarification. Nits Typo: Requests with unknown EDNS options is expected client behaviour and should not be construed as an attack. The correct behaviour for unknown EDNS options is to ignore *there* presence when constructing a reply. Subsection 8.3. When EDNS Is Not Supported would be more logically placed as very first or very last sub-subsection of 8.2. Testing - Extended DNS. I hope we can get the document into a good shape and publish it as BCP. Let me know if there is a repo with source code, I would be happy to contribute changes so we can move this forward. -- Petr Špaček @ CZ.NIC
- [DNSOP] I-D Action: draft-ietf-dnsop-no-response-… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-respo… Mark Andrews
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-respo… Petr Špaček
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-respo… Stephane Bortzmeyer