Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-08.txt

Petr Špaček <> Tue, 07 March 2017 17:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5453F1295BF for <>; Tue, 7 Mar 2017 09:40:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -7
X-Spam-Status: No, score=-7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id cTzoAMO3i_r8 for <>; Tue, 7 Mar 2017 09:40:51 -0800 (PST)
Received: from ( [IPv6:2001:1488:800:400::400]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2AF4612959B for <>; Tue, 7 Mar 2017 09:40:51 -0800 (PST)
Received: from [] ( []) by (Postfix) with ESMTPSA id 3D13260CAB; Tue, 7 Mar 2017 18:40:48 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; s=default; t=1488908449; bh=xznfla/RN2ZwYRcWvnPaD7wcDC+tkVguhqH4Mkstm4Y=; h=From:To:Date; b=Pm99v9Fwm+ZToyq/MU7f5vVKLHNElTi6t75qX97oKuUA9Imz5JXObh6xXvaAJWXUg S5lfcV9KK+fJuKGTfLzsgnmSRe2C3RzBAiWb/5p4d64m+LnncJ7oCphMw4/dZ+W4Fd lMW8Q9Kayzn9JvcTTK9DFvXqDUmxymLZnyGs7Xck=
From: Petr Špaček <>
References: <> <>
Organization: CZ.NIC
Message-ID: <>
Date: Tue, 07 Mar 2017 18:40:47 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.99.2 at mail
X-Virus-Status: Clean
Archived-At: <>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-08.txt
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 07 Mar 2017 17:40:53 -0000


version 08 is the first one I reviewed so this should be viewed as
first-time-reader's point of view.

Let me express my support for this work before we dive into deficiencies
of version 08:
I support moving this forward because I believe that this document has
potential to serve as an excellent checklist for diligent DNS
implementors and important reference usable by users to bash .

To serve this purpose, it first needs to be extensively rewritten to
improve readability and structure of the document.

Besides other things, the text needs clarification what parts are
applicable to resolvers and what is specific for authoritative servers.
If I had to guess, section 3.1.5.  Recursive Queries suggests that this
is about authoritative servers but term "non-recursive server" is not
defined in DNS Terminology [RFC7719].

Further, the text in section 3 is missing regular structure and thus is
hard to follow. I think that many Ondrej's suggestions from 20 September
2016 are very good and would improve the draft *a lot*. Please see:

Some of these suggestions overlap with suggestions in
and I agree with them as well. Please incorporate this feedback, it will
IMHO improve the document *a lot*.

I will add couple more suggestions to what was said already:

Section 6.  Whole Answer Caches deserves an additional note that this
section is a warning for DNS implementers. The name got me thinking what
software is an implementation of "Whole Answer Cache" before I realized
that it is (I guess) just note about one possible trap while
implementing DNS .

My attempt to find whether this was discussed already returned e-mail:
Apparently I'm not the only one who got confused by current text. Please
clarify the text. Proposal:
   Some of mentioned problems may be caused by DNS implementations
   caching whole answers, just updating the query id field and possibly
   the qname to match the incoming query to avoid constructing each
   response individually.

   This is not a good idea because whole answer caches can return ...
[the original text from paragraph 2 on continues here]

Section 7.  Response Code Selection confused me when I encountered
following paragraph:
   Unimplemented type codes, Name Error (NXDOMAIN) and NOERROR (no data)
   are the expected response codes.  A server is not supposed to serve a
   zone which contains unsupported types ([RFC1034]) so the only thing
   left is return if the QNAME exists or not.  NOTIMP and REFUSED are
   not useful responses as they force the clients to try the other
   authoritative servers for a zone looking for a server which will
   answer the query.
It took me a while to find out that *previous* paragraph starts with
"For unimplemented opcodes". Judging from this I guess that the
paragraph in question should start with "For unimplemented type codes".
Or even better, "for unimplemented query type codes".

Still, following sentence seems torn out of context:
  "A server is not supposed to serve a
   zone which contains unsupported types ([RFC1034])"
What part of RFC 1034 is referenced in here? I'm clearly missing
something and it seems that I'm not the only one:
Judging from repeated confusion, this part of text needs clarification.


  Requests with unknown EDNS options is expected client behaviour and
  should not be construed as an attack.  The correct behaviour for
  unknown EDNS options is to ignore *there* presence when constructing a

Subsection 8.3.  When EDNS Is Not Supported would be more logically
placed as very first or very last sub-subsection of 8.2.  Testing -
Extended DNS.

I hope we can get the document into a good shape and publish it as BCP.
Let me know if there is a repo with source code, I would be happy to
contribute changes so we can move this forward.

Petr Špaček  @  CZ.NIC