Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-14.txt
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 06 November 2019 02:03 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F705120274 for <dnsop@ietfa.amsl.com>; Tue, 5 Nov 2019 18:03:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_vB7Gn2PA73 for <dnsop@ietfa.amsl.com>; Tue, 5 Nov 2019 18:03:30 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93845120154 for <dnsop@ietf.org>; Tue, 5 Nov 2019 18:03:29 -0800 (PST)
Received: from [10.200.2.180] (sdzac10-108-1-nat.nje.twosigma.com [8.2.105.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id DB8F831BCEB for <dnsop@ietf.org>; Tue, 5 Nov 2019 21:03:28 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <157289952539.13851.12121504796430856747@ietfa.amsl.com>
Date: Tue, 05 Nov 2019 21:03:28 -0500
Content-Transfer-Encoding: quoted-printable
Reply-To: dnsop@ietf.org
Message-Id: <3CDFA5D6-79A5-4156-AEEF-967FDCC94E47@dukhovni.org>
References: <157289952539.13851.12121504796430856747@ietfa.amsl.com>
To: dnsop@ietf.org
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/oPOD9p3xKeEko0v0Mc85ygKfJ4Q>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-response-issue-14.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Nov 2019 02:03:33 -0000
> On Nov 4, 2019, at 3:32 PM, internet-drafts@ietf.org wrote: > > https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-no-response-issue-14 Two comments: ----------- Section 3.1.2 discusses non-response to unexpected qtypes, but there is a closely related case that I think warrants a mention. For example, the nameservers for mail.protection.outlook.com (which don't support EDNS, returning FORMERR, hence "+noends") mishandle TLSA and other unexpected queries: i. A TLSA (unexpected qtype) query elicits an incorrect "NOTIMP" response: $ dig +norecur +noedns -t tlsa _25._tcp.mail.protection.outlook.com @ns1-proddns.glbdns.o365filtering.com. ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 5167 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;_25._tcp.mail.protection.outlook.com. IN TLSA ii. An "A" query for the same qname correctly returns "NXDOMAIN": $ dig +norecur +noedns -t a _25._tcp.mail.protection.outlook.com @ns1-proddns.glbdns.o365filtering.com. ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23790 ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;_25._tcp.mail.protection.outlook.com. IN A This demonstrates misuse of "NOTIMP" to signal an unknown qtype, where a simple NODATA or NXDOMAIN suffices. The NOTIMP rcode is only appropriate for unsupported opcodes as explained in section 3.1.4. While I got a response, it is a "bad" response, not substantively better than no response at all. So I'd like to see text that makes it clear that unexpected qtypes MUST return the same RCODE as would be returned if the qtype were some expected value, for which no RRset is present in the zone at the requested qname. If the zone is signed, and the EDNS "DO" bit is set in the request, any (untruncated) NODATA or NXDOMAIN response MUST of course include the requisite denial of existence proof. ----------- In section 8.2.3, the correction from: OLD: Any unassigned EDNS option code could have be choose for this test. to NEW: Any unassigned EDNS option code could have been choose for this test. was incomplete, it needed to also s/choose/chosen/, to match an identical sentence in 8.2.6. -- Viktor.
- [DNSOP] I-D Action: draft-ietf-dnsop-no-response-… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-respo… Viktor Dukhovni
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-respo… Mark Andrews
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-respo… Matthew Pounsett
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-respo… Ray Bellis
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-no-respo… Matthew Pounsett