Re: [DNSOP] Éric Vyncke's No Objection on draft-ietf-dnsop-no-response-issue-20: (with COMMENT)

Ray Bellis <ray@isc.org> Wed, 08 April 2020 14:39 UTC

To: Éric Vyncke <evyncke@cisco.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-dnsop-no-response-issue@ietf.org, dnsop-chairs@ietf.org, dnsop@ietf.org, Tim Wicinski <tjw.ietf@gmail.com>
References: <158635541503.17090.16242357885883562267@ietfa.amsl.com>
From: Ray Bellis <ray@isc.org>
Message-ID: <74e64dbc-d819-1a95-f77b-4cd099f4baf2@isc.org>
Date: Wed, 08 Apr 2020 15:39:02 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pnOCi7LKjQ7mRv6jB09OY-JQiuc>


On 08/04/2020 15:16, Éric Vyncke via Datatracker wrote:

> 
> Also, if the firewall is "protecting" the DNS server (cough cough), then as a
> security officer I would prefer to block all unknown opcodes/types at the
> firewall (possibly with a reply).
> 

See §4.

"with a reply" is fine, so long as that reply is consistent with what
the real server behind the firewall would have answered (including any
DNSSEC records asserting the non-existence of those types).

Dropping the queries on the floor with no reply is precisely what the
document seeks to prohibit, though.  It can cause an otherwise
functional server to be tagged by clients as non-responsive.

Ray
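As an added example (not part of this thread or of the draft itself), a small Python checker in the spirit of the tests the draft describes: it sends a query for an unassigned RR type and one with an unassigned opcode to a server you operate and classifies the outcome as dropped (the behaviour the document prohibits), consistent with what a real server would answer (NOERROR/NXDOMAIN for the unknown type, NOTIMP for the unknown opcode), or inconsistent. The function names, the probe values and the synthetic replies used for offline testing are my own assumptions; DNSSEC proof checking is out of scope here.

```python
import socket
import struct

OPCODE_QUERY, OPCODE_UNKNOWN = 0, 15   # opcode 15 is currently unassigned (assumed probe value)
QTYPE_UNKNOWN = 65534                  # private-use RR type that no zone defines (assumed probe value)
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_probe(name, qtype, opcode=OPCODE_QUERY, msg_id=0x1234):
    """Minimal RFC 1035 query (no EDNS): header, one IN question, RD set."""
    flags = ((opcode & 0xF) << 11) | 0x0100
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify(probe, reply):
    """Verdict on a reply to `probe`; reply=None means the UDP wait timed out."""
    if reply is None:
        return "DROPPED"                # silent drop: the failure mode the draft prohibits
    if len(reply) < 12 or reply[:2] != probe[:2]:
        return "MALFORMED"              # wrong length or message ID not echoed
    qflags, = struct.unpack("!H", probe[2:4])
    rflags, = struct.unpack("!H", reply[2:4])
    if not rflags & 0x8000 or (rflags >> 11) & 0xF != (qflags >> 11) & 0xF:
        return "MALFORMED"              # QR bit not set or opcode not echoed back
    rcode = rflags & 0xF
    # a real server answers an unknown opcode with NOTIMP, an unknown type with NODATA/NXDOMAIN
    expected = (4,) if (qflags >> 11) & 0xF != OPCODE_QUERY else (0, 3)
    if rcode in expected:
        return "OK"
    return "INCONSISTENT " + RCODE_NAMES.get(rcode, "RCODE%d" % rcode)

def constructed_reply(probe, rcode):
    """Constructed reply for offline testing: the probe echoed back with QR|RA set and the given rcode."""
    rflags = (struct.unpack("!H", probe[2:4])[0] | 0x8080) & ~0xF | (rcode & 0xF)
    return probe[:2] + struct.pack("!H", rflags) + probe[4:]

def probe_server(server, name, qtype, opcode=OPCODE_QUERY, timeout=3.0):
    """Send one probe over UDP to port 53 and classify what (if anything) comes back."""
    probe = build_probe(name, qtype, opcode)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(probe, (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(probe, reply)

if __name__ == "__main__":
    import sys
    server, name = sys.argv[1], sys.argv[2]   # an authoritative server and a name in a zone you operate
    print("unknown type  :", probe_server(server, name, QTYPE_UNKNOWN))
    print("unknown opcode:", probe_server(server, name, 1, OPCODE_UNKNOWN))
```

Run it against a server behind the firewall in question and again against the server directly; any "DROPPED" or "INCONSISTENT" verdict that appears only through the firewall is the middlebox, not the name server.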