[DNSOP] Two Resurrected WG I-Ds: Don't Switch Resolvers & Auth DNS Mistakes

"Livingood, Jason" <Jason_Livingood@comcast.com> Wed, 20 February 2019 14:54 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pneLQUuZZlgIQ2bJhfEuSmmPaE0>

A few years ago I had somehow succeeded in getting WG adoption of 2 documents that addressed some pet peeves I had as a recursive DNS operator. Things got busy and my attention wandered elsewhere and I did not advance them. Since these issues continue to haunt RDNS operators, I have decided to update these documents. The first says that DNSSEC errors (and other auth RR issues) are the operational responsibility of and must be solved by auth DNS admins. The second says that people should not change to non-validating resolvers when a DNSSEC failure occurs. Both are likely obvious to us in the WG, but not so much to anyone else. ;-)

Just a week or so ago, Windows Update started to fail seemingly due to a bad delegation to a CDN from Microsoft and the TTL on the bad RR was long-ish (details are scant). So reporters and even Microsoft support started suggesting that people change their DNS resolvers. Only later did people figure out the problem was on Microsoft’s auth DNS end (see https://www.zdnet.com/article/windows-update-problems-fixed-now-but-heres-what-went-wrong-says-microsoft/ and 1st story at https://www.zdnet.com/article/windows-10-updates-are-broken-again-but-this-time-its-not-microsofts-fault/). And we also see the issue of “DNSSEC validation failed, so switch to a non-validator” on a regular basis.

So I just submitted these again / updated them. I have asked the WG chairs to let me know how they’d like me to proceed with them, but haven’t yet heard back. In the meantime, I’m happy to continue to once again take input and comment from the WG.
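The check behind both drafts, as an added example that is not part of the message above or of either I-D: ask the same validating resolver twice, once normally and once with the Checking Disabled (CD) bit set. If the +cd lookup returns NOERROR while the normal one returns SERVFAIL, the records are reachable but fail DNSSEC validation, which places the fault (and the fix) with the auth zone operator. Switching to a non-validating resolver "fixes" exactly this case by handing back the data that failed to validate. The dig header lines below are constructed samples, and the resolver address and function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the DNSOP post or the drafts it announces).
# Distinguish "auth zone's DNSSEC is broken" from other failures by comparing
# a normal lookup with a Checking-Disabled (+cd) lookup at the SAME resolver.

# Pull the status word (NOERROR, SERVFAIL, NXDOMAIN, ...) out of dig output.
# dig prints a line such as:
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify NORMAL_STATUS CD_STATUS -> one-word diagnosis
classify() {
    normal="$1"
    cd="$2"
    case "$normal/$cd" in
        NOERROR/NOERROR)   echo "ok" ;;
        # Data is there, but the resolver refuses it: DNSSEC chain is broken
        # at the auth side (bad DS/DNSKEY, expired RRSIG, missing NSEC, ...).
        SERVFAIL/NOERROR)  echo "auth-dnssec-broken" ;;
        # Even with validation bypassed nothing comes back: auth servers
        # unreachable, lame delegation, or a resolver-side fault.
        SERVFAIL/SERVFAIL) echo "auth-unreachable-or-resolver-fault" ;;
        NXDOMAIN/*)        echo "name-does-not-exist" ;;
        *)                 echo "inconclusive" ;;
    esac
}

# Live use (needs network and a validating resolver; 9.9.9.9 is an assumed
# default, not something the post recommends):  diagnose example.com
diagnose() {
    name="$1"
    resolver="${2:-9.9.9.9}"
    normal_out=$(dig @"$resolver" "$name" A +dnssec)
    cd_out=$(dig @"$resolver" "$name" A +dnssec +cd)
    classify "$(dig_status "$normal_out")" "$(dig_status "$cd_out")"
}

# Constructed sample dig headers (not real captures) so this runs offline.
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'

# With these samples the verdict is "auth-dnssec-broken": report it to the
# zone owner rather than pointing users at a non-validating resolver.
classify "$(dig_status "$SAMPLE_NORMAL")" "$(dig_status "$SAMPLE_CD")"
```

A caveat for the "long-ish TTL" situation in the post: once a resolver has cached the bad RRset, a +cd query keeps returning it until the TTL expires or the resolver's cache for that name is flushed, so the auth-side fix does not become visible to every resolver at the same moment.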