Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

Jared Mauch <jared@puck.nether.net> Mon, 09 March 2015 15:29 UTC

From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <alpine.LSU.2.00.1503091438050.23307@hermes-1.csi.cam.ac.uk>
Date: Mon, 09 Mar 2015 11:23:29 -0400
Message-Id: <C1E660E6-CA88-4B7B-9567-5AC010F48304@puck.nether.net>
References: <20150309110803.4516.qmail@cr.yp.to> <alpine.LSU.2.00.1503091438050.23307@hermes-1.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/qLcem6_5EEubOkg4h8OAJKGDuuw>
Cc: dnsop@ietf.org, "D. J. Bernstein" <djb@cr.yp.to>, dns-operations@dns-oarc.net

> On Mar 9, 2015, at 10:54 AM, Tony Finch <dot@dotat.at> wrote:
> 
> D. J. Bernstein <djb@cr.yp.to> wrote:
> 
>> My "qmail" software is very widely deployed (on roughly 1 million SMTP
>> server IP addresses) and, by default, relies upon ANY queries in a way
>> that is guaranteed to work by the mandatory DNS standards.
> 
> There are three bugs in the way qmail uses ANY queries.
> 
> (1) qmail uses ANY queries for domain canonicalization on outgoing
> messages, as specified by RFC 1123. But canonicalization is not required
> by the current SMTP specification. It is a waste of time. Fixing this bug
> would make bug (3) moot.
> 
> (2) qmail's DNS response buffer is too small to accommodate a complete DNS
> message, so it fails if it gets a large response. It uses the low-level
> libc resolver API which can easily handle large responses, including
> fallback to TCP, so it is a pity that qmail breaks this part of the
> resolver's functionality. This bug means it is not guaranteed to work.
> 
> (3) Using an ANY query suppresses alias processing, so qmail makes a
> series of queries to follow CNAME chains. This is inefficient and
> wasteful. If you make an A or MX query, the DNS server will chase the
> CNAME chain for you, so you only need to make one query to get the
> canonical name.

Even ignoring whether qmail is “broken” (I would rather classify it as “could do
better”), deprecating the ANY qtype is going to have some significant side
effects for users troubleshooting DNS problems.

I’m very sensitive to the abuse of ANY queries, but this is something for which
I feel sufficient controls already exist to mitigate the issues, namely using
TC=1 to direct well-behaving clients to receive a valid response.

dnsop-any-notimp violates the principle of least surprise in technology by
returning NOTIMP where Paul Vixie suggested NOERROR/ANCOUNT=0 would be more
appropriate with the existing definitions.

Much of this is triggered by bad coding practices and bad networking examples
that are littered around codebases, e.g.: gethostbyname() vs getnameinfo() and
by broken behaviors by nscd and other OS/LIBC implementations that also violate
the principle of least surprise.

- Jared
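The three client-side situations argued over in this thread, as an added example that is not code from the thread, from qmail, or from the dnsop-any-notimp draft: a server that sets TC=1 when an ANY answer does not fit the UDP payload size (assumed here to be the classic 512 bytes, i.e. no EDNS), a client that decides what to do with a TC=1, NOTIMP, or NOERROR/ANCOUNT=0 response, and the CNAME-chasing difference between an A query and an ANY query that Tony describes as bug (3). All names and messages are constructed for the example; the wire encoder deliberately emits no name compression so the parser can stay small.

```python
import struct

QTYPE_A, QTYPE_CNAME, QTYPE_TXT, QTYPE_ANY = 1, 5, 16, 255
RCODE_NOERROR, RCODE_NOTIMP = 0, 4
FLAG_QR, FLAG_TC = 0x8000, 0x0200          # header flag bits (RFC 1035 4.1.1)


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]; off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        if n & 0xC0:   # compression pointer: never produced by build_response, so reject
            raise ValueError("compression pointers not supported in this example")
        labels.append(msg[off:off + n].decode("ascii")); off += n


def build_response(qname, qtype, answers, rcode=RCODE_NOERROR, tc=False, msg_id=0x1234):
    """Build a response: header, one question, then (owner, type, rdata) answer RRs."""
    flags = FLAG_QR | (FLAG_TC if tc else 0) | rcode
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


def udp_reply(full_msg, max_udp=512):
    """Server side: if the full answer exceeds the UDP limit, return header+question
    with TC=1 so a well-behaved client retries the same query over TCP."""
    if len(full_msg) <= max_udp:
        return full_msg
    msg_id, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", full_msg[:12])
    _, off = decode_name(full_msg, 12)
    return struct.pack("!HHHHHH", msg_id, flags | FLAG_TC, qd, 0, 0, 0) + full_msg[12:off + 4]


def parse_response(msg):
    """Return TC flag, RCODE and decoded answer RRs; CNAME rdata is decoded to a name."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off); off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == QTYPE_CNAME:
            rdata = decode_name(rdata, 0)[0]
        answers.append((owner, rtype, rdata))
    return {"tc": bool(flags & FLAG_TC), "rcode": flags & 0xF, "answers": answers}


def next_step(msg):
    """Client side: what a resolver library should do with an ANY response."""
    r = parse_response(msg)
    if r["tc"]:
        return "retry-over-tcp"                 # TC=1: the answer exists, fetch it over TCP
    if r["rcode"] == RCODE_NOTIMP:
        return "notimp-query-specific-types"    # draft behaviour: ANY itself was refused
    if r["rcode"] == RCODE_NOERROR and not r["answers"]:
        return "empty-answer"                   # NOERROR/ANCOUNT=0: nothing at this name
    return "use-answer"


def canonical_name(answers, qname):
    """Follow CNAMEs present in the answer section; report whether an A RR for the
    final name was also included (bounded so a CNAME loop cannot spin forever)."""
    name = qname
    for _ in range(8):
        target = next((rd for o, t, rd in answers if o == name and t == QTYPE_CNAME), None)
        if target is None:
            break
        name = target
    return name, any(o == name and t == QTYPE_A for o, t, _ in answers)


# Constructed messages for the scenarios above (not captured traffic).
BIG_ANY = build_response("big.example.", QTYPE_ANY,
                         [("big.example.", QTYPE_TXT, b"\xff" + b"x" * 255)] * 3)  # 866 bytes
NOTIMP_REPLY = build_response("big.example.", QTYPE_ANY, [], rcode=RCODE_NOTIMP)
EMPTY_REPLY = build_response("big.example.", QTYPE_ANY, [])
A_REPLY = build_response("alias.example.", QTYPE_A,
                         [("alias.example.", QTYPE_CNAME, encode_name("www.example.")),
                          ("www.example.", QTYPE_A, bytes([192, 0, 2, 1]))])
ANY_REPLY = build_response("alias.example.", QTYPE_ANY,
                           [("alias.example.", QTYPE_CNAME, encode_name("www.example."))])

if __name__ == "__main__":
    print(next_step(udp_reply(BIG_ANY)), next_step(NOTIMP_REPLY), next_step(EMPTY_REPLY))
    print(canonical_name(parse_response(A_REPLY)["answers"], "alias.example."))
    print(canonical_name(parse_response(ANY_REPLY)["answers"], "alias.example."))
```

The last two lines of the script show the point of bug (3): the A query's answer section already carries both the CNAME and the A at the target, so one query yields the canonical name and an address, while the ANY answer stops at the CNAME and the client has to issue a second query for www.example. The `udp_reply` path shows the TC=1 control Jared refers to; a client with a fixed buffer smaller than the real reply, as in bug (2), would never reach that retry even though the library underneath it supports TCP fallback.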