IETF Logo Mail Archive

Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error

神明達哉 <jinmei@wide.ad.jp> Sat, 29 July 2017 01:09 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85F2D1321FA for <dnsop@ietfa.amsl.com>; Fri, 28 Jul 2017 18:09:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2M09WHmXX_K for <dnsop@ietfa.amsl.com>; Fri, 28 Jul 2017 18:09:34 -0700 (PDT)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A235C132001 for <dnsop@ietf.org>; Fri, 28 Jul 2017 18:09:34 -0700 (PDT)
Received: by mail-qk0-x22a.google.com with SMTP id u139so65344581qka.1 for <dnsop@ietf.org>; Fri, 28 Jul 2017 18:09:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=tkDULE+EniOstxO0ZXOVw3oNzUpQUF1mSv3nzswughA=; b=o0MvKo2Wm3r3U9pds604f8CgbWQ9KiG5WGecTGvLgzmST3LEuZrYjPBmHehz7cVoH7 gY3+OkDsUZ68hMhL/AFc35aYXhp/y/vXwp0c5hHuVDxNiL0KM+OAhbbgQ65RVJoBo36r INlBk2rS3EVLOb7sJIw1Prtj3Uximrgw5KWhyVmSLlz5IAmLLV6mlu8IfsKozfbtgXOp Fzml9rcCGVDZotpLCAS08ostHTtZFzqsFIp8iNXNreYf1dGiXnMnRgS9ruHfzARVFON4 XRrvZbJSIY8ToYq0UC44JrMHwLetNw9zsfYqbAMv6BBJjO2dYwbAQ4l0nbfkfoZJM06M 21JA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=tkDULE+EniOstxO0ZXOVw3oNzUpQUF1mSv3nzswughA=; b=N3kPHkxGRJqMAwcbjrRcWjVw8xt2489jOa17vxhYQdd0l9tFnQt8nZLjmzZjFPgCpk rhUz1PN1Be3qnPaZSNApR2hCBnqiiNDZDX9yEMj6aMdTxkqyVLd7+TUg/wedk4aWOA2F gj/U7wp0ZUx7LJSNB0WnNKl9N8kXxiK/ud9sMEAK1Nqr2kxOw6I4lr3wHHI3pMYgBzIm v6FBvH26ycd1kJRl2ZDmUDpVC/pigBi54oxlNbIRQA04Z0FjI7HSQbTsjPWlC5+ZfTm+ RXm6aD8RusTQ9w8haAP88a7vXBuO2kiPC6HirP/+Od4YA9TrlMg2nNvCYbid1W2SOL9H 5wqg==
X-Gm-Message-State: AIVw110Gd+b9Tqg0IpjPxlunDotBdbnI9hs6c3xMOinesP69UP8axBAv cTOLeixc6lmagBlK/gU5nklzdNNd1Q==
X-Received: by 10.55.19.152 with SMTP id 24mr12090836qkt.78.1501290573487; Fri, 28 Jul 2017 18:09:33 -0700 (PDT)
MIME-Version: 1.0
Sender: jinmei.tatuya@gmail.com
Received: by 10.237.60.60 with HTTP; Fri, 28 Jul 2017 18:09:32 -0700 (PDT)
In-Reply-To: <CADyWQ+Ffu8JOn6co184PC-Uvv4G1qYU3d0ZchupRJEDDmfYKaw@mail.gmail.com>
References: <CADyWQ+Ffu8JOn6co184PC-Uvv4G1qYU3d0ZchupRJEDDmfYKaw@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
Date: Fri, 28 Jul 2017 18:09:32 -0700
X-Google-Sender-Auth: GS5yzvcKjfrm0acozj2aoktSiOw
Message-ID: <CAJE_bqf7R7ZW5ixcZdOcaHDso+C5QbtGbz+Z1mOs+p9_C2_cAg@mail.gmail.com>
To: tjw ietf <tjw.ietf@gmail.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qagUGZth6Dk5RKvPXmkiDk5e3bw>
Subject: Re: [DNSOP] Call for Adoption: draft-wkumari-dnsop-extended-error
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jul 2017 01:09:36 -0000

At Tue, 25 Jul 2017 12:04:04 -0400,
tjw ietf <tjw.ietf@gmail.com> wrote:

> This starts a Call for Adoption for draft-wkumari-dnsop-extended-error
>
> The draft is available here:
> https://tools.ietf.org/html/draft-wkumari-dnsop-extended-error-02
>
> Please review this draft to see if you think it is suitable for adoption by
> DNSOP, and comments to the list, clearly stating your view.

I support the adoption of the draft, if only to provide a way of
signalling more helpful DNSSEC-related errors than a plain SERVFAIL.
I may or may not support the specific proposal for that goal in the
end, though (I simply don't know at this moment).

I've reviewed draft-wkumari-dnsop-extended-error-02 and am willing to
review followup versions.

My comments on 02:

- I wonder what if a forwarding recursive server receives a response
  containing an extended error (especially from an upstream validating
  resolver sending an error regarding DNSSEC validation).  Is it
  expected to forward it back to the downstream client?

- Can more than one extended error code be included in a single
  message?

- One possible idea of another extended error code: one that indicates
  a type-ANY query is responded with just one type of RRset when there
  can be more.  Technically it may not be considered to be an "error",
  but at least it indicates some special condition, so I think it's
  worth discussing.  (This may also be related to question 1 of
  Section 6).

- Section 1

Editorial

- Section 1

   When a
   stub resolver queries a DNSSEC bogus name (using a validating
   resolver), the stub resolver receives only a SERVFAIL in response.
   [...]

  If this is a major motivation of this proposal, it may not be very
  effective depending on how modern the stub resolver is.  I suspect
  many existing stub resolver implementations still don't even include
  EDNS(0) in their queries (at least by default).  It doesn't
  necessarily mean this proposal is completely useless, but we may
  have to note it won't be as effective until and unless the majority
  of stub resolvers become more modern.

- Section 2

   o  FLAGS, 2 octets.

  We might just define the R bit and keep the remaining 15 bits
  "reserved", unless we know we'll definitely use these as "flags".

Editorial nits:

- Section 1

   - e.g the answer was marked REFUSED because of a lame delegation, or
   because there is a lame delegation or because the nameserver is still

  "or because there is a lame delegation" is redundant and should be
  removed?

- Section 7

   and do don't get any of the protections which DNSSEC should provide.

  s/do don't/don't/

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email