Re: [DNSOP] opportunistic semi-authoritative caching (Re: DNSOP Call for Adoption - draft-tale-dnsop-serve-stale)

Evan Hunt <each@isc.org> Sat, 09 September 2017 02:49 UTC

Date: Sat, 09 Sep 2017 02:49:18 +0000
From: Evan Hunt <each@isc.org>
To: Paul Vixie <paul@redbarn.org>
Cc: dnsop@ietf.org, Joe Abley <jabley@hopcount.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/qigpkIlYXgIGWNujQc4JOUXhico>

On Fri, Sep 08, 2017 at 06:43:52PM -0700, Paul Vixie wrote:
> not so fast. nxdomain redirection is an attack. censorship is an attack. 
> i don't think you mean to group ttl stretching in with those attacks. 
> because if you do, then we agree, it is an attack, and ought not be 
> done, and certainly ought not be standardized in any form.

They're both lies, and TTL stretching is a lie, and in principle I
believe the DNS should not lie, but filter-aaaa and dns64 and RPZ all
had good and worthy reasons, and nxdomain redirection had bad reasons
with dollar signs next to them, and here we are.

Just as with RPZ, it seems reasonable to publish guidance on how to
do the kind-of-bad thing in the least bad way.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.