Re: [DNSOP] DNSOP Call for Adoption - draft-tale-dnsop-serve-stale

Tony Finch <> Fri, 08 September 2017 14:16 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E2A0313291C for <>; Fri, 8 Sep 2017 07:16:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id U_PvTwtAh163 for <>; Fri, 8 Sep 2017 07:16:54 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B4083132153 for <>; Fri, 8 Sep 2017 07:16:54 -0700 (PDT)
X-Cam-AntiVirus: no malware found
Received: from ([]:41566) by ( []:25) with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) id 1dqK5U-00006o-0d (Exim 4.89) (return-path <>); Fri, 08 Sep 2017 15:16:52 +0100
Date: Fri, 08 Sep 2017 15:16:52 +0100
From: Tony Finch <>
To: Stephane Bortzmeyer <>
cc: tjw ietf <>, dnsop <>
In-Reply-To: <>
Message-ID: <>
References: <> <>
User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Archived-At: <>
Subject: Re: [DNSOP] DNSOP Call for Adoption - draft-tale-dnsop-serve-stale
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Sep 2017 14:16:57 -0000

Stephane Bortzmeyer <> wrote:
> I'm not enthousiastic. We should focus on making the DNS infrastructure
> more reliable, not on adding something to a pile of already fragile
> protocols.

I like this draft because it should help if we lose off-campus
connectivity. We've had a few incidents in recent years such as flooded
comms rooms and DDoS attacks on our providers. Those problems have been
addressed at the network layer, but if we have another outage for whatever
reason I would like our recursive servers to be able to handle it more

We have set things up so it should be possible to resolve on-site names in
our own domains when there is an outage - but not if the client does
DNSSEC validation. It isn't possible to distribute trust anchors to BYOD
clients with validating stubs, so the only way to keep going through an
outage is to retain the DS/DNSKEY chain in the cache.

It's also mildly annoying that loss of connectivity often looks like a DNS
problem, since client software never gets as far as trying to connect off
site. I would selfishly prefer it if our users would blame the network
rather than the DNS :-)

f.anthony.n.finch  <>  -  I xn--zr8h punycode
Shannon: Northwest 5 to 7, occasionally gale 8 later. Rough or very rough.
Showers. Good.