Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?
Richard Gibson <richard.j.gibson@oracle.com> Wed, 10 April 2019 20:42 UTC
Return-Path: <richard.j.gibson@oracle.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F13441203F2 for <dnsop@ietfa.amsl.com>; Wed, 10 Apr 2019 13:42:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sGkdAqV7Tp05 for <dnsop@ietfa.amsl.com>; Wed, 10 Apr 2019 13:42:51 -0700 (PDT)
Received: from userp2130.oracle.com (userp2130.oracle.com [156.151.31.86]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 090C4120676 for <dnsop@ietf.org>; Wed, 10 Apr 2019 13:42:49 -0700 (PDT)
Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3AKYDCo025157; Wed, 10 Apr 2019 20:42:49 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type; s=corp-2018-07-02; bh=JlD4Jtn9ijZQKYGpuiJEy7HXob0hjjri4duKH+rfF4o=; b=fYPWTT0Nsd8XG1knGF1hAkVGR3ldJp7xVYut0bi0NcopHaH+yLbBnKhWwJmarJpNY4hR uEKs6HVUlyTgKqv4qVEp5hE9Wtd42OU1zgTmjlrdNksxdwMMnZznVfczBDuIOQyPJOdj OGe59PkXDddGvyRNCLPiCTXHJq76xy7Rake9b+hWERp0QswzUrIu3cfrby/02DvuqGzH qVtD7hBSpur4a+ShtCxC9KZbL+j5UEB9az07R2J5Lvc/pxQK9p0yVTjOgQkyOZv6ARfG 1ltftuuCRLvtUtrnNkCXgnDaqWBoNEtunrSLHFvyc3YUk9cFc4WLvVmbRinuNFycvqr8 +g==
Received: from userp3020.oracle.com (userp3020.oracle.com [156.151.31.79]) by userp2130.oracle.com with ESMTP id 2rpkht5e7m-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 10 Apr 2019 20:42:48 +0000
Received: from pps.filterd (userp3020.oracle.com [127.0.0.1]) by userp3020.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x3AKfuAL194656; Wed, 10 Apr 2019 20:42:48 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userp3020.oracle.com with ESMTP id 2rpkek4bcf-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 10 Apr 2019 20:42:48 +0000
Received: from abhmp0002.oracle.com (abhmp0002.oracle.com [141.146.116.8]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x3AKglAT026760; Wed, 10 Apr 2019 20:42:47 GMT
Received: from [172.19.128.66] (/216.146.45.33) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 10 Apr 2019 13:42:47 -0700
To: Bob Harold <rharolde@umich.edu>
Cc: dnsop <dnsop@ietf.org>
References: <d8ccad4a-cd0c-4c97-b4d7-2099657351dc@oracle.com> <CA+nkc8BM+mfTBm3XyOaZUF5hMg23t9aSY4nq4Y4=BQ-sjcjkVg@mail.gmail.com>
From: Richard Gibson <richard.j.gibson@oracle.com>
Message-ID: <25b38d21-c572-d782-6b35-a187fa0caae8@oracle.com>
Date: Wed, 10 Apr 2019 16:42:45 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CA+nkc8BM+mfTBm3XyOaZUF5hMg23t9aSY4nq4Y4=BQ-sjcjkVg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------5C6DF636D9136C6F2D3FEBE2"
Content-Language: en-US
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9223 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904100134
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9223 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1904100134
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/rdbaUM8BJRPH3LGqe1b6le4XG28>
Subject: Re: [DNSOP] What should ANAME-aware servers do when target records are verifiably missing?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Apr 2019 20:42:54 -0000
Responses below. On 4/9/19 16:04, Bob Harold wrote: > If it gets an authoritative answer saying that there are no address > records, then it should respect that answer. If that is incorrect, > then whatever gave that answer is broken or misconfigured and should > be fixed. > > Perhaps I am missing something. In what cases can you imagine getting > a response with no errors and no records? Misconfiguration is precisely the case, but quite possibly misconfiguration in the zone of /target/ records as opposed to the zone containing the ANAME. And there are two problems with respecting that [negative] answer. The first problem is for the owner of the ANAME-containing zone, for whom the upstream misconfiguration will result in downtime and be extended by caching to the MINIMUM value from their SOA, which in many cases will be one to three orders of magnitude greater than the TTL of the ANAME itself. The second problem is for the query originator and their ANAME-aware resolver, which will be forced to resolve the SOA of the ANAME-containing zone in order to issue a proper RFC 2308 Type 2 NODATA response <https://tools.ietf.org/html/rfc2308#section-2.2.1>—and such resolution must take place synchronously, tying up resolver resources and increasing end-user latency (insignificantly when the SOA is already cached, significantly when it is not). Both of these problems can be addressed by allowing/recommending/requiring ANAME-aware servers to preserve ANAME siblings when resolution of ANAME targets results in NXDOMAIN or NODATA responses, rather than replacing them with an empty RRSet... which, to be honest, seems to be always-undesirable behavior anyway—if anyone can think of a scenario where it would be /beneficial/ to dynamically remove ANAME siblings, please share it.
- [DNSOP] What should ANAME-aware servers do when t… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Bob Harold
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Bob Harold
- Re: [DNSOP] What should ANAME-aware servers do wh… Matthew Pounsett
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Matthew Pounsett
- Re: [DNSOP] What should ANAME-aware servers do wh… Tony Finch
- Re: [DNSOP] What should ANAME-aware servers do wh… Matthijs Mekking
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Joe Abley
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson
- Re: [DNSOP] What should ANAME-aware servers do wh… Richard Gibson