Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
Shumon Huque <shuque@gmail.com> Tue, 06 September 2022 00:56 UTC
Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C77D8C1522C6 for <dnsop@ietfa.amsl.com>; Mon, 5 Sep 2022 17:56:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NB-sgDSMQzNl for <dnsop@ietfa.amsl.com>; Mon, 5 Sep 2022 17:56:11 -0700 (PDT)
Received: from mail-io1-xd29.google.com (mail-io1-xd29.google.com [IPv6:2607:f8b0:4864:20::d29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B1F7C14F725 for <dnsop@ietf.org>; Mon, 5 Sep 2022 17:56:11 -0700 (PDT)
Received: by mail-io1-xd29.google.com with SMTP id g1so2100038iob.13 for <dnsop@ietf.org>; Mon, 05 Sep 2022 17:56:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=c/ZA+87l2qX3PApcKs3gWc0vq/77ldL6OLtZMup6r/Y=; b=giCZ/PR7eRSAm/KPZ2UwbOT3C7OSsmu6LGsEF9q20Eed1AcpWiXkDGu4WVbEk56vWm OA4rGsqGmt3Sx1h029WD08n65JEFqATHZuS3LfGXwZHhYCFuGShHCP2pe9ynaablbBQL pOTaNdk5MjcOAWIAPfsVkS88ozgjexWqlRq7GDXY/9A9fm5TiPFcFgE9yGujdJB7I/OI aIkWYUF8hFfMMb6Xj32D6GEgHRrJ8GpU1Qr894hzsDb/U0chXQPlpbabZHu7MTpx3c5c 0c+TbYfSMOmHLPbMogIRd4EKaGfPMD0vXYToY5EzR7dkT5/s3kZJ87x8aow0E2g9YXwf oK2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=c/ZA+87l2qX3PApcKs3gWc0vq/77ldL6OLtZMup6r/Y=; b=E3QoggXff8+8Fwzq3gN5ZvD1GnBxVU5HjBd6L2iw1cbDLH4grOtrRgGoWrxGqDRyGO 0j5JdNC/Qxzm15X3jtLp4C3NJYlFDEXkFdOk5WdZQ9jesxqmmeBc6g54xGdLv2B9ZBLn Xmw5KImGRihCeD3gRx3TWbNh6dBL98qrQc4tNqN9D0Rukcl5Raa5pRMIDEwFu94hEk7C szqP3xazYW0MBM3Kulvc0exJkvXK7dYqAIhevN8oHFCv3KGUSN1fTe/oACUYjUfCKj+u zQuKA60v0nQ+4z2CK0KcHGuVYNO1eDL2IEmXedXChmVBKhKb6YcM2XxwcMX9PUxUudn4 jmVQ==
X-Gm-Message-State: ACgBeo1yr8L2rblXJoHnnVuzOpDrRMwigjY/qkS1vGcVE88V+pkAGFIE ZftpI/NoP2uKgPLJep53bxBPKRuitGseYjdu9Gs=
X-Google-Smtp-Source: AA6agR4PI76wauqSQwvNOAHG28+rnJ/vWnodg+07/kfrPdeEyWOLyR63VAVBMJrpqKoI/PnIKYBwtmDG+ny/TIbanXU=
X-Received: by 2002:a02:cbb4:0:b0:34c:d42:ac34 with SMTP id v20-20020a02cbb4000000b0034c0d42ac34mr14404533jap.249.1662425770090; Mon, 05 Sep 2022 17:56:10 -0700 (PDT)
MIME-Version: 1.0
References: <164668869128.9050.17922186658317778247@ietfa.amsl.com> <YvwJ+RT8kpSxcrXH@pepino> <79a0b47e-0c0e-55e8-b44e-a5ffcf89b824@redbarn.org>
In-Reply-To: <79a0b47e-0c0e-55e8-b44e-a5ffcf89b824@redbarn.org>
From: Shumon Huque <shuque@gmail.com>
Date: Mon, 05 Sep 2022 20:55:58 -0400
Message-ID: <CAHPuVdXCWdfc0BjWkaZHOHXsZ_8s8hK+afHR0Jt7UHGu3xPw2Q@mail.gmail.com>
To: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>
Cc: Hugo Salgado <hsalgado@nic.cl>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007de89505e7f7a9c9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/sBPUs5cWf-7AlH7Udorru5re1PQ>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidation-02.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2022 00:56:11 -0000
On Tue, Aug 16, 2022 at 7:02 PM Paul Vixie <paul= 40redbarn.org@dmarc.ietf.org> wrote: > > Hugo Salgado wrote on 2022-08-16 14:19: > > Dear authors. > > In the second paragraph of section 3 "Upgrading NS RRset Credibility" > > there is a mention of "Positive responses...", which I am not sure of > > its exact meaning. Do you mean ANSWERS>0? Or AA=1? > i think if the text were "positive responses" then your question would > be a nonsequitur, but the actual text i see is "positive answers" which > does indeed raise your questions. > Thanks for the question Hugo. To address Paul's comment first, I think it might be simplest to change "positive answer" in the text to "positive response" to avoid potential ambiguity (although in my view they are synonymous). Barring objections, I'll make that update in the text. Even the term "positive response" is not precisely defined in the specs. DNS Terminology (RFC 8499) does define "Negative response", so we could argue that it is simply the antonym, i.e. a NOERROR response that isn't a NODATA (with ANCOUNT > 0, or in the case of referrals, with an NS set in the authority section). > > I'm thinking of a (broken) nameserver that responds to NSs queries with > > NXDOMAIN (but does answer to other types)[1]. Is that a positive > > response, which should be cached with an authoritative data ranking? > We cover this case in the 3rd paragraph of section 3 with the following: " ... that there are number of nameservers in the field that (incorrectly) fail to answer explicit queries for NS records, and thus the revalidation logic may need to be applied lazily and opportunistically to deal with them." Applying the logic "opportunistically" means that the resolver falls back to using the delegation information in the referral from the parent. We should make that clearer in the draft. Or we could propose to have another "flag day" to try to root out these broken nameservers :) i think we're sending an RD=0 question to a server we think is the > closest enclosing delegator for the zone we are revalidating, and that > it has to answer AA=0 (because it is a delegated name) with an RRset of > type NS, or else it's nonresponsive. i leave it to my coauthors to find > a way using only english words to best express that constraint. > Paul - the specific text from the draft that Hugo is quoting is about upgrading NS set credibility, and not about revalidation (which is in section 4). If there are other ambiguities in that section that need to be addressed, please discuss. Shumon.
- [DNSOP] I-D Action: draft-ietf-dnsop-ns-revalidat… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Paul Wouters
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Joe Abley
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Hugo Salgado
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Paul Vixie
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-ns-reval… Hugo Salgado