Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt

Dave Lawrence <tale@dd.org> Tue, 05 March 2019 15:59 UTC

Return-Path: <tale@dd.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9500E131268 for <dnsop@ietfa.amsl.com>; Tue, 5 Mar 2019 07:59:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RKtjr4fr4SoC for <dnsop@ietfa.amsl.com>; Tue, 5 Mar 2019 07:59:52 -0800 (PST)
Received: from gro.dd.org (host2.dlawren-3-gw.cust.sover.net [207.136.201.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFFB61311DD for <dnsop@ietf.org>; Tue, 5 Mar 2019 07:59:45 -0800 (PST)
Received: by gro.dd.org (Postfix, from userid 102) id 7DFEA28604; Tue, 5 Mar 2019 10:59:44 -0500 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23678.40176.492174.37630@gro.dd.org>
Date: Tue, 5 Mar 2019 10:59:44 -0500
From: Dave Lawrence <tale@dd.org>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <alpine.LRH.2.21.1903042240330.32161@bofh.nohats.ca>
References: <155094804613.28045.8648150477440044197@ietfa.amsl.com> <CA+9_gVscCzr0S8A0Z23q0V1B+BZeLtDoZRSKyEJDPZ3P=KT-tw@mail.gmail.com> <CAL9jLaYo5JH6vf+djEn0O=YGhLV2AkytMg_eKQmWn=Pma5yBFQ@mail.gmail.com> <4253851.Zqd2zPpPcC@linux-9daj> <92355508-D5AC-46DC-8FF5-C1C4155601D8@isc.org> <alpine.LRH.2.21.1903042240330.32161@bofh.nohats.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/vngUVvMVHrhUu4G3i_amqnVM2yU>
Subject: Re: [DNSOP] [Ext] I-D Action: draft-ietf-dnsop-serve-stale-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2019 15:59:55 -0000

Paul Wouters writes:
> In the non-DDOS case, the auth server is reachable and none of the data
> is getting additional TTL added:
> 
>     Answers from authoritative servers that have a DNS Response Code of
>     either 0 (NOERROR) or 3 (NXDOMAIN) MUST be considered to have
>     refreshed the data at the resolver.  In particular, this means that
>     this method is not meant to protect against operator error at the
>     authoritative server that turns a name that is intended to be valid
>     into one that is non-existent, because there is no way for a resolver
>     to know intent.
> 
> Although perhaps it should also explicitely state this regarding
> ServFail ?

I personally have a very strong opposition to including servfail.
Servfail is an extremely clear indication that the authority that was
contacted is having some sort of structural problem.  It is a very
distinct condition from being told by the authority that the name does
or does not exist.