Re: [DNSOP] Genart last call review of draft-ietf-dnsop-caching-resolution-failures-06
Lucas Pardue <lucaspardue.24.7@gmail.com> Mon, 21 August 2023 21:56 UTC
Return-Path: <lucaspardue.24.7@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FF63C14CF1B; Mon, 21 Aug 2023 14:56:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.854
X-Spam-Level:
X-Spam-Status: No, score=-1.854 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lJWYe2yuuson; Mon, 21 Aug 2023 14:56:03 -0700 (PDT)
Received: from mail-oo1-xc32.google.com (mail-oo1-xc32.google.com [IPv6:2607:f8b0:4864:20::c32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F16F7C14F73F; Mon, 21 Aug 2023 14:56:02 -0700 (PDT)
Received: by mail-oo1-xc32.google.com with SMTP id 006d021491bc7-570f6c17c55so34745eaf.2; Mon, 21 Aug 2023 14:56:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692654962; x=1693259762; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=JF9oza5lK8he25j1dS8zE5i2HLuRpyFeb7zMF3ra3XA=; b=saiSu+LZNu5+6V/lGanEvUZAeE95akGyqS/DUtTXcndELuue6VDCKFNDDX9htrBQKg fmktgixz1o4aDrjYrsrnht5C2Z2cH0sPgkLDV72TrBUgvJ59AhKpm7xGJkadV4HstGPW AvZB+P6q1DR0YGNEpxgeiFrwHYaIVEiiNSH4nre9nReo5G+PsBCueiN7iY9utKpYuu7U MvYotp/PZf8aTHxnkWo5Uk7qpN3nPr2VoYGRXKwLbU3LAMVdObBSKioKGXEho9BATKQm 3ltgo7w50HXQbRjXnyvbOk3GKKtJmOtAHrpjNIE434r4q4OOSSHM6FpTTAdOc0wA2WzC lWfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692654962; x=1693259762; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=JF9oza5lK8he25j1dS8zE5i2HLuRpyFeb7zMF3ra3XA=; b=QBgBFXxh2OUHLmJx7WWA9+BqVxeMFRgM9revGZdSpHFCWmngnTeKMOzpmvnSMrfX4j LmZBq4CFz9ywWFDZ14x6g13iXQcaEGmG1qcTM749K1SgsBopqaPVg7+Dz/SPS8U4qDHR kTUf4ZXSqykhwQSwJdkxB6VpOKSMJqfli5lnR/YQRjwHh9EZWqhGnettcv+VLuoGsjLn uY3ygEOaGY7Q7EJGrpk1pfUnqkywZi2CPw2twW93ptEj6bHaQwum3fH0umMmcVcaBRZ0 pIoJHKBsPeNU3XNLTV3CeEVTKCQa2tYiTuy4netJD418SiZOzRWWxrarddPV0Vx1UcOj rmAg==
X-Gm-Message-State: AOJu0Yw1WpBO5fVfmYv7C4lkx3x+9rUry6meSd7wPZClI/3Xp/M3Lqh/ +vo0Z0j+9dAnFY0TY4kV7SG0v3tlWK2d8SPhCSRSa29v
X-Google-Smtp-Source: AGHT+IGiGvBk/VdcJWsJCjyQAPgBlt1maEJurwdJD4Ivr1nBTYH/SfvJDW89CrP1i+3iGlPp8KLY14DRY6aM8XN6/8Y=
X-Received: by 2002:a05:6820:41:b0:56c:699c:79a6 with SMTP id v1-20020a056820004100b0056c699c79a6mr6542767oob.9.1692654961638; Mon, 21 Aug 2023 14:56:01 -0700 (PDT)
MIME-Version: 1.0
References: <169175737767.37063.4458393955343190137@ietfa.amsl.com> <509DC3AD-AA85-443C-ACE8-8CCF1C903BB2@verisign.com>
In-Reply-To: <509DC3AD-AA85-443C-ACE8-8CCF1C903BB2@verisign.com>
From: Lucas Pardue <lucaspardue.24.7@gmail.com>
Date: Mon, 21 Aug 2023 22:55:50 +0100
Message-ID: <CALGR9obrYhOoj6S1CEO5=7hyDdhL=q-EpUVrehRNd4qzRk9Dgg@mail.gmail.com>
To: "Wessels, Duane" <dwessels@verisign.com>
Cc: "gen-art@ietf.org" <gen-art@ietf.org>, "dnsop@ietf.org" <dnsop@ietf.org>, "draft-ietf-dnsop-caching-resolution-failures.all@ietf.org" <draft-ietf-dnsop-caching-resolution-failures.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b73ff1060375f1c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/wSBlY5VLQcqTcJcAn9uf6FFzSZI>
Subject: Re: [DNSOP] Genart last call review of draft-ietf-dnsop-caching-resolution-failures-06
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Aug 2023 21:56:07 -0000
Hi Wesley, Thanks for the response, see mine in-line. On Mon, Aug 21, 2023 at 10:07 PM Wessels, Duane <dwessels@verisign.com> wrote: > > > > On Aug 11, 2023, at 5:36 AM, Lucas Pardue via Datatracker < > noreply@ietf.org> wrote: > > > > Caution: This email originated from outside the organization. Do not > click links or open attachments unless you recognize the sender and know > the content is safe. > > > > Reviewer: Lucas Pardue > > Review result: Ready with Issues > > > > I am the assigned Gen-ART reviewer for this draft. The General Area > > Review Team (Gen-ART) reviews all IETF documents being processed > > by the IESG for the IETF Chair. Please treat these comments just > > like any other last call comments. > > > > For more information, please see the FAQ at > > > > < > https://secure-web.cisco.com/1UZHZEsg_CD0wKCgJum89JtRWBIKuWfAMrOAeNCDx_noxdIVT0xTFtSDKvvkTvjoqt0318tJcX06nwaM58f9XNMDWWilDoqIENqL_gk262YdZle75QHHoW2s2KdRaGCdQkKG8uKUbDRRY655t-OOuxr0Yfd1eJmBdp5KBeJs1-XyEcQI-c_JeFcXJ8taygT-DnCUz-awp_q3J8yJneseERQtJ7GDzNxDcvYbgsJO-fPPCB7ErC401Qq9bP2qWs07AET3l4jK5lmNnyR4yBeDa5NBFgyzdWwC8DOQ9c2t6FPY/https%3A%2F%2Fwiki.ietf.org%2Fen%2Fgroup%2Fgen%2FGenArtFAQ > >. > > > > Document: draft-ietf-dnsop-caching-resolution-failures-?? > > Reviewer: Lucas Pardue > > Review Date: 2023-08-11 > > IETF LC End Date: 2023-08-17 > > IESG Telechat date: Not scheduled for a telechat > > > > Summary: The document was well-written with clear motivation statements > and > > normative text for addressing the indicated problems > > Hi Lucas, thanks for the detailed review. > > > > > > Major issues: None > > > > Minor issues: > > > > * Section 3.1 describes retries and places the normative requirement "A > > resolver MUST NOT retry a given query to a server address over a given > > transport protocol more than ...". However, the definition of "transport > > protocol" is not 100% clear to me, and the terms "transport" and > "transport > > layer protocol" seem to be used interchangeably through the document. > Perhaps > > this is clearer to those in the DNS area, but as a transport area > person, DNS > > over TCP and DNS over TLS both use the same transport protocol. Section > 2.3 > > would seem to imply that DNS over TCP and DNS over TLS are treated as > different. > > > > I think it would help to better define exactly what "a given transport > > protocol" in section 3.1 means. Perhaps that definition already exists > > somewhere that can be cited and imported into the terminology section. > > You’re right that we have not been especially precise when using the word > “transport.” > The authors did intend for DNS over UDP, over TCP, and over TLS, etc to > essentially > be treated as separate transports, or separate ways a client can talk to a > server. > > I’m not sure how best to fix this. On one hand, as far as we know, there > is > currently not a good term that collectively refers to DNS over UDP, TCP, > TLS, HTTPS, > QUIC, and whatever else may come our way. So maybe we need to define > one. I’m > hesitant, though, because I’m not sure this document is where such a term > should > be introduced, and because definitions often turn out to be like cans of > worms. > > Nonetheless, we have taken a stab at it: > > * DNS Transport: In this document, DNS transport means a protocol > used to transport DNS messages between a client and a server. > This includes "classic DNS" transports, i.e., DNS-over-UDP and > DNS-over-TCP [RFC1034] [RFC7766], as well as newer encrypted DNS > transports such as DNS-over-TLS [RFC7858], DNS-over-HTTPS > [RFC8484], DNS-over-QUIC [RFC9250], and similar communication of > DNS messages using other protocols. NOTE: at the time of this > writing not all DNS transports are standardized for all types of > servers, but may become standardized in the future. > This text is much more explicit and clear, thanks. It addresses my issue, so consider my review status as "Ready" for the draft where the change lands. > … > > 3.1. Retries and Timeouts > > A resolver MUST NOT retry a given query to a server address over a > given DNS transport more than twice (i.e., three queries in total) > before considering the server address unresponsive over that DNS > transport for that query. > > A resolver MAY retry a given query over a different DNS transport to > the same server if it has reason to believe the DNS transport is > available for that server and is compatible with the resolver's > security policies. > > > > > > > > > > > Nits/editorial comments: > > > > * In section 1, there exists "section 5" and "section 7" usages that do > make it > > clear if these are internal or external references. > > We propose to just remove those section references. > Sounds good > > > > * I appreciated the text in sections 1.1 and 1.2, dealing with > motivation and > > related use cases respectively. However, as a generalist reviewer, the > most > > useful part of Section 1.1 was the first sentence. The remainder of the > text in > > 1.1 feels like case studies, that while interesting manifestations, are > not > > pure motivation. As a purely editorial suggestion you can take or leave, > > consider modifying the last paragraph of Section 1 to something like > > > > "Operators of DNS services have known for some time that recursive > resolvers > > become more aggressive when they experience resolution failures; see > Appendix A > > for a collection of anecdotes, experiments, and incidents support this > claim. > > This document updates [RFC2308] to require negative caching of DNS > resolution > > failures, which can help to mitigate the operational problems failures > might > > generate. Examples of resolution failures are provided in Section 2. > Related > > work is described in Appendix B." > > > > then move the text from sections 1.1 and 1.2 in appendix A and appendix > B. > > That is an interesting suggestion. Among discussion with my coauthors we > have > a slight preference to leave it as-is, but would also like to take advice > on > this from the RFC editor. > Yep this is an editorial call, so ultimately your decision. Thanks for giving it some consideration though. > > > > > * TOC - "Conditions That Lead To DNS Resolution Failures" vs > "Requirements for > > Caching Resolution Failures". Presumably the same thing, so consistency > might > > help > > I’m not sure I understand this comment. Can you explain further what you > mean? > It's very minor. I read one as "DNS Resolution Failures" and the other as "Resolution Failures". Are these the same thing or different? Maybe you could change them both to "DNS Resolution Failures" or "Resolution Failures". > > > > > * Section 3.2 - regarding the 1 second minimum requirement, the text that > > follows says "Resolvers MAY cache different types of resolution failures > for > > different (i.e, longer) amounts of time." and then later "Consistent with > > [RFC2308], resolution failures MUST NOT be cached for longer than 5 > minutes.". > > These statements are all logically consistent but could be made simpler > with > > some editorial work. For example, something like > > > > "Resolvers MUST cache resolution failures for at least 1 second. > Resolvers MAY > > cache failures for a longer time, up to a maximum of 5 minutes (per the > > requirements of [RFC2308]). Resolvers MAY cache different types of > failures > > using different time periods within this range." > > I see what you’re saying. We propose to move the maximim caching time up > and split that paragraph into two, as follows: > > Resolvers MUST cache resolution failures for at least 1 second. > Resolvers MAY cache different types of resolution failures for > different (i.e., longer) amounts of time. Consistent with [RFC2308], > resolution failures MUST NOT be cached for longer than 5 minutes. > > The minimum cache duration SHOULD be configurable by the operator. A > longer cache duration for resolution failures will reduce the > processing burden from repeated queries, but may also increase the > time to recover from transitory issues. > > LGTM, thanks! > > > DW > >
- [DNSOP] Genart last call review of draft-ietf-dns… Lucas Pardue via Datatracker
- Re: [DNSOP] Genart last call review of draft-ietf… Wessels, Duane
- Re: [DNSOP] Genart last call review of draft-ietf… Joe Abley
- Re: [DNSOP] Genart last call review of draft-ietf… Lucas Pardue