Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-04.txt
Magnus Sandberg <mem@fallback.netnod.se> Mon, 06 February 2023 12:26 UTC
Return-Path: <mem@fallback.netnod.se>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 17779C1522AF for <dnsop@ietfa.amsl.com>; Mon, 6 Feb 2023 04:26:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UQsLuHeckDw3 for <dnsop@ietfa.amsl.com>; Mon, 6 Feb 2023 04:26:30 -0800 (PST)
Received: from mail2.netnod.se (mail2.netnod.se [IPv6:2a01:3f0:1:3::75]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25287C14F74B for <dnsop@ietf.org>; Mon, 6 Feb 2023 04:26:30 -0800 (PST)
Received: from [IPV6:2a01:3f0:1:10::1006] (unknown [IPv6:2a01:3f0:1:10::1006]) (Authenticated sender: mem) by mail2.netnod.se (Postfix) with ESMTPSA id B242420000D for <dnsop@ietf.org>; Mon, 6 Feb 2023 13:26:27 +0100 (CET)
Message-ID: <c1a1af67-42a4-b569-7acb-4db3a7f02d16@fallback.netnod.se>
Date: Mon, 06 Feb 2023 13:26:27 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0
Content-Language: sv-SE, en-US
To: dnsop@ietf.org
References: <167544566074.39730.3747181843653974839@ietfa.amsl.com>
From: Magnus Sandberg <mem@fallback.netnod.se>
In-Reply-To: <167544566074.39730.3747181843653974839@ietfa.amsl.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xFM9nD4B5WRAfbvEk0tkkllzlno>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-reporting-04.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Feb 2023 12:26:35 -0000
Hi all, Maybe I missed some earlier discussions or decisions, then just ignore my comment. I was thinking if more meta data in the report query. If only one of the authoritative servers for the domain test. is out of sync it may help with some extra data to pinpoint the faulty server. In unicast the IP address of the faulty authoritative server may help. With an anycast setup maybe NSID is better but then the resolver has to include "+NSID" in all queries to auth servers. RFC8914 also has error codes for network error related problems. Would it be helpful to be able to signal what protocol that was used, like UDP53, TCP53, DOT, DOH, DOQ, etc? I understand that this type of error reporting may generate a lot of "false negatives" if the protocols are not supported by the auth servers. But on the other hand it may signal some unknown filtering in the path. Some possible examples: _ip4.192.168.47.11._ip4 _ip6.2001-DB8-F00=53._ip6 (in this example : eq - and :: eq =, maybe not the best) _nsid.server.iata._nsid _proto.doh._proto Regards, // mem Den 2023-02-03 kl. 18:34, skrev internet-drafts@ietf.org: > > A New Internet-Draft is available from the on-line Internet-Drafts directories. > This draft is a work item of the Domain Name System Operations WG of the IETF. > > Title : DNS Error Reporting > Authors : Roy Arends > Matt Larson > Filename : draft-ietf-dnsop-dns-error-reporting-04.txt > Pages : 10 > Date : 2023-02-03 > > Abstract: > DNS error reporting is a lightweight reporting mechanism that > provides the operator of an authoritative server with reports on DNS > resource records that fail to resolve or validate. A domain owner or > DNS hosting organization can use these reports to improve domain > hosting. The reports are based on extended DNS errors as described > in RFC 8914. > > When a domain name fails to resolve or validate due to a > misconfiguration or an attack, the operator of the authoritative > server may be unaware of this. To mitigate this lack of feedback, > this document describes a method for a validating recursive resolver > to automatically signal an error to a monitoring agent specified by > the authoritative server. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-dnsop-dns-error-reporting/ > > There is also an htmlized version available at: > https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-dns-error-reporting-04 > > A diff from the previous version is available at: > https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dns-error-reporting-04 > > > Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] I-D Action: draft-ietf-dnsop-dns-error-re… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-dns-erro… Magnus Sandberg