Re: [DNSOP] Setting of the RD bit in queries in draft-ietf-dnsop-resolver-priming-06.txt
Suzanne Woolf <suzworldwide@gmail.com> Sat, 23 January 2016 22:17 UTC
Return-Path: <suzworldwide@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 355BF1B29AD for <dnsop@ietfa.amsl.com>; Sat, 23 Jan 2016 14:17:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZlPxESleUFb for <dnsop@ietfa.amsl.com>; Sat, 23 Jan 2016 14:17:01 -0800 (PST)
Received: from mail-qg0-x229.google.com (mail-qg0-x229.google.com [IPv6:2607:f8b0:400d:c04::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E78E1B29A8 for <dnsop@ietf.org>; Sat, 23 Jan 2016 14:17:01 -0800 (PST)
Received: by mail-qg0-x229.google.com with SMTP id b35so83544541qge.0 for <dnsop@ietf.org>; Sat, 23 Jan 2016 14:17:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=e4YN1bZb/uhqsO6na1a9stReaAzyWvYZvV0m0n3u8KA=; b=nKXGhD/WAbzJuo9VKxCFO/RjetFNAkfvqcuJEibvxC9Nu3zY2ctJu2UJKckQQ3U3/V RFGK/nHxJaeir/yHLkYoE8usj1+JCDsj0d+XQwvjnWMXrFTwPmG4+BRsK3wIRm/SUFl1 iLB9jBWKFb1T+koIBjAjV5dVlemrnt3z0IvzXd3U4+Y2pT8/HJ85lwkkWktgekQjhthy 4BSWfUSaPuMovvYnYuR4nG0X1ylldJy6AbzaWt0/kJyF38esQmx4MMwYyhJYGDBIMwjj 9l3wZafXglNMra2JU16tZO0epIF+6SQ1iBaiVGAQ80l3bqwGT4JbA6n3MMYsM/PDBq+U 0BzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=e4YN1bZb/uhqsO6na1a9stReaAzyWvYZvV0m0n3u8KA=; b=l3/7n0GfUcirrKAxfsNAQE8FqONITepOlHmidQ+o40wyjAq2iXNDzMMOxTQNKb834L +XA84euU31VhI45cRb/eul9uUnizy3NQjpwPXerf+yy6EcpF6TpSj529OpDMeNYovi61 Ngsd/EUJ/MGCET9Oo/32QbKd9t9EVZc09qL+/L7vkrE/sKzqk7qCs2BLWj3v5wNccIOV 6/ymTyCteMpEPFRTTgtTxpHnRWYOK30kguYapc62H4AMSYcMAFqpHHYcsisVr/Ns9Ci7 929jLuK5N6XGcc9Jhk2uDdl3sRjcSQ3q9q1/gG6qeOo4zw1UWubtRRqaVQkrvQ1O26sR b+ag==
X-Gm-Message-State: AG10YOR+aof1d/XlZiIiEXfGfd9LbvglCNay37bkqDvjkUPwRfU5LvyU2xQG8VP2BeLTJg==
X-Received: by 10.140.94.168 with SMTP id g37mr12700612qge.78.1453587420568; Sat, 23 Jan 2016 14:17:00 -0800 (PST)
Received: from ?IPv6:2601:181:c002:25ee:88c4:bc1a:f9cd:7a22? ([2601:181:c002:25ee:88c4:bc1a:f9cd:7a22]) by smtp.gmail.com with ESMTPSA id 63sm5692272qhs.22.2016.01.23.14.16.59 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sat, 23 Jan 2016 14:16:59 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_EADC4CD0-35C6-46E5-8882-9D2AAFC5C52A"
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Suzanne Woolf <suzworldwide@gmail.com>
In-Reply-To: <7BCEFBC2-0F3B-466C-B1D0-BA447C15E0BD@vpnc.org>
Date: Sat, 23 Jan 2016 17:17:23 -0500
Message-Id: <7CC54325-FABD-4FC9-88D0-6F6378406AF6@gmail.com>
References: <7BCEFBC2-0F3B-466C-B1D0-BA447C15E0BD@vpnc.org>
To: Paul Hoffman <paul.hoffman@vpnc.org>
X-Mailer: Apple Mail (2.1510)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/zeoVOQp95nO1FkSZxW2KOBOldeU>
Cc: IETF DNSOP WG <dnsop@ietf.org>
Subject: Re: [DNSOP] Setting of the RD bit in queries in draft-ietf-dnsop-resolver-priming-06.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jan 2016 22:17:04 -0000
(no hats except a long-time acquaintance with root server operations) Not sure it helps determine what resolvers should do in anomalous situations, but per Stephane's quasi-question about the "good practice" of root servers being configured as auth-only: "Service Expectations of Root Servers" (https://www.icann.org/en/system/files/files/rssac-001-root-service-expectations-04dec15-en.pdf), cited in RFC 7720 as reference RSSAC-01, does specify that "From a protocol perspective, a Root Server is a DNS name server that provides authoritative-only DNS service for the root zone," and cites RFC 1034. I can't find this directly asserted in RFC 1034 but only spent a few minutes looking. As a practical matter, I'm OK with a general expectation that if an answer can be validated, the resolver doesn't care if it's non-authoritative.This also suggests that getting a non-authoritative answer where an authoritative answer was expected should perhaps be treated the same way at the root that it's treated anywhere else (it's functionally a lame delegation). What does widely deployed code do? Suzanne On Jan 21, 2016, at 10:07 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote: > This is the summary of the thread about the following sentence in the section on priming queries: > > The RD bit MAY be set to 0 or 1, although the meaning of it being set to 1 is > undefined for priming queries. > > There were four replies with what seems like four different takes on it. Can others in the WG weigh in so we might get consensus? > > --Paul Hoffman > > On 15 Jan 2016, at 2:50, Stephane Bortzmeyer wrote: > >> On Thu, Jan 14, 2016 at 11:09:36AM -0800, >> Paul Hoffman <paul.hoffman@vpnc.org> wrote >> a message of 34 lines which said: >> >>> Setting the RD bit to 1 could result in non-authoritative answers. >> >> Today, all root name servers are not recursive. It seems good >> practice, even if I'm not sure it's formally written somewhere (I do >> not find it in RFC 7720). >> >>> If the response to a priming query is non-authoritative, should the >>> resolver reject it and try more queries? >> >> I would say yes, since it is supposed to be sent to authoritative >> servers. >> >> If a name server is deprecated and replaced by a resolver, not >> authoritative for the root, I tend to think that its response cannot >> be trusted. > > > > On 15 Jan 2016, at 5:03, Tony Finch wrote: > >> Paul Hoffman <paul.hoffman@vpnc.org> wrote: >>> >>> If the response to a priming query is non-authoritative, should the >>> resolver reject it and try more queries? Or is it OK for a priming >>> response to be non-authoritative? >> >> If you are unlucky enough to be on a network that intercepts DNS queries >> and diverts them to a recursive server, you are likely to get RA=1 AA=0 >> answers to priming queries. Your resolver ought to soldier on as best it >> can in this situation. > > > On 15 Jan 2016, at 5:59, Stephane Bortzmeyer wrote: > >> On Fri, Jan 15, 2016 at 01:03:41PM +0000, >> Tony Finch <dot@dotat.at> wrote >> a message of 22 lines which said: >> >>> If you are unlucky enough to be on a network that intercepts DNS >>> queries and diverts them to a recursive server, you are likely to >>> get RA=1 AA=0 answers to priming queries. Your resolver ought to >>> soldier on as best it can in this situation. >> >> If the resolver validates with DNSSEC, it may go on in such a case. If >> it doesn't, I'm tempted to say that it should give in and tell the >> sysadmin that it cannot do its job properly and safely. >> >> At the very minimum, such problem should be escalated to the sysadmin. > > > > > On 15 Jan 2016, at 9:52, Darcy Kevin (FCA) wrote: > >> It's not really a "normal" query, in the sense that it's not coming from a stub resolver, typically, and the initiator wouldn't normally assume that recursion is required to fetch the answer. >> >> So, in the typical case I'd expect RD=0. >> >> Not sure that the "although" verbiage below really adds any value, though. If you've already declared that something is a "MAY", what's the practical effect of then saying that its meaning is "undefined"? Either it's allowable per the standard or it's not. >> > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop
- [DNSOP] Setting of the RD bit in queries in draft… Paul Hoffman
- Re: [DNSOP] Setting of the RD bit in queries in d… Suzanne Woolf