Re: [Gen-art] [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-09.txt

Dave Lawrence <> Mon, 02 December 2019 22:34 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 64F6112006F; Mon, 2 Dec 2019 14:34:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LY7e9hXOb_Em; Mon, 2 Dec 2019 14:33:58 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C92F4120018; Mon, 2 Dec 2019 14:33:56 -0800 (PST)
Received: by (Postfix, from userid 102) id 791EDB8191; Mon, 2 Dec 2019 17:33:53 -0500 (EST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <>
Date: Mon, 02 Dec 2019 17:33:53 -0500
From: Dave Lawrence <>
In-Reply-To: <>
References: <> <> <> <>
Archived-At: <>
Subject: Re: [Gen-art] [DNSOP] I-D Action: draft-ietf-dnsop-serve-stale-09.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 02 Dec 2019 22:34:00 -0000

Benjamin Kaduk writes:
> Isn't there still some latent risk of such fielded implementations
> that would be incompatible with this change if it ever did show up
> on the wire? 

There's always some risk with any change, right?  I'm not trying to be
flatly dismissive of the concern. I do, however, find vague,
unsubstantiated concerns about the behaviour of unidentified software
to be a poor basis for an engineering decision.

Given that no circumstance has been identified where this is an issue,
the next best thing is a risk analysis of the potential, and I've
previously gone over the possible failure scenarios.  The worst case
identified is that someone was actually sending a negative TTL with
the intent of it being cached as 0 (leaving open the question about
why they'd make that choice), but which would now be treated by new
software as very large and almost universally capped at something more
sane but still on the order of days instead of an augenblick.  

As failure cases go, my subjective opinion is that this is not vexing,
especially without any evidence that someone is making meaningful
operational use of the treat-as-zero logic.  If they were, it seems to
me that the people running the authority doing that and needing the
dynamic remapping it implies would be highly incentivized to update
their relatively smaller footprint of servers to behave more

On the flip side, authorities sending an obnoxiously large TTL (2^31+)
would now get the expected behviour of being cached as long as
possible rather than 0.  Of course I personally would expect them to
get their act together and send more sane TTLs, too, in no small part
because in practical terms there are smaller values they could use to
achieve the same aims without having to even deal with the question of
the high order bit.  The risk on this end is that new software,
written with the expectation that 2^31+ TTLs would be treated as
basically equivalent to 2^31-1 and then capped by modern resolvers,
might send to an old treat-as-0 resolver and get surprisingly frequent
requeries for what the operator intended to be a static response.  If
this traffic were for a popular enough name to cause packet volume to
rise above the usual noise in any sort of remotely problematic way,
the authority operators are then highly incentivized to change as
well.  This is all hinging on a lot of "ifs" though, starting that
chain with it being new behavior by an authority to start sending such

If you see some greater risk potential, I'll gladly think on that some
more.  I certainly don't want to cause any harm either; I just don't
see it here.