Re: [IAB] last call discussion status on draft-iab-2870bis

Mark Andrews <marka@isc.org> Thu, 05 March 2015 23:57 UTC

To: Andrew Sullivan <ajs@anvilwalrusden.com>
From: Mark Andrews <marka@isc.org>
References: <20140520204238.21772.64347.idtracker@ietfa.amsl.com> <500031A0-DF45-409E-AACB-F79C32032E38@viagenie.ca> <4B545BEB-EA0E-4BA8-A45E-15AF12CDB1EC@piuha.net> <20150305044122.4185F2AEEC2D@rock.dv.isc.org> <EC564286-9A5E-4702-A8ED-B2C8E404E68A@piuha.net> <6056F80B-2188-4E52-AE18-35E84BA98147@vpnc.org> <20150305214829.014352AF885A@rock.dv.isc.org> <20150305232806.GG1197@mx1.yitter.info>
Subject: Re: [IAB] last call discussion status on draft-iab-2870bis
In-reply-to: Your message of "Thu, 05 Mar 2015 18:28:07 -0500." <20150305232806.GG1197@mx1.yitter.info>
Date: Fri, 06 Mar 2015 10:57:42 +1100
Message-Id: <20150305235743.8791F2AFAA23@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/7SUgrPmT9i8C3uzXtMhn72ko4uA>
Cc: IAB <iab@iab.org>, Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion List <ietf@ietf.org>

In message <20150305232806.GG1197@mx1.yitter.info>, Andrew Sullivan writes:
> On Fri, Mar 06, 2015 at 08:48:27AM +1100, Mark Andrews wrote:
> > required.  Yes, there are servers that do DNSSEC but don't correctly
> > handle DO (it is not echoed in the response).  The current root
> > servers do not exhibit this mis-behaviour.  This however comes
> > from requiring DNSSEC support not EDNS support.
> 
> I would like to understand exactly what you mean by, "Do DNSSEC but
> don't correctly handle DO."  That sounds to me like the kind of do
> DNSSEC, not that they do it properly.  DNSSEC requires EDNS0, full
> stop; therefore any additional text on the matter is unnecessary.

To get the DNSSEC records added to the responses the server needs
to be able to see the DO=1 bit.  It does not need to properly handle
unknown EDNS options.  It does not need to properly handle unknown
flags.  It does not need to properly handle EDNS version != 0.  It
does not need to fully handle DO by adding DO=1 to the response.

I'm sure all the TLD operators listed in tld-report.html [1] with
broken implementations think they are doing EDNS correctly.

[1] http://users.isc.org/~marka/tld-report.html

When only 65% of the world gets EDNS support right I don't think it
unreasonable to make fully compliant EDNS support a requirement.

> Moreover, see upthread the exchange between Bill Manning and John
> Klensin.  I think if we have a root server operator that starts
> running some dodgy implementation of some name server code, the root
> server operators are going to have a worse day of it than the IETF.  I
> think we should specify exactly what we need and no more.  Since
> DNSSEC entails EDNS0 support, we're done.
> 
> Best regards,
> 
> A
> 
> -- 
> Andrew Sullivan
> ajs@anvilwalrusden.com
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
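As an added illustration of the distinction drawn above (a server only needs to see DO=1 to return DNSSEC records, whereas full EDNS compliance also means echoing DO and answering an unknown EDNS version with BADVERS), here is a small response checker. It is not code from the thread or from ISC's tld-report; it parses the OPT pseudo-RR out of a DNS response and reports those two points, and the response bytes it runs over are constructed inline rather than captured from any server.

```python
import struct
OPT_TYPE = 41      # EDNS(0) OPT pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000   # DNSSEC OK bit in the OPT TTL field (RFC 3225)

def _skip_name(msg, off):   # offset just past a wire-format name, pointers included
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_opt(msg):
    """Return the OPT pseudo-RR fields of a DNS message, or None if it carries no OPT."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == OPT_TYPE:   # CLASS = UDP payload size, TTL = ext-rcode|version|flags
            return {"udp_size": rclass, "ext_rcode": ttl >> 24,
                    "version": (ttl >> 16) & 0xFF, "do": bool(ttl & DO_FLAG)}
        off += rdlen
    return None

def check_response(query_version, query_do, msg):
    """Findings for one probe: OPT returned? DO echoed? BADVERS for an unknown version?"""
    opt = parse_opt(msg)
    findings = {"opt_present": opt is not None}
    if opt is None:
        return findings
    findings["do_echoed"] = (not query_do) or opt["do"]   # RFC 3225: DO is copied back
    if query_version != 0:
        ext_rcode = (opt["ext_rcode"] << 4) | (msg[3] & 0x0F)
        findings["badvers"] = ext_rcode == 16             # BADVERS, RFC 6891 section 6.1.3
    return findings

# Constructed sample responses (hypothetical, not captured from any real server):
# header + question "example. IN A" + an optional OPT RR in the additional section.
def _msg(arcount, opt=b""):
    return (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, arcount)
            + b"\x07example\x00" + struct.pack("!HH", 1, 1) + opt)
def _opt_rr(ext_rcode, version, do):
    ttl = (ext_rcode << 24) | (version << 16) | (DO_FLAG if do else 0)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, ttl, 0)
GOOD = _msg(1, _opt_rr(0, 0, True))      # echoes DO=1
NO_DO = _msg(1, _opt_rr(0, 0, False))    # OPT returned but DO dropped: the mis-behaviour above
BADVERS = _msg(1, _opt_rr(1, 0, False))  # correct reply to a version-1 probe (extended RCODE 16)
NO_OPT = _msg(0)                         # ignores EDNS entirely
```

Running the same probes against a live server would need the query side as well; this block only judges the response wire format.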