Skip to main content

Common Misbehavior Against DNS Queries for IPv6 Addresses
draft-ietf-dnsop-misbehavior-against-aaaa-02

Yes

(David Kessens)

No Objection

(Steven Bellovin)

Note: This ballot was opened for revision 02 and is now closed.

David Kessens Former IESG member
Yes
Yes () Unknown

                            
Alex Zinin Former IESG member
No Objection
No Objection (2004-06-10) Unknown
Ready to go. Editorial comments from gen-art:

Draft: draft-ietf-dnsop-misbehavior-against-aaaa-01
Reviewer: Brian Carpenter
Date: June 8, 2004

I think this is ready to publish and should be published. No
substantive problems.

Editorial nits:

> 1. Introduction
> 
>    Many DNS clients (resolvers) that support IPv6 first search for AAAA
>    Resource Records (RRs) of a target host name, and then for A RRs of
>    the same name. This fallback mechanism is based on the DNS
>    specifications, which if not obeyed by authoritative servers can
>    produce unpleasant results. In some cases, for example, a web browser
>    fails to connect to a web server it could otherwise. In the following
Missing verb,e.g. ....it could otherwise reach.

>    sections, this memo describes some typical cases of the misbehavior
---------------------------------------------------------such
>    and its (bad) effects.


> 4.5 Ignore Queries for AAAA
> 
>    Some authoritative severs seem to ignore queries for a AAAA RR,
------------------------servers
Bill Fenner Former IESG member
No Objection
No Objection (2004-06-10) Unknown
Just as a point of interest to section 4.2: Microsoft's name server returned SERVFAIL in response to AAAA queries at one point; SERVFAIL causes BSD's resolver to return TRY_AGAIN; sendmail thinks that TRY_AGAIN means "don't ask this name server any more questions", so would never ask for the A record since it always tried AAAA first, got TRY_AGAIN, and queued it to be tried again later.  Sendmail introduced the WorkAroundBrokenAAAA configuration option in response, which changes the behavior on TRY_AGAIN.
Scott Hollenbeck Former IESG member
(was Discuss, No Objection) No Objection
No Objection (2004-06-10) Unknown
<Trying to delete a comment, but it keeps coming back!>
Steven Bellovin Former IESG member
No Objection
No Objection () Unknown

                            
Thomas Narten Former IESG member
No Objection
No Objection (2004-06-10) Unknown
>    for a AAAA RR of the name with the RCODE being 0 (indicating no
>    error) and with an empty answer section [1]. Such a response

[1] should point to RFC 1035, not 1034 (could also point to both).


>    A widely deployed caching server implementation transparently returns
>    the broken response (as well as caches it) to the stub resolver.
>    Another known server implementation parses the response by
>    themselves, and sends a separate response with the RCODE being 2
>    (SERVFAIL).

But, isn't returning the "malformed" response the right thing to do?
The above makes it sound like the caching server has a bug. Caching
servers do not necessarily understand the format of the RRs they cache...