Skip to main content

Observed DNS Resolution Misbehavior
draft-ietf-dnsop-bad-dns-res-06

Revision differences

Document history

Date Rev. By Action
2006-08-31
06 Amy Vezza State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza
2006-08-30
06 Amy Vezza IESG state changed to Approved-announcement sent
2006-08-30
06 Amy Vezza IESG has approved the document
2006-08-30
06 Amy Vezza Closed "Approve" ballot
2006-08-29
06 David Kessens State Changes to Approved-announcement to be sent from Approved-announcement to be sent::Point Raised - writeup needed by David Kessens
2006-08-04
06 Amy Vezza State Changes to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation by Amy Vezza
2006-08-04
06 (System) Removed from agenda for telechat - 2006-08-03
2006-08-03
06 Cullen Jennings [Ballot Position Update] Position for Cullen Jennings has been changed to Yes from Undefined by Cullen Jennings
2006-08-03
06 Cullen Jennings
[Ballot comment]
In section 2.4.1, I'm not sure what I as an implementer would do. Could you give some non normative advice on an example …
[Ballot comment]
In section 2.4.1, I'm not sure what I as an implementer would do. Could you give some non normative advice on an example strategy that an implementors might use to archive the goals in this section. Things like suggested throttle rates would be very useful. I know this is hard to find values that everyone agrees too but it is even harder fro implementers.  (I know, I work on some DNS code and I'm clueless what to do here :-)

I really think this is a comment not a discuss but I really encourage you to try and think of some advice to put here. Thanks, Cullen
2006-08-03
06 Cullen Jennings [Ballot Position Update] New position, Undefined, has been recorded for Cullen Jennings by Cullen Jennings
2006-08-03
06 Mark Townsley [Ballot Position Update] Position for Mark Townsley has been changed to Yes from No Objection by Mark Townsley
2006-08-03
06 Mark Townsley [Ballot Position Update] New position, No Objection, has been recorded for Mark Townsley by Mark Townsley
2006-08-03
06 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko by Jari Arkko
2006-08-03
06 Jon Peterson [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by Jon Peterson
2006-08-03
06 Brian Carpenter
[Ballot comment]
Gen-ART review by Sharon Chisholm with comments by BC and author...

>>1. The document doesn't actually say anywhere that it is informational.
>>> …
[Ballot comment]
Gen-ART review by Sharon Chisholm with comments by BC and author...

>>1. The document doesn't actually say anywhere that it is informational.
>>> >Looking at recently published informational RFCs (4586 for example), it
>>> >would seem the document needs a 'Category: Informational' in the header
>
>>
>> Actually it's intended to be a BCP, but the Editor will insert the header.
>
>>> >
>>> >2. In section 1, first paragraph, it refers to 'the thirteen com/net TLD
>>> >name servers' but isn't that just the number at the time of publication?
>>> >Shouldn't we clarify that?


This number is pretty stable: it's been 13 since 1997 and there are no
plans to change it (a statement I can make because I work for the
com/net operator.)  Also, 13 is currently a magic number in this
context, it being the maximum number of name servers possible for a
zone to ensure that the DNS message packet does not overflow the
increasingly historic limit of 512-bytes when transported in UDP.  For
all these reasons, I don't think further clarification would be
necessary.


>>> >3. In section 2.1, on page 5, second paragraph, I think I got a little
>>> >turned around. It is claiming that under the circumstances described
>>> >there is no value in re-querying the parent, since it gave you the bad
>>> >information in the first place, but what about a potentially valid peer
>>> >name server? Couldn't you get that from the parent or is it assumed that
>>> >is already in the cache?  I.e., if ns1 is bad, is ns2 not an option? Are
>>> >these meant to have different zones?
>>> >    example.com.  IN  NS  ns1.example.com.
>>> >    example.com.  IN  NS  ns2.example.com.
>
>>
>> I understood it to mean that {ns1,ns2} is the complete set and they
>> are both broken, so if you query the parent again you can only
>> get {ns1,ns2} again and they are still broken...


That's correct.  If the parent gives you a list, and you can't contact
anyone in the list, there's no point in asking the parent again any
time soon, since you'll only get the same list again.


>>> >4. Section 2.2 implies that that an implementation can detect a lame
>>> >server and differentiate this case from others. It would be helpful to
>>> >remind implementers how to detect this.


I could add a sentence describing lame server detection.


>>> >5. In section 2.4.1, should implementations also consider detecting that
>>> >they send queries to a particular server and never get responses and
>>> >adapt as a result?


I'm sorry, but I don't understand how your suggestion differs from
what's already written in 2.4.1.

Sharon> I did not see this particular recommendation in section 2.4.1. I just
double checked and it doesn't appear to be there.

>>> >6. In section 2.5.1, the advice is to not be excessive with queries, but
>>> >is this a well understood query rate? 1 per minute or 1 per nanosecond?
>
>>
>> The same question applies to 2.4.1


I'm not aware of a single rate specification in any DNS RFC.  That's
probably a bad thing, since it leaves too much to the implementor and
makes every implementor figure out the same things (and potentially
make the same mistakes as others).  But that being said, I'm not sure
this document is the place to start.  My intent here is not to set a
hard limit in stone, but to cause the implentor to think carefully
about their implementation's behavior.  I'd also be worried about
picking a hard limit that doesn't work in corner cases that I can't
anticipate.

My preference would be to leave the text as is with general, rather
than specific, guidance.


>>> >7. Section 2.10.1 is the best example in the document of how to write up
>>> >the recommendation section. It clearly states where errors will be
>>> >reported (either through a user interface or a log file) where in most
>>> >other sections it was never specified. It might be interpreted as actual
>>> >protocol warnings and error that could be returned to the client in some
>>> >cases. Sections 2.6.1, 2.7.1, etc should be reworked to be more clear in
>>> >their recommendations.


The exact means of error reporting is implementation dependent.
2.10.1 is different because it specifically references a stub
resolver, which is the portion of the DNS infrastructure closest to
the end user.  In this case, it might make sense and be possible to
report an error through a UI.  In all other cases, it's left to the
implementation.

Sharon> What I would like to see made clear is which of the following is being
recommended in each case (even if it is always the latter)
- DNS Protocol reporting errors and warnings
- Applications reporting errors and warnings (this can include
using non DNS-protocols to report the errors (syslog for example).


>>> >8. Section 2.8 starts talking about agents. This appears to be a change
>>> >in terminology.


It is a change, but it's intentional: 2.8 is the first reference in
the document to a component that sends DNS dynamic update messages.  I
refer to this entity as an agent to distinguish it from DNS resolvers
and servers.


>>> >9. The first paragraph of section 2.11 seems like a good introduction to
>>> >the entire section 2, but seems a bit out of place in its current
>>> >location


Fair enough.  Rather than move it, I think I'd just delete it.  I
don't think it hurts in its current position, however.


>>> >10. Section 2.11.1 mixes problem statement and recommendation in a way
>>> >that is inconsistent with the rest of the document.


I'm not sure that I see mixing problem statement and recommendation,
but I do agree that this recommendation section is different, but
that's because of the multiple recommendations it presents.

Matt
2006-08-03
06 Brian Carpenter [Ballot Position Update] New position, No Objection, has been recorded for Brian Carpenter by Brian Carpenter
2006-08-02
06 David Kessens
[Ballot comment]
Comments received by Frank Kastenholz from the Ops directorate:

This document is a bunch of MUST/SHOULD/... for "implementors of
iterative resolvers". I am …
[Ballot comment]
Comments received by Frank Kastenholz from the Ops directorate:

This document is a bunch of MUST/SHOULD/... for "implementors of
iterative resolvers". I am sure that the protocol aspects are good
but it seems to me that this would do nothing to help operators
now. I mean, an operator can not go and fix a broken resolver...
Are there things that operators can do (filters? rate-limiters?
?) Should this note go into that or should there be a separate note?

Probably not worth holding up the document for this.
2006-08-02
06 Ross Callon [Ballot Position Update] New position, No Objection, has been recorded for Ross Callon by Ross Callon
2006-08-02
06 Lars Eggert [Ballot Position Update] New position, Yes, has been recorded for Lars Eggert by Lars Eggert
2006-08-02
06 Dan Romascanu [Ballot Position Update] New position, No Objection, has been recorded for Dan Romascanu by Dan Romascanu
2006-08-01
06 Yoshiko Fong IANA Last Call Comment:

As described in the IANA Considerations section, we understand this document to
have NO IANA Actions.
2006-08-01
06 Russ Housley [Ballot Position Update] New position, No Objection, has been recorded for Russ Housley by Russ Housley
2006-07-31
06 Lisa Dusseault [Ballot Position Update] New position, No Objection, has been recorded for Lisa Dusseault by Lisa Dusseault
2006-07-31
06 Ted Hardie [Ballot Position Update] Position for Ted Hardie has been changed to No Objection from Undefined by Ted Hardie
2006-07-31
06 Ted Hardie
[Ballot comment]
The document says:

  While this situation may appear contrived, we
  have seen multiple similar occurrences and expect more as new generic …
[Ballot comment]
The document says:

  While this situation may appear contrived, we
  have seen multiple similar occurrences and expect more as new generic
  top-level domains (gTLDs) become active.  We anticipate many zones in
  new gTLDs will use name servers in existing gTLDs, increasing the
  number of delegations using out-of-zone name servers.

I am not sure that there is a reason to limit this to new gTLDs; this certainly
occurs now with some ccTLDs.  It was also at one point standard operating
procedure to use out-of-zone name servers for DNS  at least at the tld level
(.gtld-servers.net being one reminder of this ".net is for infrastructure" vision
even now). 

I  would personally strengthen the requirement to handle arbitrary levels of indirection,
and I wonder about recommending that one or more of the servers be within
the zone itself without saying whether best current practice is that some number
be outside the zone.
2006-07-31
06 Ted Hardie [Ballot Position Update] New position, Undefined, has been recorded for Ted Hardie by Ted Hardie
2006-07-30
06 Sam Hartman [Ballot Position Update] New position, Yes, has been recorded for Sam Hartman by Sam Hartman
2006-07-27
06 David Kessens [Ballot Position Update] New position, Yes, has been recorded for David Kessens
2006-07-27
06 David Kessens Ballot has been issued by David Kessens
2006-07-27
06 David Kessens Created "Approve" ballot
2006-07-27
06 David Kessens Placed on agenda for telechat - 2006-08-03 by David Kessens
2006-07-27
06 David Kessens State Changes to IESG Evaluation from In Last Call by David Kessens
2006-07-27
06 David Kessens [Note]: 'Proto shepherd: Rob Austein' added by David Kessens
2006-07-13
06 Amy Vezza Last call sent
2006-07-13
06 Amy Vezza State Changes to In Last Call from Last Call Requested by Amy Vezza
2006-07-12
06 David Kessens State Changes to Last Call Requested from Publication Requested by David Kessens
2006-07-12
06 David Kessens Last Call was requested by David Kessens
2006-07-12
06 (System) Ballot writeup text was added
2006-07-12
06 (System) Last call text was added
2006-07-12
06 (System) Ballot approval text was added
2006-06-07
06 Dinara Suleymanova
PROTO Write-up

1.a) Have the chairs personally reviewed this version of the Internet
Draft (ID), and in particular, do they believe this ID is ready …
PROTO Write-up

1.a) Have the chairs personally reviewed this version of the Internet
Draft (ID), and in particular, do they believe this ID is ready
to forward to the IESG for publication?

Yes and yes.

Which chair is the WG Chair Shepherd for this document?

Rob Austein.

1.b) Has the document had adequate review from both key WG members
and key non-WG members?

Yes.

Do you have any concerns about the depth or breadth of the
reviews that have been performed?

No. This document has been something of a moving target for several
years, as traffic studies at the authoritative name servers in
question is an ongoing process, but the WG felt strongly that the
document in its present form is useful and should be published.

1.c) Do you have concerns that the document needs more review from a
particular (broader) perspective (e.g., security, operational
complexity, someone familiar with AAA, internationalization,
XML, etc.)?

No such concerns.

1.d) Do you have any specific concerns/issues with this document that
you believe the ADs and/or IESG should be aware of? For
example, perhaps you are uncomfortable with certain parts of the
document, or have concerns whether there really is a need for
it. In any event, if your issues have been discussed in the WG
and the WG has indicated it that it still wishes to advance the
document, detail those concerns in the write-up.

No such concerns.

1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

Solid support by the WG as a whole, as evidenced by result of WG last
call in November 2005. Subsequent delay has been minor nits only.

1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent?

No.

1.g) Have the chairs verified that the document checks out against
all the ID nits?

Yes.

1.h) Has the document split its references into normative and
informative?

Yes.

Are there normative references to IDs, where the IDs are not
also ready for advancement or are otherwise in an unclear
state?

No.

1.i) For Standards Track and BCP documents, the IESG approval
announcement includes a write-up

===[snip]===

Technical Summary

This memo describes DNS iterative resolver behavior that results in a
significant query volume sent to the root and top-level domain (TLD)
name servers, and offers implementation advice to iterative resolver
developers to alleviate these unnecessary queries. The
recommendations made in this document are a direct byproduct of
observation and analysis of abnormal query traffic patterns seen at
two of the thirteen root name servers and all thirteen com/net TLD
name servers.

Working Group Summary

This document was produced by the DNSOP WG. The WG has consensus
to publish this document as a BCP.

Protocol Quality

This document has been reviewed for the IESG by David Kessens.
2006-06-07
06 Dinara Suleymanova Draft Added by Dinara Suleymanova in state Publication Requested
2006-04-10
06 (System) New version available: draft-ietf-dnsop-bad-dns-res-06.txt
2006-02-13
05 (System) New version available: draft-ietf-dnsop-bad-dns-res-05.txt
2005-07-19
04 (System) New version available: draft-ietf-dnsop-bad-dns-res-04.txt
2004-10-27
03 (System) New version available: draft-ietf-dnsop-bad-dns-res-03.txt
2004-02-17
02 (System) New version available: draft-ietf-dnsop-bad-dns-res-02.txt
2003-06-25
01 (System) New version available: draft-ietf-dnsop-bad-dns-res-01.txt
2001-11-14
00 (System) New version available: draft-ietf-dnsop-bad-dns-res-00.txt