
Re: [IAB] Last Call: <draft-iab-2870bis-01.txt> (DNS Root Name Service Protocol and Deployment Requirements) to Best Current Practice

2015-03-04 22:56:06

In message <78A73ED3-BAAB-448F-A550-77F69535422B(_at_)vpnc(_dot_)org>, Paul Hoffman writes:
On Mar 4, 2015, at 6:57 PM, Jari Arkko <jari(_dot_)arkko(_at_)piuha(_dot_)net> wrote:
The requirements in Section 2 should be clearly stated as being
appropriate only for the authoritative name service. The last bullet says
this, but the first bullet says "MUST implement core DNS [RFC1035] and
clarifications to the DNS [RFC2181]." That could be interpreted as saying
that the root name service must follow all the rules of RFC 1035, not
just those that apply to authoritative name servers, and there are a
bunch that should not be required. Consider changing that sentence
fragment to "MUST implement core DNS [RFC1035] and clarifications to the
DNS [RFC2181], as an authoritative name service".

I think this seems reasonable. Marc?

Another bullet in Section 2 may be problematic:
    MUST generate checksums when sending UDP datagrams and MUST verify
    checksums when receiving UDP datagrams containing a non-zero
    checksum.
What happens if a root name server receives a UDP datagram with a bad
checksum? It fails verification, but then what? This sentence *might*
incorporate the following clarification, but I'm not sure if it actually
matches the intent.
    MUST generate checksums when sending UDP datagrams, and MUST
    ignore a received UDP datagram containing a non-zero checksum
    when that checksum does not verify.
If that's not the intent, I'm not sure what "verify" means without a
follow-on action.

I would not like to specify protocol in this document. It would be best
if one of the referenced documents already said this, and we could simply
add a reference. Do they?

Oddly, that doesn't appear in any of the DNS-related RFCs I know of. It is
not in the "base" DNS RFCs of 1034 & 1035 & 2181, nor is it in 5966 (DNS
use of TCP). Of the ~100 DNS-related RFCs that Standcore has reviewed in
the DNS conformance testbed, RFC 1912 has the same wording about
verifying UDP checksums without saying what to do if there is a
verification failure, and 1995 has advice of what to do if the checksum
is 0. Other than that, 2870 is the only other RFC that mentions UDP
checksums.

Maybe there is a UDP-specific RFC that says what to do when you get a
failed checksum.

You drop it, possibly incrementing an error counter.  There really
isn't anything else sane to do.  If the checksum doesn't match you
have no idea what part of the UDP packet is wrong or if it even is
a UDP packet.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
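
The behaviour discussed in this thread (generate a checksum on send, verify a non-zero checksum on receive, drop and count on failure), sketched for UDP over IPv4 as an added example; it is not code from the draft, the RFCs or any participant. The function names and the `udp_csum_errors` counter are hypothetical, and the sample datagram is constructed.

```c
#include <stdint.h>
#include <stdio.h>

unsigned long udp_csum_errors;   /* hypothetical drop counter */

/* RFC 1071 ones'-complement sum of n bytes, added onto acc. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)(p[0] << 8 | p[1]);
    if (n) acc += (uint32_t)(p[0] << 8);   /* odd trailing byte, zero-padded */
    return acc;
}

/* Checksum over the IPv4 pseudo-header plus UDP header and payload (RFC 768). */
static uint16_t udp4_csum(const uint8_t *src, const uint8_t *dst,
                          const uint8_t *udp, size_t len) {
    uint8_t ph[4] = { 0, 17, (uint8_t)(len >> 8), (uint8_t)len };  /* zero, proto, length */
    uint32_t acc = sum16(udp, len, sum16(ph, 4, sum16(dst, 4, sum16(src, 4, 0))));
    while (acc >> 16) acc = (acc & 0xffff) + (acc >> 16);
    return (uint16_t)~acc;
}

/* Sender: always generate a checksum; a computed 0 goes on the wire as 0xffff. */
void udp4_fill(const uint8_t *src, const uint8_t *dst, uint8_t *udp, size_t len) {
    udp[6] = udp[7] = 0;
    uint16_t c = udp4_csum(src, dst, udp, len);
    if (c == 0) c = 0xffff;
    udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)c;
}

/* Receiver: returns 1 to pass the datagram up, 0 to drop it silently. */
int udp4_accept(const uint8_t *src, const uint8_t *dst, const uint8_t *udp, size_t len) {
    if (len < 8 || (size_t)(udp[4] << 8 | udp[5]) != len) return 0;  /* malformed */
    if (udp[6] == 0 && udp[7] == 0) return 1;   /* zero: sender sent no checksum */
    if (udp4_csum(src, dst, udp, len) != 0) {   /* non-zero and does not verify */
        udp_csum_errors++;                      /* count it, send nothing back */
        return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed sample: 192.0.2.1:53000 -> 192.0.2.53:53, 5-byte payload. */
    uint8_t src[4] = {192, 0, 2, 1}, dst[4] = {192, 0, 2, 53};
    uint8_t d[13] = {0xcf, 0x08, 0x00, 0x35, 0x00, 0x0d, 0, 0, 'q', 'u', 'e', 'r', 'y'};
    udp4_fill(src, dst, d, sizeof d);
    int ok = udp4_accept(src, dst, d, sizeof d);
    d[9] ^= 0x01;                               /* simulate one flipped bit */
    int bad = udp4_accept(src, dst, d, sizeof d);
    printf("intact=%d corrupt=%d errors=%lu\n", ok, bad, udp_csum_errors);
    return 0;
}
```

The receiver never tries to answer a datagram that fails verification, since the source address and port it would reply to are covered by the same failed checksum.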