Hello dnsop folks,

Discussion with Manu Bretelle in the other thread got me thinking about the subset of codes operators want to hear about. Let's think a bit about this part of the spec:

On 09. 11. 21 23:59, internet-dra...@ietf.org wrote:
        Filename        : draft-ietf-dnsop-dns-error-reporting-01.txt
6.1.1.  Constructing the Reporting Query

   The QNAME for the reporting query is constructed by concatenating the
   following elements, appending each successive element in the list to
   the right-hand side of the QNAME:

   o  A label containing the string "_er".

   o  The Extended DNS error, presented as a decimal value, in a single
      DNS label.

   o  The QTYPE that was used in the query that resulted in the extended
      DNS error, presented as a decimal value, in a single DNS label.

   o  The QNAME that was used in the query that resulted in the extended
      DNS error.  The QNAME may consist of multiple labels and is
      concatenated as is, i.e. in DNS wire format.

   o  A label containing the string "_er".

   o  The reporting agent domain.  The reporting agent domain consists
      of multiple labels and is concatenated exactly as received in the
      EDNS option sent by the authoritative server.

4.2.  Example
   _er.7.1.broken.test._er.a01.reporting-agent.example

Using RFC 8020 ("there's nothing below NXDOMAIN") or RFC 8198 (DNSSEC aggressive cache) an operator can effectively cut out some parts of the "reporting subtree" and dampen queries for it. This enables various tricks, depending on how we construct the query name:

_er.<ede code>.<qname>._er.<reporting agent domain>
_er.<qname>.<ede code>._er.<reporting agent domain>


A) Variant A (current draft):
- I'm operating domain "petrs.example"
- subtree "dnssec-failed.petrs.example" is a playground which intentionally fails DNSSEC validation (sorry Manu :-))
- error reporting agent domain is "agent.test"

I use domain dnssec-failed.petrs.example in a piece of JavaScript which renders "DNSSEC validation does (not) work" text on my web front page, so it gets queried fairly often, and I do not want to hear about failures in this subtree.

Within the current draft it can be done with agent.test zone file like this:
$ORIGIN _er.agent.test.
*                            TXT "tell me!"   ; wildcard: report everything else
dnssec-failed.petrs.example  TXT "silence"    ; existing name, so the wildcard is not synthesised below it

Wildcard expansion rules & RFC 8020 & query name minimization will cut out the whole subtree, saving traffic and also noise in data received by the reporting agent.


B) Variant B:
- My domain "petrs.example" hosts a really nasty political satire, and it gets censored a lot - I don't care about reports of EDE "Censored" because there is nothing I can do about them anyway
- I still _do_ care about technical issues.

To make use of the same technique as in the previous example (wildcard), we would have to switch the order of elements in the reporting query to:

_er.<qname>.<ede code>._er.<reporting agent domain>

This structure allows using the same trick on a per-EDE-code basis:

$ORIGIN _er.agent.test.
*   TXT "tell me!"   ; wildcard: report everything else
16  TXT "silence"    ; 16 = EDE Censored; the rightmost label before _er.<reporting agent domain>
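To make the two orderings concrete, here is an added example (my own code, not from the draft or from the mail above): it builds the reporting QNAME for variant A and variant B and models the agent zone sketched above, where an explicit owner name under _er.<agent> silences everything below it. The placement of the QTYPE label between <qname> and <ede> in variant B is an assumption, since the shorthand omits it.

```python
# Added example, not code from the draft or from the mail.  Builds the reporting
# QNAME of draft-ietf-dnsop-dns-error-reporting-01 6.1.1 (variant A) and the
# reordered variant B, then models the agent zone: a "*" TXT under _er.<agent>
# plus explicit owner names that silence a subtree.  Variant B's QTYPE slot is assumed.

EDE_SIGNATURE_EXPIRED = 7   # EDE 7, the code used in the draft's example
EDE_CENSORED = 16           # EDE 16, "Censored", as in the mail
QTYPE_A = 1


def labels(name):
    """Split a presentation-format name into its labels (root dot dropped)."""
    return name.rstrip(".").split(".")


def reporting_qname(ede, qtype, qname, agent, variant="A"):
    """Return the reporting QNAME (as a label list) for the given variant."""
    if variant == "A":    # current draft: _er.<ede>.<qtype>.<qname>._er.<agent>
        middle = [str(ede), str(qtype)] + labels(qname)
    elif variant == "B":  # proposed:      _er.<qname>.<qtype>.<ede>._er.<agent>
        middle = labels(qname) + [str(qtype), str(ede)]
    else:
        raise ValueError("variant must be 'A' or 'B'")
    return ["_er"] + middle + ["_er"] + labels(agent)


def silenced_by(report, agent, silenced):
    """Return the explicit owner name (relative to _er.<agent>) whose subtree holds
    the reporting QNAME, or None if the "*" record would answer it.  An explicit
    name is a closer encloser than the apex, so "*" is not synthesised below it."""
    apex = ["_er"] + labels(agent)
    if report[-len(apex):] != apex:
        raise ValueError("report is not under the agent's _er apex")
    below = report[:-len(apex)]            # labels between the two _er labels, plus the leading _er
    for name in silenced:
        s = labels(name)
        if len(below) > len(s) and below[-len(s):] == s:   # strictly below the explicit name
            return name
    return None


if __name__ == "__main__":
    # Constructed inputs reusing the mail's names: petrs.example and agent.test
    for ede, qname in [(EDE_SIGNATURE_EXPIRED, "dnssec-failed.petrs.example"),
                       (EDE_CENSORED, "www.petrs.example")]:
        a = reporting_qname(ede, QTYPE_A, qname, "agent.test", "A")
        b = reporting_qname(ede, QTYPE_A, qname, "agent.test", "B")
        print(".".join(a), "->", silenced_by(a, "agent.test", ["dnssec-failed.petrs.example"]))
        print(".".join(b), "->", silenced_by(b, "agent.test", [str(EDE_CENSORED)]))
```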



The question is: Which variant is better?

I don't remember from our previous discussions if the current ordering in the draft was a conscious choice or not, sorry if I forgot.

Have a great weekend everyone!

--
Petr Špaček

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
