[dns-operations] DNS error reporting
Petr Spacek
pspacek at redhat.com
Mon Feb 15 09:39:33 UTC 2016
On 12.2.2016 15:35, Shane Kerr wrote:
> George,
>
> At 2016-02-12 11:43:23 +0000
> George Ross <gdmr at inf.ed.ac.uk> wrote:
>
>>> Can we invent something which is structured enough so the end node can
>>> translate the message for the user? Or even advise what might be wrong?
>>
>> Can we invent something where the error response is smaller than, or at
>> least not much bigger than, the original request? It would be as well not
>> to provide another DDoS amplifier.
>
> Since the question is copied back in the answer to a DNS query, this is
> tricky. :)
>
> The only way I can see to do this is by padding the query packet so
> that the response is never bigger than the query.
>
> This results in three unpleasant alternatives though:
>
> 1. If the stub resolver gets a SERVFAIL then re-send the query asking
> for an error, with padding, and hope that you see the exact same
> error again.
>
> 2. Or, the recursive resolver can send an error ID to the client, which
> the client can then use to get the full error information by using a
> special query with padding.
>
> 3. The stub resolver can pad *every* query.
>
> Option 3 is probably the easiest, and maybe not so bad in these days of
> no-copy packet processing?
>
> Option 2 is arguably the "best", except that now a recursive resolver
> has yet more state to track. Maybe that doesn't matter, although it may
> be troublesome if the error involves memory problems that mean that it
> can't add any more state.
>
> Option 1 is nondeterministic. It also means more packets on the wire at
> the exact time when the system is under stress. :(
Maybe we can send the error back only when the client is connected over TCP or is
using DNS cookies.
--
Petr Spacek @ Red Hat
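The two size-control ideas in this thread, the client padding its query so the response never exceeds it (option 3) and the server attaching error detail only over TCP or to a cookie-validated client, as an added example that is not part of the list discussion. The error text rides in a hypothetical EDNS option code (65001, private-use range); the query and response bytes are constructed here, and cookie validation is modelled as a flag.

```python
import struct

EDNS_COOKIE = 10     # EDNS option code for DNS Cookies (RFC 7873)
EDNS_PADDING = 12    # EDNS option code for Padding (RFC 7830)
ERROR_OPT = 65001    # hypothetical option code carrying the error text (private-use range)

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def opt_rr(options):
    # OPT pseudo-RR: root name, TYPE=41, UDP size 1232, ext-RCODE/version/flags=0, RDATA
    rdata = b"".join(struct.pack("!HH", code, len(v)) + v for code, v in options)
    return b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(rdata)) + rdata

def build_query(name, padding=0, cookie=b""):
    # RD set, one question, one additional record (the OPT RR); QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1)
    options = []
    if cookie:
        options.append((EDNS_COOKIE, cookie))
    if padding:
        options.append((EDNS_PADDING, b"\x00" * padding))   # option 3: the client pads its query
    return header + encode_name(name) + struct.pack("!HH", 1, 1) + opt_rr(options)

def question_end(msg):
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4          # past the root label, QTYPE and QCLASS

def build_servfail(query, error_text, attach_error):
    # QR|RD|RA with RCODE=2 (SERVFAIL); the question section is echoed back as usual
    header = query[:2] + struct.pack("!HHHHH", 0x8182, 1, 0, 0, 1)
    options = [(ERROR_OPT, error_text.encode())] if attach_error else []
    return header + query[12:question_end(query)] + opt_rr(options)

def may_attach_error(query, full_len, over_tcp, cookie_valid):
    # TCP or a valid cookie shows the source address is genuine; otherwise allow no amplification
    return over_tcp or cookie_valid or full_len <= len(query)

def answer(query, error_text, over_tcp=False, cookie_valid=False):
    full = build_servfail(query, error_text, True)
    if may_attach_error(query, len(full), over_tcp, cookie_valid):
        return full
    return build_servfail(query, error_text, False)     # plain SERVFAIL, no larger than the query
```

With an unpadded 40-byte query the 60-byte detailed SERVFAIL is only returned over TCP or to a cookie-validated client; a client that pads its query to at least 60 bytes gets it over plain UDP as well.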