[dane] getdns API and suffix search list

Viktor Dukhovni <viktor1dane@dukhovni.org> Wed, 26 February 2014 19:30 UTC

Date: Wed, 26 Feb 2014 19:30:32 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20140226193031.GD21390@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/pcEw2D4jB0-xOVOrYzwyzFyCY14
Subject: [dane] getdns API and suffix search list

On Wed, Feb 26, 2014 at 07:09:57PM +0000, Wiley, Glen wrote:

> An application using the getdns api can decide how it will take advantage
> of the system files - for example whether it wants to use a search option
> which is an improvement over the current approach in which applications
> are not aware of whether a suffix was appended to a query.

The write-up on Paul's site does not specify how suffix appending
interacts with DNSSEC.  Is that written down somewhere?

I think that applications should studiously avoid mixing the two,
but they may need to be warned, or at least the interaction of the
two needs to be documented.

In particular, after an insecure denial of existence (or after any
lookup failure, such as a timeout, SERVFAIL, ...) of a suffixed
name, all subsequent lookups with other suffixes, or with no suffix,
must be deemed insecure.

How do suffixed lookups handle lookup errors for a suffixed name?  Does
the query fail at that point, or does it continue with any remaining
suffixes or bare name?