IETF Logo Mail Archive

Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers

Mark Andrews <marka@isc.org> Thu, 21 November 2013 00:21 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E596F1AE1AC for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 16:21:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.526
X-Spam-Level:
X-Spam-Status: No, score=-2.526 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VyNHhkb_uodO for <dane@ietfa.amsl.com>; Wed, 20 Nov 2013 16:21:20 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 0035F1AE1FC for <dane@ietf.org>; Wed, 20 Nov 2013 16:21:19 -0800 (PST)
Received: from mx.pao1.isc.org (localhost [127.0.0.1]) by mx.pao1.isc.org (Postfix) with ESMTP id 99676C94B8; Thu, 21 Nov 2013 00:21:00 +0000 (UTC) (envelope-from marka@isc.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=dkim2012; t=1384993273; bh=zDIjO6ZaiECAt4o8RAuIyG11/zLa8wFsJa3jBQ6m+Wo=; h=To:Cc:From:References:Subject:In-reply-to:Date; b=aFdj66QcX4wHDs7E/EptQlvHEtBo3OxleCsHHTSmqdWBoyakTZzeD1Qli+5xf/igZ dd0iogqq09afWQNS6hAEh69qVlnEE6zpSCzm5UvIjANPmVzSiKElFZ6fJ758/YaYtK Ox/RF6Nmt/SyjmsdKvy1K3qRnXeIEoy6YfPU6Qwc=
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP; Thu, 21 Nov 2013 00:21:00 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 0F1C516042E; Thu, 21 Nov 2013 00:27:51 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id D15C01603E9; Thu, 21 Nov 2013 00:27:50 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 0500FAAB027; Thu, 21 Nov 2013 11:20:57 +1100 (EST)
To: mrex@sap.com
From: Mark Andrews <marka@isc.org>
References: <20131121000528.8BDF61AACA@ld9781.wdf.sap.corp>
In-reply-to: Your message of "Thu, 21 Nov 2013 01:05:28 +0100." <20131121000528.8BDF61AACA@ld9781.wdf.sap.corp>
Date: Thu, 21 Nov 2013 11:20:57 +1100
Message-Id: <20131121002058.0500FAAB027@rock.dv.isc.org>
X-DCC--Metrics: post.isc.org; whitelist
Cc: dane@ietf.org
Subject: Re: [dane] TLSA lookup impedance mismatch with bare-bones DNS servers
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2013 00:21:22 -0000

In message <20131121000528.8BDF61AACA@ld9781.wdf.sap.corp>, Martin Rex writes:
> Viktor Dukhovni wrote:
> > 
> > > RFC 103[45] say what to return if the name exists and
> > > the type doesn't and it isn't NOTIMP.
> > 
> > In this case the name does not exist, so the nameserver should be
> > returning NXDOMAIN, but it snatches defeat from the jaws of victory
> > and indeed returns "NOTIMP":
> > 
> >     ; <<>> DiG 9.8.0rc1 <<>> +norecur -t TYPE52 _25._tcp.mail.protection.outlook.com. @ns1-proddns.glbdns.o365filtering.com.
> >     ;; global options: +cmd
> >     ;; Got answer:
> >     ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 4960
> >     ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> > 
> > which 8.8.8.8 relayed as SERVFAIL.  If there is someone from
> > Microsoft on this list, please forward a pointer to thread to the
> > appropriate interested parties.
> 
> 
> I haven't looked at any of the other stuff (from this discussion),
> but this latter appears to be a major goof in Googles DNS server.
> 
> Forwarding NOTIMP (=permanent, do not retry) as a temporary
> RC (SERVFAIL) is pretty unreasonable on my scorecard.

NOTIMP causes a recursive server to try other servers or if
it was a EDNS query to try a plain DNS query.
REFUSED causes a recursive server to try other servers.
SERVFAIL causes a recursive server to try other servers.

When you exhaust the list of servers you return SERVFAIL.

NOTIMP, REFUSED and SERVFAIL are not authoritative responses.

> -Martin
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.15.0 | Report a Bug | By Email