Re: [dbound] NXDomain (was: Re: [dmarc-ietf] Fwd: New Version Notification for draft-dcrocker-dns-perimeter-00.txt)

"John Levine" <johnl@taugh.com> Sat, 06 April 2019 15:09 UTC

Date: Sat, 06 Apr 2019 11:09:17 -0400
Message-Id: <20190406150918.9B9BC2011A23A4@ary.qy>
From: John Levine <johnl@taugh.com>
To: dbound@ietf.org
Cc: dcrocker@bbiw.net
In-Reply-To: <acb079bc-53d4-780b-2f1c-98072159e7aa@dcrocker.net>
Organization: Taughannock Networks
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/EjXXkO5_FqiWVjfRlmdvSw_O4h0>

In article <acb079bc-53d4-780b-2f1c-98072159e7aa@dcrocker.net> you write:
>However from what I can tell, including Additional information in an 
>NXDomain response is entirely legal, albeit certainly unusual.

No argument there.

>My understanding is that it's likely careful use of a resolver library 
>can retrieve the Additional information.  Some calls won't get it; 
>others probably will.

As I may have said one or two times before, this hack will require
changes to DNS servers to return additional information that they
don't return now, changes to DNS caches to store and pass through
additional information that they don't store or pass through now, and
changes to DNS client libraries to retrieve the additional information
that they don't retrieve now.  I will cheerfully bet any amount of
money that none of these changes ever happen.
>The guidance for making this work is that it's seeking to emulate DNS 
>wildcard behavior, through cooperative behavior by both the resolver and 
>the authoritative server.

Don't forget the caches, which also will need to be changed.

Once again, please compare this proposal to my 2016 proposal that uses
normal DNS wildcards and works right now with no changes to any DNS
server, cache, or client.  Using TXT records, a fair amount of DNS
crudware can probably provision it, too.  I'm not saying it's perfect,
but it's at least plausible.

R's,
John
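The exchange above turns on two wire-level facts: an NXDOMAIN response may legally carry records in its Additional section, and a client that reads only the Answer section will never see them. The following is an added example, not code from the thread or from either draft: it builds such a response with the Python standard library (RCODE 3, the zone SOA in Authority as a negative answer normally carries, one TXT record in Additional), parses it back, and contrasts what an answer-only client sees with what a client that inspects Additional sees. The owner name `_bound.example.com`, the TXT value, and the SOA fields are constructed for illustration and are not taken from any proposal.

```python
"""Build and parse an NXDOMAIN response that carries Additional-section data.

Added example (not from the thread). Uses only the standard library so it runs
offline; the names and record values below are constructed, not real.
"""
import struct

RCODE_NXDOMAIN = 3
TYPE_SOA, TYPE_TXT = 6, 16
CLASS_IN = 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels (RFC 1035 s3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def encode_rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def txt_rdata(text):
    data = text.encode("utf-8")
    return bytes([len(data)]) + data  # one <character-string>


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return encode_name(mname) + encode_name(rname) + struct.pack(
        "!IIIII", serial, refresh, retry, expire, minimum)


def build_nxdomain(qname, zone, txt_owner, txt_value, txid=0x1234):
    """Authoritative NXDOMAIN for qname: SOA in Authority, one TXT in Additional."""
    flags = FLAG_QR | FLAG_AA | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 1, 1)  # qd, an, ns, ar counts
    question = encode_name(qname) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    authority = encode_rr(zone, TYPE_SOA, 3600, soa_rdata(
        "ns1." + zone, "hostmaster." + zone, 2019040601, 7200, 900, 1209600, 3600))
    additional = encode_rr(txt_owner, TYPE_TXT, 3600, txt_rdata(txt_value))
    return header + question + authority + additional


def decode_name(buf, off):
    """Decode labels, following compression pointers (RFC 1035 s4.1.4) if present."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_rr(buf, off):
    name, off = decode_name(buf, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
    off += 10
    return (name, rtype, ttl, buf[off:off + rdlen]), off + rdlen


def parse_message(buf):
    """Return rcode, question and the three RR sections of a DNS message."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(buf, off)
        qtype, _qclass = struct.unpack("!HH", buf[off:off + 4])
        off += 4
        questions.append((name, qtype))
    msg = {"rcode": flags & 0xF, "question": questions}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            rr, off = parse_rr(buf, off)
            rrs.append(rr)
        msg[key] = rrs
    return msg


def txt_strings(rdata):
    out, off = [], 0
    while off < len(rdata):
        n = rdata[off]
        out.append(rdata[off + 1:off + 1 + n].decode("utf-8"))
        off += 1 + n
    return out


def section_txt(msg, section):
    """TXT strings from one section; 'answer' is all a typical stub API exposes."""
    return [s for (_n, t, _ttl, rd) in msg[section] if t == TYPE_TXT for s in txt_strings(rd)]


if __name__ == "__main__":
    wire = build_nxdomain("nonexistent.example.com.", "example.com.",
                          "_bound.example.com.", "constructed-example")
    m = parse_message(wire)
    print("rcode", m["rcode"], "answer TXT", section_txt(m, "answer"),
          "additional TXT", section_txt(m, "additional"))
```

The point to take from running it is the last line: the same packet yields an empty list through the Answer section and the TXT string only through Additional, which is exactly the client-library change the message says would be needed; a cache that drops unsolicited Additional data on a negative answer would remove the record before a client ever had the chance.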