Re: [dbound] [dmarc-ietf] Fwd: New Version Notification for draft-dcrocker-dns-perimeter-00.txt

Dave Crocker <> Thu, 04 April 2019 02:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 13F46120153 for <>; Wed, 3 Apr 2019 19:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id kEP79dq5SAAQ for <>; Wed, 3 Apr 2019 19:54:23 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7B1C31200F1 for <>; Wed, 3 Apr 2019 19:54:23 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) by (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x342u1k7013845 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 3 Apr 2019 19:56:01 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=default; t=1554346562; bh=FLlYN4FSnr4VR+s8HFghhV5sB9HSY4ZYLKez461noQc=; h=Subject:To:Cc:References:From:Reply-To:Date:In-Reply-To:From; b=MgOswz3M3Aq7dfmCunhOfx7R0zqSeAO7cFiszh6Z3EacplR6ctAdvCHcRaLtPks8g LcZ6ioAYclj+Xh8x0cVNWkDHLddta6rEJY2iQuzEDo2K5GRuTl5LBpbiuaO6FALlPv qQyTUC5kfd0oMBlp2jwUTXkgqcAEBmFiGTiJGDpI=
To: "John R. Levine" <>
Cc: tjw ietf <>,
References: <20190403175820.8391420115F376@ary.qy> <> <alpine.OSX.2.21.1904031430270.21189@ary.qy> <> <alpine.OSX.2.21.1904031459480.21189@ary.qy> <> <> <alpine.OSX.2.21.1904032056230.22661@ary.qy> <> <alpine.OSX.2.21.1904032126480.22887@ary.qy> <> <alpine.OSX.2.21.1904032148150.22920@ary.qy>
From: Dave Crocker <>
Organization: Brandenburg InternetWorking
Message-ID: <>
Date: Wed, 3 Apr 2019 19:54:12 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.1904032148150.22920@ary.qy>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [dbound] [dmarc-ietf] Fwd: New Version Notification for draft-dcrocker-dns-perimeter-00.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS tree bounds <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 04 Apr 2019 02:54:26 -0000

On 4/3/2019 7:14 PM, John R. Levine wrote:
> That bit in the parentheses, who does the modifying, and how does it get 
> into the running versions of BIND and NSD and PowerDNS and all the other 
> DNS servers and caches that people use?

You appear to be confusing 'adding to an implementation' with 'changing 
the protocol'.  Modifying the protocol is changing DNS.  Adding code 
might or might not be, and in this case it isn't.  It is adding a /use/ 
of /existing/ DNS mechanisms.  That's not 'changing the DNS'.

> Although now that I think about it, it won't work anyway.  For one 
> thing, if you ask for _perim.a.b.c.tld, and there is only _perim.c.tld, 
> the DNS response will be an NXDOMAIN and I don't think that DNS clients 
> expect to find additional records in an NXDOMAIN response.  Or if we 
> wave our hands some more and somehow make it a NODATA (positive response 
> with no records), the fact that there's _perim.c.tld in the additional 
> section doesn't mean that there wouldn't also be _perim.b.c.tld if you 
> asked for it.  There's another whole set of failures if there's a zone 
> cut between the name you ask for and the _perim above it.

The NXDomain looks like an interesting bit of inconvenience.  Have to 
think about it some more.

And yes, zone boundaries are always fun.  But since these are names that 
are, by definition, within a single administrative scope, I suspect 
that's solvable too.

> Don't take my word for it, ask in dnsop.  Or perhaps Tim has some opinions.

I already sent a note to dnsop, inviting them to dbound for this discussion.


Dave Crocker
Brandenburg InternetWorking
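As an added illustration of the lookup behaviour discussed above (this is not code from the message, from draft-dcrocker-dns-perimeter-00, or from any DNS implementation), the following Python simulates a client that walks up the name tree one label at a time, issuing a separate query for the `_perim` name at each level. The exchange shows why a single query for `_perim.a.b.c.tld` tells the client nothing when only `_perim.c.tld` exists (it gets NXDOMAIN, with no additional data), and why a marker found higher up does not rule out a closer one below it. Assumptions: the marker is a TXT record at a `_perim` label, the in-memory table stands in for live DNS (NXDOMAIN when a name does not exist, NODATA when it exists but holds no marker), and all names and record contents are constructed for the example. Zone cuts are not modelled.

```python
"""Simulated ancestor walk for _perim markers (constructed example)."""
from typing import Dict, List, Optional, Tuple

# Constructed in-memory "DNS": owner name -> list of TXT strings.
# A name present with an empty list models a NODATA answer (the name exists
# but carries no marker); a name absent from the table models NXDOMAIN.
ZONE_DATA: Dict[str, List[str]] = {
    "_perim.c.tld": ["perim=1"],      # outer marker (assumed record form)
    "_perim.b.c.tld": ["perim=1"],    # inner marker below the outer one
    "_perim.z.c.tld": [],             # name exists, no marker -> NODATA
    "www.a.b.c.tld": ["host"],        # an ordinary leaf name
}

NXDOMAIN, NODATA, NOERROR = "NXDOMAIN", "NODATA", "NOERROR"

def query(name: str, db: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Return (rcode, records) for one simulated TXT query.

    NXDOMAIN carries no records: a real resolver would not look for
    additional data in it, which is the point raised in the thread.
    """
    name = name.rstrip(".").lower()
    if name in db:
        recs = db[name]
        return (NOERROR, list(recs)) if recs else (NODATA, [])
    # A name also exists (empty non-terminal) if something lives beneath it.
    if any(k.endswith("." + name) for k in db):
        return (NODATA, [])
    return (NXDOMAIN, [])

def find_perimeter(name: str,
                   db: Dict[str, List[str]]
                   ) -> Optional[Tuple[str, List[str], int]]:
    """Walk from the leaf towards the root, querying _perim at each level.

    Returns (scope, records, queries_issued) for the *closest* enclosing
    marker, or None if no level answers with records. Each level costs one
    query, because neither NXDOMAIN nor NODATA at a lower level can say
    anything about the levels above it.
    """
    labels = name.rstrip(".").lower().split(".")
    queries = 0
    for i in range(len(labels)):
        scope = ".".join(labels[i:])
        rcode, recs = query("_perim." + scope, db)
        queries += 1
        if rcode == NOERROR:
            return (scope, recs, queries)
        # NXDOMAIN or NODATA: keep climbing; a marker may still exist above.
    return None

if __name__ == "__main__":
    # One direct query learns nothing about _perim.c.tld:
    print(query("_perim.a.b.c.tld", ZONE_DATA))          # ('NXDOMAIN', [])
    # The walk finds the inner marker first, not the outer one:
    print(find_perimeter("www.a.b.c.tld", ZONE_DATA))    # ('b.c.tld', ['perim=1'], 3)
    print(find_perimeter("host.z.c.tld", ZONE_DATA))     # ('c.tld', ['perim=1'], 3)
    print(find_perimeter("x.y.other.tld", ZONE_DATA))    # None
```

The walk starts at the leaf so that the nearest marker wins; starting at the TLD and walking down would instead report the outermost marker and require knowing where to stop. Either way the query count grows with the number of labels, which is the cost of not being able to rely on the additional section of a negative answer.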