Re: [dnsext] WG opinion on draft : Improvements to DNS Resolvers, for Resiliency, Robustness, and Responsiveness
Paul Vixie <vixie@isc.org> Wed, 23 February 2011 10:11 UTC
Return-Path: <vixie@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A2633A6839 for <dnsext@core3.amsl.com>; Wed, 23 Feb 2011 02:11:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmyxQ4T4hzM9 for <dnsext@core3.amsl.com>; Wed, 23 Feb 2011 02:11:14 -0800 (PST)
Received: from nsa.vix.com (unknown [IPv6:2001:4f8:3:bb:230:48ff:fe5a:2f38]) by core3.amsl.com (Postfix) with ESMTP id E85353A6859 for <dnsext@ietf.org>; Wed, 23 Feb 2011 02:11:12 -0800 (PST)
Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id 924CAA1019 for <dnsext@ietf.org>; Wed, 23 Feb 2011 10:11:56 +0000 (UTC) (envelope-from vixie@isc.org)
From: Paul Vixie <vixie@isc.org>
To: dnsext@ietf.org
In-Reply-To: Your message of "Wed, 23 Feb 2011 09:53:36 GMT." <82zkpnyt3z.fsf@mid.bfk.de>
References: <4D622624.90303@ogud.com> <BF79BE89-20B2-4897-B07C-1426745C4AA9@verisign.com> <AANLkTinQig=e7wv-3GsXi73p3AKQOsbjE6EzDNMbWWRw@mail.gmail.com> <4D63907A.8010700@nlnetlabs.nl> <82zkpnyt3z.fsf@mid.bfk.de>
X-Mailer: MH-E 8.2; nmh 1.2; XEmacs 21.4 (patch 22)
Date: Wed, 23 Feb 2011 10:11:56 +0000
Message-ID: <22348.1298455916@nsa.vix.com>
Subject: Re: [dnsext] WG opinion on draft : Improvements to DNS Resolvers, for Resiliency, Robustness, and Responsiveness
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Feb 2011 10:11:27 -0000
> From: Florian Weimer <fweimer@bfk.de> > Date: Wed, 23 Feb 2011 09:53:36 +0000 > > > I do not think you could enable this by default today, because very > old > software might still have bugs in handling empty nonterminals > and send > NXDOMAINs for them. > > A lot of DNSBLs are hosted on servers which send NXDOMAIN for empty > non-terminals. those servers are lying and/or seriously broken/nonconformant. i don't like walking as if on on eggshells to avoid offending them. they ought to be fixed, not tolerated. consider BIND4 4.8's odd AXFR behaviour. it only looked at the first answer in each message, and only sent one answer per message. it had a 100% market share. we fixed the problem in 4.9.3 and added configuration knobs defaulting to sending single-answer output (to avoid causing older noncompliant initiators to reject the transfers) but allowing this to be overridden. eventually we just changed the default. microsoft, whose correct DNS implementation was not compatible with BIND, had to do the same thing. they deserved an apology from me, which they got, not excuses. the standards weren't changed as a result. again, at the beginning of this debacle the offending DNS implementation had a 100% market share. > I don't think this change is worth the effort. I would rather prefer > official blessing of NXDOMAIN synthesis from NSEC/NSEC3 records. This > would be both more deterministic and more effective. while i'd like the DNSSEC solution you propose to also be done, i note that RBLDNSD operators are among the most technically adept name server operators in the history of the internet. a campaign to get this software patched and to get upgrades installed would have a very short tail (shorter than the BIND4 AXFR example cited earlier). this does seem to me worth doing since i'm not expecting all zones to be signed and since the specification with respect to empty non-terminals was never unclear.
- Re: [dnsext] WG opinion on draft : Improvements t… David Blacka
- [dnsext] WG opinion on draft : Improvements to DN… Olafur Gudmundsson
- Re: [dnsext] WG opinion on draft : Improvements t… Brian Dickson
- Re: [dnsext] WG opinion on draft : Improvements t… Tony Finch
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Andrew Sullivan
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… W.C.A. Wijngaards
- Re: [dnsext] WG opinion on draft : Improvements t… Andrew Sullivan
- Re: [dnsext] WG opinion on draft : Improvements t… Doug Barton
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer
- Re: [dnsext] WG opinion on draft : Improvements t… Brian Dickson
- Re: [dnsext] WG opinion on draft : Improvements t… Edward Lewis
- Re: [dnsext] WG opinion on draft : Improvements t… Mark Andrews
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Brian Dickson
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Paul Vixie
- Re: [dnsext] WG opinion on draft : Improvements t… Tony Finch
- Re: [dnsext] WG opinion on draft : Improvements t… Florian Weimer