Re: [dnsext] WG opinion on draft : Improvements to DNS Resolvers, for Resiliency, Robustness, and Responsiveness

Mark Andrews <marka@isc.org> Thu, 24 February 2011 00:30 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 166BD3A697D for <dnsext@core3.amsl.com>; Wed, 23 Feb 2011 16:30:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[AWL=0.700, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9iIzO+51040 for <dnsext@core3.amsl.com>; Wed, 23 Feb 2011 16:30:43 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by core3.amsl.com (Postfix) with ESMTP id B179D3A659A for <dnsext@ietf.org>; Wed, 23 Feb 2011 16:30:42 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id BE5E55F983B; Thu, 24 Feb 2011 00:31:15 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (drugs.dv.isc.org [IPv6:2001:470:1f00:820:ea06:88ff:fef3:4f9c]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id D2ED4216C22; Thu, 24 Feb 2011 00:31:13 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 7DFB0AD98A4; Thu, 24 Feb 2011 11:31:09 +1100 (EST)
To: Paul Vixie <vixie@isc.org>
From: Mark Andrews <marka@isc.org>
References: <4D622624.90303@ogud.com> <BF79BE89-20B2-4897-B07C-1426745C4AA9@verisign.com> <AANLkTinQig=e7wv-3GsXi73p3AKQOsbjE6EzDNMbWWRw@mail.gmail.com> <4D63907A.8010700@nlnetlabs.nl> <82zkpnyt3z.fsf@mid.bfk.de> <22348.1298455916@nsa.vix.com> <82ei6zyqqz.fsf@mid.bfk.de> <39328.1298474414@nsa.vix.com>
In-reply-to: Your message of "Wed, 23 Feb 2011 15:20:14 -0000." <39328.1298474414@nsa.vix.com>
Date: Thu, 24 Feb 2011 11:31:09 +1100
Message-Id: <20110224003109.7DFB0AD98A4@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] WG opinion on draft : Improvements to DNS Resolvers, for Resiliency, Robustness, and Responsiveness
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Feb 2011 00:30:44 -0000

In message <39328.1298474414@nsa.vix.com>, Paul Vixie writes:
> > From: Florian Weimer <fweimer@bfk.de>
> > Date: Wed, 23 Feb 2011 10:44:36 +0000
> > 
> > > while i'd like the DNSSEC solution you propose to also be done, i note
> > > that RBLDNSD operators are among the most technically adept name server
> > > operators in the history of the internet.  a campaign to get this
> > > software patched and to get upgrades installed would have a very short
> > > tail (shorter than the BIND4 AXFR example cited earlier).
> > 
> > For a while, I've been sitting on another rbldnsd/resolver interaction
> > bug and have been given the run-around so far.  I'm not convinced that
> > deploying new code is simple.
> 
> sometimes it takes a code fork if the author is no longer supporting a thing.
> 
> > > this does seem to me worth doing since i'm not expecting all zones
> > > to be signed and since the specification with respect to empty
> > > non-terminals was never unclear.
> > 
> > If it wasn't unclear, why did almost everyone implement the old behavior?
> 
> who is everyone?  i don't think bind or nominum or microsoft's or
> american internet's (now cisco's) authority servers have ever sent
> nxdomain on an empty non-terminal, and for a long time that was 100%
> of the market.  nlnetlabs nsd and verisign atlas both understood the
> spec in this regard also.

The early DNSSEC RFCs specified that NXDOMAIN was to be returned,
and named did.  It took some arguing by me, internally and then to
dnsext, to get that reversed.  While this is listed as a bug, it was
a protocol bug which was then corrected in code.

1416.   [bug]           Empty node should return NOERROR NODATA, not NXDOMAIN.
                        [RT #4715]

> the behaviour everyone implemented was on the initiator side, wherein
> they did not stop a downward traversal on a cached nxdomain, even with
> an rfc 2308 proof in cache, thus shortcutting iteration and forwarding.
> the specification was not ambiguous on this point; it was utterly silent.
> however, given that the authority server's behaviour (send NOERROR with
> ANCOUNT=0) has always been unambiguous, this silence looks like a missed
> implication to me rather than omission by intent.
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
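The following is an added example, not code from this thread, from ISC, or from rbldnsd. It models the two behaviours the thread is about: an authoritative server answering an empty non-terminal with NOERROR and ANCOUNT=0 (the corrected behaviour, changelog entry 1416 above) versus the old NXDOMAIN answer, and a resolver that stops a downward traversal on a cached NXDOMAIN, as Vixie describes the draft proposing. The zone content, names and addresses are constructed for illustration; the "subtree negative cache" class is a deliberately simplified model of that resolver rule, not any product's implementation.

```python
# Added example (not from the thread, ISC or rbldnsd): toy authoritative
# lookup over a constructed blocklist-style zone, contrasting the correct
# NOERROR/NODATA answer for an empty non-terminal with the old NXDOMAIN
# answer, and showing what a resolver that treats a cached NXDOMAIN as
# covering the whole subtree concludes in each case.
from typing import Dict, List, Set, Tuple

# Constructed sample zone: owner name -> {RRtype: [rdata, ...]}.
# 4.3.2.1.bl.example. exists, so 3.2.1.bl.example., 2.1.bl.example. and
# 1.bl.example. are empty non-terminals (ENTs): no RRsets, but names below.
ORIGIN = "bl.example."
ZONE: Dict[str, Dict[str, List[str]]] = {
    "bl.example.": {
        "SOA": ["ns.bl.example. hostmaster.bl.example. 1 3600 900 604800 300"],
        "NS": ["ns.bl.example."],
    },
    "ns.bl.example.": {"A": ["192.0.2.53"]},
    "4.3.2.1.bl.example.": {"A": ["127.0.0.2"], "TXT": ["listed"]},
}


def is_ent(qname: str) -> bool:
    """True if qname owns no RRsets but some name below it does."""
    return qname not in ZONE and any(n.endswith("." + qname) for n in ZONE)


def lookup(qname: str, qtype: str, ent_as_nxdomain: bool = False) -> Tuple[str, List[str]]:
    """Authoritative answer as (rcode, rdata list).

    NOERROR with an empty list is the RFC 2308 NODATA response (ANCOUNT=0).
    ent_as_nxdomain=True reproduces the old, wrong behaviour discussed in
    the thread: an ENT answered with NXDOMAIN.
    """
    if qname != ORIGIN and not qname.endswith("." + ORIGIN):
        return ("REFUSED", [])          # not our zone
    if qname in ZONE:
        return ("NOERROR", list(ZONE[qname].get(qtype, [])))  # data or NODATA
    if is_ent(qname):
        return ("NXDOMAIN", []) if ent_as_nxdomain else ("NOERROR", [])
    return ("NXDOMAIN", [])             # name truly does not exist


class SubtreeNegativeCache:
    """Simplified model of the resolver rule the draft proposes: a cached
    NXDOMAIN for a name is taken as proof that every name below it is absent,
    so iteration stops there (assumption: no TTL handling in this model)."""

    def __init__(self) -> None:
        self.nxdomain: Set[str] = set()

    def record(self, qname: str, rcode: str) -> None:
        if rcode == "NXDOMAIN":
            self.nxdomain.add(qname)

    def known_absent(self, qname: str) -> bool:
        return any(qname == n or qname.endswith("." + n) for n in self.nxdomain)


def resolve(qname: str, qtype: str, cache: SubtreeNegativeCache,
            ent_as_nxdomain: bool = False) -> Tuple[str, List[str]]:
    """Resolver: answer from the negative cache if it covers qname,
    otherwise ask the authority and cache any NXDOMAIN."""
    if cache.known_absent(qname):
        return ("NXDOMAIN", [])
    rcode, rdata = lookup(qname, qtype, ent_as_nxdomain)
    cache.record(qname, rcode)
    return (rcode, rdata)


def demo(ent_as_nxdomain: bool) -> Tuple[str, str]:
    """Query an ENT first, then the listed address below it; return the two
    rcodes the client sees.  With the old authority behaviour the second
    query never reaches the authority and the listed address is reported
    absent, i.e. a blocklist miss caused purely by the ENT answer."""
    cache = SubtreeNegativeCache()
    first, _ = resolve("1.bl.example.", "A", cache, ent_as_nxdomain)
    second, _ = resolve("4.3.2.1.bl.example.", "A", cache, ent_as_nxdomain)
    return first, second


if __name__ == "__main__":
    print("ENT answered NOERROR/NODATA:", demo(False))
    print("ENT answered NXDOMAIN       :", demo(True))
```

Run as-is, the first line shows both queries answered NOERROR; the second shows that once the authority says NXDOMAIN for the empty non-terminal, the resolver's subtree rule also answers NXDOMAIN for the listed address beneath it without ever asking.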