Re: [dnsext] MaraDNS and NXDOMAIN/NOERROR on non-terminal nodes

"John R. Levine" <> Sat, 23 April 2011 21:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 343F1E068B for <>; Sat, 23 Apr 2011 14:08:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -109.078
X-Spam-Status: No, score=-109.078 tagged_above=-999 required=5 tests=[AWL=2.121, BAYES_00=-2.599, HABEAS_ACCREDITED_SOI=-4.3, RCVD_IN_BSP_TRUSTED=-4.3, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hLA0688nWoWM for <>; Sat, 23 Apr 2011 14:08:09 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 4D277E0686 for <>; Sat, 23 Apr 2011 14:08:08 -0700 (PDT)
Received: (qmail 55047 invoked from network); 23 Apr 2011 21:08:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple;; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:vbr-info:user-agent:cleverness; s=d706.4db33fb6.k1104;; bh=Hrk7ZSHqxp5E+lJ8GrYZtTHvgyl3rw9VxgsObaFvVf0=; b=cUWGR0CTtUUrTPAbKM2ENM7rxllIdDhBh/0yy7hHUp0ecs1+GkOTSgmyTHh0u9pYrBVxVVVW2hg+/W5B6SPAuixmNaiJetHKonGJjMnjb1I5HaizzCV5tEr8z22nQTUl5yiyAOtQaT9uYQEvjcSO3G2ajZmapJV6TlU3wxxVB5A=
VBR-Info:; mc=all;
Received: (ofmipd johnl@ with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Apr 2011 21:07:43 -0000
Date: Sat, 23 Apr 2011 17:08:00 -0400
Message-ID: <alpine.BSF.2.00.1104231702040.22305@joyce.lan>
From: "John R. Levine" <>
To: Sam Trenholme <>
In-Reply-To: <>
References: <>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
Cleverness: None detected
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Subject: Re: [dnsext] MaraDNS and NXDOMAIN/NOERROR on non-terminal nodes
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 23 Apr 2011 21:08:10 -0000

> Please update
> appropriately.

Particularly with IPv6 rDNS, the wrongness of returning NXDOMAIN for an 
empty node with other nodes below it is no longer harmless.  I'm working 
to fix rbldnsd, you can fix maradns.  It's an open question whether people 
will fix rbldnsd, or we'll just give up on it, since it's unlkely ever 
to handle EDNS0 or DNSSEC either.

By the way, telling people "you're wrong, change it because it's hard for 
me to fix" is rarely a winning strategy.  Within a day of my asking the 
djbdns list how hard it would be to fix tinydns, someone had an 
approximate fix for it.  It's not that hard, you put dummy entries in your 
hash where the noerror responses need to be.

John Levine,, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail.