Re: [dnsext] MaraDNS and NXDOMAIN/NOERROR on non-terminal nodes

"John R. Levine" <johnl@iecc.com> Sat, 23 April 2011 21:08 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dnsext@ietfc.amsl.com
Delivered-To: dnsext@ietfc.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfc.amsl.com (Postfix) with ESMTP id 343F1E068B for <dnsext@ietfc.amsl.com>; Sat, 23 Apr 2011 14:08:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.078
X-Spam-Level:
X-Spam-Status: No, score=-109.078 tagged_above=-999 required=5 tests=[AWL=2.121, BAYES_00=-2.599, HABEAS_ACCREDITED_SOI=-4.3, RCVD_IN_BSP_TRUSTED=-4.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([208.66.40.236]) by localhost (ietfc.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hLA0688nWoWM for <dnsext@ietfc.amsl.com>; Sat, 23 Apr 2011 14:08:09 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [64.57.183.53]) by ietfc.amsl.com (Postfix) with ESMTP id 4D277E0686 for <dnsext@ietf.org>; Sat, 23 Apr 2011 14:08:08 -0700 (PDT)
Received: (qmail 55047 invoked from network); 23 Apr 2011 21:08:06 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:vbr-info:user-agent:cleverness; s=d706.4db33fb6.k1104; i=johnl@submit.iecc.com; bh=Hrk7ZSHqxp5E+lJ8GrYZtTHvgyl3rw9VxgsObaFvVf0=; b=cUWGR0CTtUUrTPAbKM2ENM7rxllIdDhBh/0yy7hHUp0ecs1+GkOTSgmyTHh0u9pYrBVxVVVW2hg+/W5B6SPAuixmNaiJetHKonGJjMnjb1I5HaizzCV5tEr8z22nQTUl5yiyAOtQaT9uYQEvjcSO3G2ajZmapJV6TlU3wxxVB5A=
VBR-Info: md=iecc.com; mc=all; mv=dwl.spamhaus.org
Received: (ofmipd johnl@64.57.183.62) with (DHE-RSA-AES256-SHA encrypted) SMTP; 23 Apr 2011 21:07:43 -0000
Date: 23 Apr 2011 17:08:00 -0400
Message-ID: <alpine.BSF.2.00.1104231702040.22305@joyce.lan>
From: "John R. Levine" <johnl@iecc.com>
To: "Sam Trenholme" <strenholme.usenet@gmail.com>
In-Reply-To: <BANLkTimgkfQFx8ocrXjv7UFjhCzenwDhKw@mail.gmail.com>
References: <BANLkTimgkfQFx8ocrXjv7UFjhCzenwDhKw@mail.gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
Cleverness: None detected
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: dnsext@ietf.org
Subject: Re: [dnsext] MaraDNS and NXDOMAIN/NOERROR on non-terminal nodes
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Apr 2011 21:08:10 -0000

> Please update http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00
> appropriately.

Particularly with IPv6 rDNS, the wrongness of returning NXDOMAIN for an 
empty node with other nodes below it is no longer harmless.  I'm working 
to fix rbldnsd, you can fix maradns.  It's an open question whether people 
will fix rbldnsd, or we'll just give up on it, since it's unlkely ever 
to handle EDNS0 or DNSSEC either.

By the way, telling people "you're wrong, change it because it's hard for 
me to fix" is rarely a winning strategy.  Within a day of my asking the 
djbdns list how hard it would be to fix tinydns, someone had an 
approximate fix for it.  It's not that hard, you put dummy entries in your 
hash where the noerror responses need to be.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. http://jl.ly