IETF Logo Mail Archive

Re: [dnsext] RFC 6604 Clarification

"Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com> Thu, 02 April 2015 22:30 UTC

Return-Path: <kevin.darcy@fcagroup.com>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A3191A8742 for <dnsext@ietfa.amsl.com>; Thu, 2 Apr 2015 15:30:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OPp1WNWX00aR for <dnsext@ietfa.amsl.com>; Thu, 2 Apr 2015 15:30:31 -0700 (PDT)
Received: from odbmap08.extra.chrysler.com (odbmap08.out.extra.chrysler.com [129.9.107.38]) by ietfa.amsl.com (Postfix) with ESMTP id AEA371A6F11 for <dnsext@ietf.org>; Thu, 2 Apr 2015 15:30:31 -0700 (PDT)
Received: from odbmap09.oddc.chrysler.com (Unknown_Domain [151.171.137.34]) by odbmap08.extra.chrysler.com (Symantec Messaging Gateway) with SMTP id F0.89.05098.603CD155; Thu, 2 Apr 2015 18:30:31 -0400 (EDT)
X-AuditID: 81096b24-f79016d0000013ea-17-551dc306a6ec
Received: from MXPA3CHRW.fgremc.it (Unknown_Domain [151.171.20.19]) by odbmap09.oddc.chrysler.com (Symantec Messaging Gateway) with SMTP id E4.3F.03913.603CD155; Thu, 2 Apr 2015 18:30:30 -0400 (EDT)
Received: from mxph2chrw.fgremc.it (2002:97ab:152a::97ab:152a) by MXPA3CHRW.fgremc.it (2002:97ab:150f::97ab:150f) with Microsoft SMTP Server (TLS) id 15.0.847.32; Thu, 2 Apr 2015 17:30:30 -0500
Received: from mxph1chrw.fgremc.it (151.171.20.45) by mxph2chrw.fgremc.it (151.171.20.46) with Microsoft SMTP Server (TLS) id 15.0.847.32; Thu, 2 Apr 2015 17:30:01 -0500
Received: from mxph1chrw.fgremc.it ([fe80::fdc5:c8cf:dca3:ac4]) by mxph1chrw.fgremc.it ([fe80::fdc5:c8cf:dca3:ac4%19]) with mapi id 15.00.0847.030; Thu, 2 Apr 2015 17:29:55 -0500
From: "Darcy Kevin (FCA)" <kevin.darcy@fcagroup.com>
To: Kumar Ashutosh <Kumar.Ashutosh@microsoft.com>, Brian Dickson <brian.peter.dickson@gmail.com>
Thread-Topic: [dnsext] RFC 6604 Clarification
Thread-Index: AdBqx4LlMcsNNOFbQA+DDcOOf8n56gBZdqCAAAVUMwAAU8VA4A==
Date: Thu, 02 Apr 2015 22:29:55 +0000
Message-ID: <ea72cffd1a394932a42c7e2bbb0f83bd@mxph1chrw.fgremc.it>
References: <af1796c3bda84e99844715264afc67a5@HKXPR30MB021.064d.mgd.msft.net> <CAH1iCip9Xgh0n5PFt-kyZaMA3Z9D28E0Dr2Rbg5iV5bzHKPHng@mail.gmail.com> <0bea6bc18cb34b1681a1bd0484ec91a9@HKXPR30MB021.064d.mgd.msft.net>
In-Reply-To: <0bea6bc18cb34b1681a1bd0484ec91a9@HKXPR30MB021.064d.mgd.msft.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [151.171.20.202]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrHIsWRmVeSWpSXmKPExsUyfXWnki77YdlQg5lNTBa7mx6xWpzcsoDV gcljyZKfTB6tO/6yBzBFcdmkpOZklqUW6dslcGU8alrIWHBRrmLn7y62BsYpEl2MnBwSAiYS h7rvMEHYYhIX7q1n62Lk4hASuMQo8XLLCRaYoumbP7NCJE4ySuzbc4oRwjnKKDFj5yoghwPI WcsoMTMPIr6NUWLq37WMIN1sQN0Lr9xlBrFFBJIkbjUcArOZBbQkfpy8yA5iCwvoSHybsZ4J okZXYsOXl2wQtpPE4h+vwepZBFQkVpxewAayixco/vlQPMSuG4wSJ/dNBNvFKeAnMWfDK7A5 jEDvfD+1hglil7jErSfzod4UkFiy5zwzhC0q8fLxP1YIW0mi4+YyNoh6HYkFuz9B2doSyxZC 3MArIChxcuYTcKgICahK9K99yQ5yhITAV3aJjwcnsk5glJmFZN8sJLNmIZk1C8msBYwsqxil 81OSchMLDCz0UitKihL1kjOKKotzUov0kvNzNzECI7yRM1tlB+OaeZaHGAU4GJV4eNNWyoYK sSaWFVfmHmKU5mBREud9kgcUEkhPLEnNTk0tSC2KLyrNSS0+xMjEwSnVwHi4a+X51vzAnjTr DfKMO0qZRThsDWayVxfdmryV9czhORc+FmQ+U6o4637m8/EdXOGJeQZ/slZtuRfF/nIq+/wG wayPX1RcN/XXPf69q36t0d5wPqFUZv5nb3U//VrRVepu3xjx9OgpjuBPahkLjbjeNcjMzJO7 NPHVXLNXz/dleaiv+hPEnaPEUpyRaKjFXFScCAAndrmr0QIAAA==
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrLKsWRmVeSWpSXmKPExsUyfbWIsC7bYdlQgz2fjS12Nz1itTi5ZQGr A5PHkiU/mTxad/xlD2CK4rJJSc3JLEst0rdL4Mp41LSQseCiXMXO311sDYxTJLoYOTkkBEwk pm/+zAphi0lcuLeerYuRi0NI4CSjxL49pxghnKOMEjN2rgJyOICctYwSM/Mg4tsYJab+XcsI 0s0GNGnhlbvMILaIQJLErYZDYDazgJbEj5MX2UFsYQEdiW8z1jNB1OhKbPjykg3CdpJY/OM1 WD2LgIrEitML2EB28QLFPx+Kh9h1g1Hi5L6JYLs4Bfwk5mx4BTaHEejq76fWMEHsEpe49WQ+ E8Q3AhJL9pxnhrBFJV4+/gf1pZJEx81lbBD1OhILdn+CsrUlli2EuIFXQFDi5MwnLCC2kICq RP/al+wTGCVnIVkxC0n7LCTts5C0L2BkWcUolZ+SlJtYYGCpl5+SkqyXnFFUWZyTWqSXnJ+7 iREck52KOxgbF1keYhTgYFTi4a1fKRsqxJpYVlyZe4hRkoNJSZT3+16gEF9SfkplRmJxRnxR aU5q8SFGCQ5mJRHeFbuBcrwpiZVVqUX5MClpDhYlcV6VAodAIYH0xJLU7NTUgtQimKwMB4eS BK/RQaBGwaLU9NSKtMycEoQ0EwcnyHAeoOEVIDW8xQWJucWZ6RD5V4ziQGcK82aBpHiAaRJJ RgLoWhFeh3nSIE0liQgpqQZGp/3RRWyCer8f1u6TT30z+d/PpJ+njNkSbt16+vDT2R2rPwlO nX/wWFam/sFFddfYDv7bOkUmY5HhKr5nJT4MyXGTsws/yyvyzZ77RPunwscLC3de4VyVkrnp QaFV6lV9t6BNZffZDJ/GiO3ysGm7teSW/Ooz+e8yDZj3mPUaNaaWK4ZNbLkSrsRSnJFoqMVc VJwIAMFPG8RQAwAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/7ecfVJ5HK5b10PjsxBvljo3PxD4>
Cc: DNSEXT Group Working <dnsext@ietf.org>
Subject: Re: [dnsext] RFC 6604 Clarification
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Apr 2015 22:30:34 -0000

Closest-enclosing-zone logic. If the non-recursive server, in the hypothetical mentioned below, happens to be authoritative for the *root* zone, then since "root" logically encloses all other zones, the nameserver wouldn't return a SERVFAIL in that case, right?

									- Kevin

-----Original Message-----
From: dnsext [mailto:dnsext-bounces@ietf.org] On Behalf Of Kumar Ashutosh
Sent: Tuesday, March 31, 2015 9:11 PM
To: Brian Dickson
Cc: DNSEXT Group Working
Subject: Re: [dnsext] RFC 6604 Clarification

Hi 

" Sending the query to the previous auth server would be the wrong thing to do. Even if such a query were received, the correct behavior is NOERRROR, NODATA, with AA unset (set to zero).

If you are not sure you understand this, please ask any clarifying questions you may have.

Please tell us that MS DNS does NOT do SERV_FAIL, or if it does, that you are going to fix it. :-)"

For CNAME partial chains, MS DNS servers respond with NOERROR in all the cases till now. We were evaluating to see what RFC 6604 compliance would mean in terms of changes.

For your question above. If a query for A of x.example.com is received on an authoritative server, which does not have any idea of example.com or .com, then it will simply respond with serv_fail. NODATA will be returned only when there is a x.example.com of some other type. 



-----Original Message-----
From: Brian Dickson [mailto:brian.peter.dickson@gmail.com]
Sent: Wednesday, April 1, 2015 04:09
To: Kumar Ashutosh
Cc: DNSEXT Group Working
Subject: Re: [dnsext] RFC 6604 Clarification

On Mon, Mar 30, 2015 at 2:04 AM, Kumar Ashutosh <Kumar.Ashutosh@microsoft.com> wrote:
> Hi
>
> As per RFC 6604, section 3
>
>       When an xNAME chain is followed, all but the last query cycle
>
>       necessarily had no error.  The RCODE in the ultimate DNS 
> response
>
>       MUST BE set based on the final query cycle leading to that
>
>       response.  If the xNAME chain was terminated by an error, it 
> will
>
>       be that error code.  If the xNAME chain terminated without 
> error,
>
>               it will be zero.

> 2. If the CNAME chain points to a Qname for which the auth server is 
> non-authoritative (and recursion is disabled on the auth server.) The 
> server in this case cannot get the response. A direct query for this 
> Qname will result in SERV_FAIL. Should the auth server return SERV_FAIL in this case?
> Will resolvers respect answers with SERV_FAIL in RCODE and cache the 
> partial response?

Just to clarify your question further:

A CNAME chain is normally processed ENTIRELY by the iterative
(recursive) resolver.
In the case of a given authority server being authoritative for the domain name found on the right-hand-side of a CNAME, as an optimization, it MAY provide the results of a re-started query using that RHS value.

It can ONLY do that so long as it is authoritative. If it is not, it simply returns the data it is authoritative for, with a NOERROR RCODE.

Pointing to a domain name that it is not authoritative for, is not an error condition.

The iterative resolver would need to continue processing the rewritten QNAME, by sending the rewritten query to whatever authority server is authoritative for that new QNAME.

Sending the query to the previous auth server would be the wrong thing to do. Even if such a query were received, the correct behavior is NOERRROR, NODATA, with AA unset (set to zero).

If you are not sure you understand this, please ask any clarifying questions you may have.

Please tell us that MS DNS does NOT do SERV_FAIL, or if it does, that you are going to fix it. :-)

Brian
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email