Re: [dnsext] [DNSOP] RFC2308/6604 violation in NSD and BIND?

Paul Wouters <paul@nohats.ca> Fri, 26 October 2012 15:18 UTC

Date: Fri, 26 Oct 2012 11:18:22 -0400
From: Paul Wouters <paul@nohats.ca>
To: Peter van Dijk <peter.van.dijk@netherlabs.nl>
In-Reply-To: <F2F353F2-F434-4F26-AFC6-B5BEFE6B5035@netherlabs.nl>
Message-ID: <alpine.LFD.2.02.1210261112020.8639@bofh.nohats.ca>
References: <54B9D70A-8A29-4778-B054-E0CF4407A7AD@netherlabs.nl> <alpine.LFD.2.02.1210260909570.6690@bofh.nohats.ca> <F5E1B738-951F-4AEB-A0B4-842DF85C95E8@netherlabs.nl> <alpine.LFD.2.02.1210260940190.7864@bofh.nohats.ca> <F2F353F2-F434-4F26-AFC6-B5BEFE6B5035@netherlabs.nl>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] [DNSOP] RFC2308/6604 violation in NSD and BIND?

On Fri, 26 Oct 2012, Peter van Dijk wrote:

> There is no corner case. The NXDOMAIN is about the last name in the CNAME
> chain (RFC2308 1) or the last lookup done in optionally following the chain
> (RFC6604 3), not about the original QNAME.
>
> In your zone you have:
>
> cname.nohats.ca.	5	IN	CNAME	doesnotexist.nohats.ca.
>
> cname.nohats.ca exists and is an entry in your NSEC3 chain.
>
> doesnotexist.nohats.ca does not exist and is denied by your NSEC3 chain:
>
>  doesnotexist.nohats.ca (5jng314a18r89qab1ilhe54l393kfu8a) denied by 4nbrqak4o1esr5qpg452fucnh8k23d15..6hlm0p5e9c1f3haq64ci0puo97lmtp8g
>
>
> As for validators, they are not supposed to look at the RCODE anyway.

I was not so much thinking of the original query. I was thinking of the
case where the NSEC3 has made it into the cache, and some new query causes
the validator to check its cache to see if it has nsec(3) records
proving a QNAME does or does not exist.

The odd thing is that cname.nohats.ca "kinda" exists if you look at the
nsec(3) chain. I guess resolvers implement a negative cache on the QNAME,
so they never used this data to not even ask about a QNAME, and they
still query for the QNAME despite having proof in the cache about it
not existing. In which case, my issue would not come up.

Paul
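The check being discussed above, as an added example that is not part of the thread: the RFC 5155 NSEC3 owner-name hash and the interval test a validator applies to decide whether a cached NSEC3 record "covers" (denies) a hashed name or "matches" it (the name exists). The interval check is run on the three hashes quoted from the nohats.ca zone; the salt and iteration values used for the hash function are constructed, since the zone's real NSEC3 parameters are not given in the thread.

```python
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 Extended Hex alphabet


def wire_format(name: str) -> bytes:
    """Canonical (lower-cased) uncompressed wire format of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32hex without padding. This alphabet sorts in the same order as
    the raw hash bytes, so plain string comparison orders the NSEC3 chain."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """H(name) per RFC 5155 section 5: SHA-1(wire || salt), re-applied
    `iterations` more times, base32hex-encoded (32 characters for SHA-1).
    Salt and iterations here are caller-supplied; the zone's real values
    come from its NSEC3PARAM record, which the thread does not quote."""
    digest = hashlib.sha1(wire_format(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_matches(owner: str, h: str) -> bool:
    """An NSEC3 whose owner hash equals h proves the name exists."""
    return owner.lower() == h.lower()


def nsec3_covers(owner: str, next_owner: str, h: str) -> bool:
    """True if h lies strictly between owner and next_owner, i.e. the record
    denies that name. The last NSEC3 in the chain wraps around to the first
    hash, so the interval test must handle owner > next_owner."""
    owner, next_owner, h = owner.lower(), next_owner.lower(), h.lower()
    if owner < next_owner:
        return owner < h < next_owner
    return h > owner or h < next_owner


if __name__ == "__main__":
    # The three hashes quoted from the nohats.ca zone in the thread.
    owner, nxt = "4nbrqak4o1esr5qpg452fucnh8k23d15", "6hlm0p5e9c1f3haq64ci0puo97lmtp8g"
    target = "5jng314a18r89qab1ilhe54l393kfu8a"       # doesnotexist.nohats.ca
    print("covered (denied):", nsec3_covers(owner, nxt, target))   # True
```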