Re: [dnsext] Fwd: djb on NXDOMAIN/NODATA for non-terminals

Florian Weimer <fweimer@bfk.de> Tue, 29 March 2011 09:23 UTC

To: Paul Vixie <vixie@isc.org>
References: <AANLkTimCZVyag8+Pv8zJsah2B-C=h3bPJ=DNVVo3agLc@mail.gmail.com> <34319.1301351478@nsa.vix.com> <BANLkTikkx4ndK3TpByptuRdtPGuFztm2yA@mail.gmail.com> <65033.1301383238@nsa.vix.com>
From: Florian Weimer <fweimer@bfk.de>
Date: Tue, 29 Mar 2011 09:25:05 +0000
In-Reply-To: <65033.1301383238@nsa.vix.com> (Paul Vixie's message of "Tue, 29 Mar 2011 07:20:38 +0000")
Message-ID: <82ei5qz3bi.fsf@mid.bfk.de>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Fwd: djb on NXDOMAIN/NODATA for non-terminals

* Paul Vixie:

> i don't think so.  nobody is querying interstitial names from an rbl so
> even if there were millions of rbldnsd servers running on autopilot it
> would not have an operational effect.

Will this remain true if ISC changes BIND to synthesize NXDOMAIN
responses for children of names already known to not exist?  In many
cases, it will not be too difficult to reflect a query for the
non-terminal through the MTA, and after that, the blacklist is
partially bypassed.  So I wouldn't be surprised if such queries turned
somewhat popular, suddenly.

And regarding the idea of a new EDNS option---we already have plenty
of NXDOMAIN signalling in the form of NSEC(3) records.  We just have
to agree to use it.  What's worse, it seems to me that past experience
shows that EDNS options cause interoperability issues, too.

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
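The interaction Florian describes above can be modelled in a few lines. The following is an added example, not code from the thread or from any DNS implementation: it simulates a recursive resolver's negative cache with and without synthesis of NXDOMAIN for descendants of a name already known not to exist, against two constructed authoritative behaviours for an empty non-terminal (ENT) in a DNSBL zone. The zone contents (`rbl.example.`, one listed address), the function names and the `Resolver` class are all assumptions made for the illustration.

```python
# Constructed model: negative caching in a recursive resolver, used to show
# why an authoritative server's NXDOMAIN-vs-NODATA answer for an empty
# non-terminal (ENT) matters once resolvers synthesize NXDOMAIN for names
# below a name already cached as non-existent. All names are absolute,
# lower-case, dot-terminated strings; all data here is constructed.

NXDOMAIN, NODATA, FOUND, REFUSED = "NXDOMAIN", "NODATA", "FOUND", "REFUSED"

# Constructed DNSBL zone: one listed address, 192.0.2.10, keyed the usual
# way as reversed octets under the zone apex.
ZONE_APEX = "rbl.example."
LISTED = {"10.2.0.192.rbl.example."}


def ancestors(name):
    """Yield every proper ancestor of name, closest first, ending at the root."""
    parts = name.rstrip(".").split(".")
    for i in range(1, len(parts)):
        yield ".".join(parts[i:]) + "."
    yield "."


def in_zone(name):
    return name == ZONE_APEX or name.endswith("." + ZONE_APEX)


def is_ent(name):
    """Empty non-terminal: no data at the name itself, but data somewhere below it."""
    return name not in LISTED and any(l.endswith("." + name) for l in LISTED)


def auth_nxdomain_for_ent(name):
    """Authoritative behaviour the thread discusses: any name without its own
    record, ENTs included, is answered NXDOMAIN."""
    if not in_zone(name):
        return REFUSED
    if name == ZONE_APEX or name in LISTED:
        return FOUND
    return NXDOMAIN


def auth_nodata_for_ent(name):
    """Standards-conformant behaviour: an ENT exists, so it gets NODATA
    (NOERROR with an empty answer section) rather than NXDOMAIN."""
    if not in_zone(name):
        return REFUSED
    if name == ZONE_APEX or name in LISTED:
        return FOUND
    if is_ent(name):
        return NODATA
    return NXDOMAIN


class Resolver:
    """Minimal recursive resolver with a per-name cache (TTLs omitted)."""

    def __init__(self, auth, synthesize_nxdomain):
        self.auth = auth                      # authoritative server model
        self.synthesize = synthesize_nxdomain # NXDOMAIN-cut synthesis on/off
        self.cache = {}                       # name -> cached answer type
        self.upstream_queries = 0

    def lookup(self, name):
        if name in self.cache:
            return self.cache[name]
        if self.synthesize:
            # If any ancestor is cached as NXDOMAIN, the subtree below it
            # cannot exist, so answer from cache without asking the authority.
            for anc in ancestors(name):
                if self.cache.get(anc) == NXDOMAIN:
                    return NXDOMAIN
        self.upstream_queries += 1
        answer = self.auth(name)
        self.cache[name] = answer
        return answer


ENT_NAME = "2.0.192.rbl.example."         # non-terminal above the listed address
LISTED_NAME = "10.2.0.192.rbl.example."   # the address a mail filter actually checks


def run_scenario(auth, synthesize_nxdomain):
    """First a lookup of the ENT lands in the cache, then the real DNSBL check
    for the listed address follows. Returns (ent answer, listed answer,
    number of queries that reached the authority)."""
    r = Resolver(auth, synthesize_nxdomain)
    first = r.lookup(ENT_NAME)
    second = r.lookup(LISTED_NAME)
    return first, second, r.upstream_queries


def listing_bypassed(auth, synthesize_nxdomain):
    """True when the listed address is reported as unlisted after the ENT lookup."""
    return run_scenario(auth, synthesize_nxdomain)[1] != FOUND


if __name__ == "__main__":
    for auth in (auth_nxdomain_for_ent, auth_nodata_for_ent):
        for synth in (False, True):
            print(auth.__name__, "synthesize=%s" % synth,
                  run_scenario(auth, synth), "bypassed=%s" % listing_bypassed(auth, synth))
```

Only the combination of NXDOMAIN-for-ENT on the authoritative side and synthesis on the resolver side makes the listed address disappear, and it does so without a second query ever reaching the authority, so the authority's logs show nothing unusual. Answering NODATA for the ENT (or, equivalently, publishing the NSEC/NSEC3 evidence that the name exists) keeps the listing visible regardless of what the resolver synthesizes; that is the check to run against an authoritative DNSBL server before a resolver population that synthesizes comes online.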