Re: [dnsext] RFC 6604 Clarification

Tony Finch <dot@dotat.at> Wed, 01 April 2015 00:17 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsext/LAcE_Co9IQkv2RmdSG8SwtueDxs>

> On 31 Mar 2015, at 23:38, Brian Dickson <brian.peter.dickson@gmail.com> wrote:
> 
> Sending the query to the previous auth server would be the wrong thing
> to do. Even if such a query were received, the correct behavior is
> NOERROR, NODATA, with AA unset (set to zero).

If you send a query to an authoritative-only server for a name for which it isn't authoritative, you should get a referral if the qname is a subdomain of one of the server's zones, or a referral to the root (traditional), or REFUSED. A referral is a bit more than just NOERROR NODATA AA=0 :-)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at
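
The distinction drawn in the reply above, as an added example that is not part of the original message: a small wire-format classifier that separates a referral (NOERROR, AA=0, empty answer, NS records in the authority section) from REFUSED and from a bare NOERROR/NODATA with AA=0. The helper names, the sample query name and the sample messages are constructed for illustration.

```python
import struct
REFUSED, NS = 5, 2                      # RCODE 5; RR type 2

def skip_name(msg, off):
    """Return the offset just past the domain name that starts at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # a compression pointer ends the name
            return off + 2
        if length == 0:                 # the root label ends the name
            return off + 1
        off += 1 + length

def classify(msg):
    """Classify a wire-format response from an authoritative-only server."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    aa, rcode = bool(flags & 0x0400), flags & 0x000F
    off = 12
    for _ in range(qd):                 # skip each question: name, type, class
        off = skip_name(msg, off) + 4
    authority_types = []
    for i in range(an + ns):            # walk answer RRs, then authority RRs
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an:
            authority_types.append(rtype)
    if rcode == REFUSED:
        return "REFUSED"
    if rcode == 0 and an == 0 and not aa and NS in authority_types:
        return "referral"
    if rcode == 0 and an == 0:
        return "NODATA"
    return "other"

def name(s):                            # uncompressed wire-format labels
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".") if l) + b"\0"

def response(flags, qname, authority=()):   # constructed sample builder
    msg = struct.pack("!6H", 0x1234, flags, 1, 0, len(authority), 0)
    msg += name(qname) + struct.pack("!HH", 1, 1)
    for owner, rdata in authority:      # every sample authority RR is an NS
        msg += name(owner) + struct.pack("!HHIH", NS, 1, 3600, len(rdata)) + rdata
    return msg

QNAME = "www.child.example."            # constructed names throughout
DELEGATION = response(0x8000, QNAME, [("child.example.", name("ns1.child.example."))])
ROOT_REFERRAL = response(0x8000, QNAME, [(".", name("a.root-servers.net."))])
REFUSAL = response(0x8005, QNAME)
BARE_NODATA = response(0x8000, QNAME)   # NOERROR, AA=0, empty sections
```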