Re: [dnsext] Fwd: djb on NXDOMAIN/NODATA for non-terminals

[Sabahattin Gucukoglu <mail@sabahattin-gucukoglu.com>]

On 30 Mar 2011, at 21:27, Edward Lewis wrote:
> Dan Bernstein's statement (as found in [0]) that returning NXDOMAIN for empty non-terminals is acceptable because buggy code did this in the past is an interesting point.  While technically wrong to do so, this code is out there and to accommodate (work around the bug), optimizing according what is in section 3 would be sub-optimal.  I would never say that NXDOMAIN for empty non-terminals is correct as a protocol analyst.  But if I was dealing with buggy code, I'd play the "be liberal in what you accept" card.

I have to admit, I can't even understand the question, and after so much discussion I'm starting to feel that I never will.  I could not imagine any other behaviour than the one manifest in pretty much every DNS server I can get my hands on (BIND 9, Tinydns, MaraDNS, NSD, ...) and could not see how it would even make sense or be possible to implement the suggestion to return 0 records for non-terminal labels.  What would the authority for such a query name be?  You could hardly synthesise one, and using the SOA from the next highest delegation doesn't work, unless you also don't mind making the case of no data at query name exclusively indistinct from no data at query name except for the possibility of terminating labels.  How could you distinguish components of query names which are naturally entered and used with dots in their textual representations, without providing misleading responses to questions about the right-hand sides of such names?  And doesn't it follow that a non-terminal name isn't a name, so that it doesn't exist, rather than that it does only because it happens to use more than the usual number of labels between delegations?

And then there's all the existing points raised about the feasibility of *trusting* NXDOMAIN responses, based on the idea that the authoritative servers will distinguish terminals from non-terminals in this way, which as has been discussed before is problematic for a number of good, solid reasons (RBLs, increased work for caches with non-tree structures, etc).

If somebody could help me to understand which bit of RFC 1034-5 or succeeding documents says (or even hints at) the fallibility of multi-label names, I'd be especially interested, since so far I haven't been able to do it.  It would help me decide that much more firmly one way or the other; for now, I don't like the suggestion.  Maybe it's all about semantics, but I like things the way they are (in this regard). It's clearer and, for me, more logical and sensible, with no added gotchas.

Cheers,
Sabahattin

PS: Dan did in fact post that referenced message to his dns@list.cr.yp.to list.  I use tinydns, primarily, but am thinking about shuffling along to NSD.