[dnsext] draft-vixie-dnsext-resimprove - NXDOMAIN for empty non-terminals

Tony Finch <dot@dotat.at> Mon, 28 March 2011 14:22 UTC

To: dnsext@ietf.org
Message-ID: <alpine.LSU.2.00.1103281507410.5244@hermes-1.csi.cam.ac.uk>

Arising from the discussion at the meeting about treating a cached
NXDOMAIN as applying to all child domains...

The main concern about this clarification is buggy implementations that
give an NXDOMAIN for empty non-terminal names that have non-empty child
domains. The examples cited were DJBDNS and in particular rbldnsd. (I
presume there are others that we don't know about.)

We care about rbldnsd because it is widely deployed and there are a lot of
empty non-terminals in RBL zones. However the bug will not normally be
triggered by a mail server since mail servers don't query for the
non-terminal domains. But there is a serious risk if the mail server is
sharing a cache with untrusted clients, since they can make a query that
gets an NXDOMAIN response and thereby make the cache think that vast
sections of the DNSBL are empty.

This is of course a special case of the general problem with this
clarification. I don't know if it affects how much we care about it or if
it just means we should worry more about the buggy DNS servers that we
don't know about.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Southwest Forties, Cromarty, Forth: Southwesterly 4 or 5, occasionally 6,
becoming variable 3 later. Slight or moderate. Occasional rain. Good,
occasionally poor.
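An added illustration of the shared-cache risk described in the message above (this is example code, not part of the email or of any resolver or rbldnsd): a toy resolver cache that applies the "cached NXDOMAIN covers the whole subtree" rule, fed by a constructed authoritative server that either handles empty non-terminals (ENTs) correctly or has the bug described. The zone name `dnsbl.example`, the listed address and the query sequence are all constructed for the example; `ent_bug_check` is a hypothetical operator-side sanity check, not a standard tool.

```python
# Constructed DNSBL zone: only the apex and one listing exist as records.
# "0.0.127.dnsbl.example" has no records of its own but has a child, so it is an ENT.
ZONE = {"dnsbl.example": "SOA", "2.0.0.127.dnsbl.example": "127.0.0.2"}

NXDOMAIN, NODATA, NOERROR = "NXDOMAIN", "NODATA", "NOERROR"

def authoritative(name, buggy):
    """Answer a query from ZONE. A correct server returns NODATA for an ENT (the name
    exists because something below it exists); the buggy server answers NXDOMAIN for
    any name that has no records of its own, which is the rbldnsd-style bug."""
    if name in ZONE:
        return (NOERROR, ZONE[name])
    if not buggy and any(owner.endswith("." + name) for owner in ZONE):
        return (NODATA, None)
    return (NXDOMAIN, None)

class SubtreeCache:
    """Resolver cache applying the 'NXDOMAIN applies to all child names' rule."""
    def __init__(self, buggy_auth):
        self.buggy_auth = buggy_auth
        self.nxdomain = set()  # owner names for which NXDOMAIN has been cached

    def resolve(self, name):
        labels = name.split(".")
        # A cached NXDOMAIN for the name itself or any ancestor answers the query.
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.nxdomain:
                return (NXDOMAIN, None)
        rcode, data = authoritative(name, self.buggy_auth)
        if rcode == NXDOMAIN:
            self.nxdomain.add(name)
        return (rcode, data)

def shared_cache_scenario(buggy_auth):
    """An untrusted client queries the ENT first; the mail server then checks a
    listed address. Returns the rcode the mail server sees for the listing."""
    cache = SubtreeCache(buggy_auth)
    cache.resolve("0.0.127.dnsbl.example")               # untrusted client's ENT query
    rcode, _ = cache.resolve("2.0.0.127.dnsbl.example")  # mail server's DNSBL lookup
    return rcode

def ent_bug_check(buggy_auth):
    """Hypothetical operator check: if an ENT is answered NXDOMAIN while a child name
    has data, the server has the bug and subtree NXDOMAIN caching is unsafe for it."""
    ent, _ = authoritative("0.0.127.dnsbl.example", buggy_auth)
    child, _ = authoritative("2.0.0.127.dnsbl.example", buggy_auth)
    return ent == NXDOMAIN and child == NOERROR
```

With the buggy server the mail server's lookup for the listed address is answered NXDOMAIN straight from cache, so the listing is silently lost; with a correct server the ENT query yields NODATA, nothing is cached as NXDOMAIN, and the listing is returned.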