Re: [dnsext] Fwd: djb on NXDOMAIN/NODATA for non-terminals

Edward Lewis <> Thu, 31 March 2011 16:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 65E7628C118 for <>; Thu, 31 Mar 2011 09:08:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -101.87
X-Spam-Status: No, score=-101.87 tagged_above=-999 required=5 tests=[AWL=-0.667, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hMxFLXsiF1wY for <>; Thu, 31 Mar 2011 09:08:04 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2FF6D3A6B3C for <>; Thu, 31 Mar 2011 09:08:04 -0700 (PDT)
Received: from Work-Laptop-2.local ( []) by (8.14.4/8.14.4) with ESMTP id p2VG9gjM088749; Thu, 31 Mar 2011 12:09:42 -0400 (EDT) (envelope-from
Received: from [] by Work-Laptop-2.local (PGP Universal service); Thu, 31 Mar 2011 12:09:43 -0400
X-PGP-Universal: processed; by Work-Laptop-2.local on Thu, 31 Mar 2011 12:09:43 -0400
Mime-Version: 1.0
Message-Id: <a06240800c9ba512398a2@[]>
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <a06240806c9b7b2040e80@> <> <a06240807c9b7b5a6e892@> <> <a06240800c9b93e602208@> <> <> <>
Date: Thu, 31 Mar 2011 12:07:45 -0400
From: Edward Lewis <>
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Scanned-By: MIMEDefang 2.68 on
Subject: Re: [dnsext] Fwd: djb on NXDOMAIN/NODATA for non-terminals
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 31 Mar 2011 16:08:05 -0000

At 15:27 +0100 3/31/11, Tony Finch wrote:
>Colm MacCárthaigh <> wrote:
>>  My vote would be for;
>>    Recommending that authoritative servers implementing DNSSEC SHOULD
>>  NOT return NXDOMAIN for non-terminal labels.
>I believe that requirement already exists as a MUST NOT.

Although I agree that sending a NXDOMAIN for an 
empty non-terminal is a protocol error[0], I'll 
note that in the resimprove document it says:

# This is due to an ambiguity in RFC 1034 that failed to distinguish
# empty nonterminal domain names from nonexistent names.

To convert "I believe" to something more 
fact-based, it would be helpful if the ambiguity 
were identified.

[0] from this in RFC 1034, section 4.3.2:

# 3. Start matching down, label by label, in the zone.  The
#      matching process can terminate several ways:
#         a. If the whole of QNAME is matched, we have found the
#           node.

That is, the name/node exists, whether it has a type match remains to be seen.

#           ...skipping CNAME stuff...
#           Otherwise, copy all RRs which match QTYPE into the
#           answer section and go to step 6.

If there are no RRs to match (and empty 
non-terminal), none match, hence no data is put 
into the answer section.

On the other hand, of the name isn't there, here 
is the instruction for Name Error (aka NXDOMAIN):

#         c. If at some label, a match is impossible (i.e., the
#            corresponding label does not exist), look to see if a
#            the "*" label exists.
#            If the "*" label does not exist, check whether the name
#            we are looking for is the original QNAME in the query
#            or a name we have followed due to a CNAME.  If the name
#            is original, set an authoritative name error in the
#            response and exit.  Otherwise just exit.

RFC 2308, section 2.1 shows NXDOMAINs where the 
name is not original.  Reducing the logic that 
would mean the above reads as:

              If the "*" label does not exist, set an authoritative name
              error in the response and exit.  Otherwise just exit.

Edward Lewis             
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"