Re: [dnsext] Fwd: djb on NXDOMAIN/NODATA for non-terminals

Colm MacCárthaigh <> Thu, 31 March 2011 02:23 UTC

Date: Wed, 30 Mar 2011 19:25:28 -0700
From: Colm MacCárthaigh <>
To: Paul Vixie <>

On Wed, Mar 30, 2011 at 3:48 PM, Paul Vixie <> wrote:
> if we don't want to do that with rbldnsd given its 0.00005% market share
> and that really is the consensus of the working group, we can remove the
> text.  i'd like to hear from different voices to help judge consensus.

The behavior isn't limited to rbldnsd. It is also manifest in TinyDNS,
and probably other non-tree-indexed implementations.

These implementations may not have a plurality of domain names on
them, but I think they do meet the "widely deployed" bar.

Given that, it seems imprudent for resolvers to make inferences about
empty sub-trees based merely on NXDOMAIN.

At least one EDNS0 capable implementation exists that exhibits this
behavior [1]. So for the moment, making inferences on EDNS0 also
seems unwise.

Making inferences based on returning DNSSEC data may be safe; I
haven't yet found any counter-examples. I wouldn't be surprised to
find one though.

My vote would be for:

  Recommending that authoritative servers implementing DNSSEC SHOULD
  NOT return NXDOMAIN for non-terminal labels.

  Recommending that caches SHOULD NOT infer empty sub-trees based on
  NXDOMAIN.

My reason for saying "implementing DNSSEC" is that inferring sub-tree
emptiness is another dangerous poisoning case (along with spoofed
DNAME and NS responses) that can poison a very large name-space in a
cache for very low effort. DNSSEC is a reasonable mitigation against
that problem.

On the historical point, I don't agree with djb's interpretation of
RFC2308. That RFC says:

  "A negative answer that resulted from a name error (NXDOMAIN) should
   be cached such that it can be retrieved and returned in response to
   another query for the same <QNAME, QCLASS> that resulted in the
   cached negative response."

It doesn't say "only returned". To say that inferences about empty
sub-trees are "outlawed" goes too far. But I think there's so little
clarity in the standards that no particular "side" has great support
there. Greater clarity from now on will definitely help!

[1]   dig +edns=0
       dig +edns=0
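The failure mode the mail describes (a flat-table authoritative server answering NXDOMAIN for an empty non-terminal, and a cache that then treats the whole sub-tree as absent) is easy to reproduce in a toy model. The Python below is an added illustration, not code from the mail or from rbldnsd, TinyDNS or any resolver; the zone, the owner names, the three cache policies and the "signed" flag (which models the mail's remark that inferring only from DNSSEC-bearing responses may be safe, by assuming a signed zone is served tree-indexed) are all constructed assumptions.

```python
"""Constructed model of NXDOMAIN sub-tree inference (not from the mail).

Two authoritative-server styles and three cache policies, to show when
inferring an empty sub-tree from a single NXDOMAIN shadows a real name.
All names, records and the "signed" flag are made-up assumptions.
"""
from __future__ import annotations

NXDOMAIN, NODATA, ANSWER = "NXDOMAIN", "NODATA", "ANSWER"
RRsets = dict[tuple[str, str], list[str]]   # (owner, type) -> rdata strings


def labels(name: str) -> list[str]:
    return name.rstrip(".").lower().split(".")


def is_ancestor_or_self(ancestor: str, name: str) -> bool:
    a, n = labels(ancestor), labels(name)
    return len(a) <= len(n) and n[len(n) - len(a):] == a


class TreeAuth:
    """Tree-indexed server: an empty non-terminal (ENT) exists and gets
    NODATA; only a name with no descendants at all gets NXDOMAIN."""

    def __init__(self, rrsets: RRsets, signed: bool = False):
        self.rrsets = {(o.lower(), t): r for (o, t), r in rrsets.items()}
        self.owners = {o for o, _ in self.rrsets}
        self.signed = signed   # assumption: a signed zone is served tree-indexed

    def query(self, qname: str, qtype: str):
        """Return (rcode, rdata, response_was_signed)."""
        qname = qname.lower()
        if (qname, qtype) in self.rrsets:
            return ANSWER, self.rrsets[(qname, qtype)], self.signed
        if any(is_ancestor_or_self(qname, o) for o in self.owners):
            return NODATA, [], self.signed       # exists, possibly only as an ENT
        return NXDOMAIN, [], self.signed


class FlatAuth(TreeAuth):
    """Flat-table server (the rbldnsd/TinyDNS behaviour the mail describes):
    it knows only owner names that hold records, so an ENT looks absent."""

    def query(self, qname: str, qtype: str):
        qname = qname.lower()
        if (qname, qtype) in self.rrsets:
            return ANSWER, self.rrsets[(qname, qtype)], False
        if qname in self.owners:
            return NODATA, [], False
        return NXDOMAIN, [], False           # wrong for an ENT, but what it does


class Cache:
    """policy: "exact" (RFC 2308 same-QNAME negative cache), "infer" (an
    NXDOMAIN covers the whole sub-tree) or "infer_if_signed"."""

    def __init__(self, auth: TreeAuth, policy: str):
        self.auth, self.policy = auth, policy
        self.nxdomain: dict[str, bool] = {}  # cached qname -> response was signed
        self.upstream = 0                    # queries actually sent upstream

    def resolve(self, qname: str, qtype: str):
        qname = qname.lower()
        if qname in self.nxdomain:
            return NXDOMAIN, []              # exact-name hit, allowed by RFC 2308
        for cached, signed in self.nxdomain.items():
            if cached != qname and is_ancestor_or_self(cached, qname):
                if self.policy == "infer" or (self.policy == "infer_if_signed" and signed):
                    return NXDOMAIN, []      # synthesised from an ancestor's NXDOMAIN
        self.upstream += 1
        rcode, rdata, signed = self.auth.query(qname, qtype)
        if rcode == NXDOMAIN:
            self.nxdomain[qname] = signed
        return rcode, rdata


# Constructed zone: "sub.example.test" is an ENT (no records, but a child).
ZONE: RRsets = {
    ("example.test", "SOA"): ["ns.example.test. hostmaster.example.test. 1 3600 900 604800 300"],
    ("www.sub.example.test", "A"): ["192.0.2.10"],
}


def scenario(auth: TreeAuth, policy: str, first: str, second: str):
    """Query `first`, then `second`; return both rcodes, the second
    answer's rdata and how many queries reached the authoritative server."""
    c = Cache(auth, policy)
    first_rcode, _ = c.resolve(first, "A")
    second_rcode, rdata = c.resolve(second, "A")
    return first_rcode, second_rcode, rdata, c.upstream


if __name__ == "__main__":
    ent, child = "sub.example.test", "www.sub.example.test"
    for auth, policy in [(TreeAuth(ZONE), "infer"), (FlatAuth(ZONE), "exact"),
                         (FlatAuth(ZONE), "infer"), (FlatAuth(ZONE), "infer_if_signed")]:
        print(type(auth).__name__, policy, scenario(auth, policy, ent, child))
```

Running it shows the point of the mail's two recommendations: against a flat-table server, the "exact" policy still returns the child's address (at the cost of a second upstream query), whereas the "infer" policy turns a single NXDOMAIN for the ENT into a cached NXDOMAIN for every name beneath it. The "infer_if_signed" policy only synthesises from responses the model marks as signed, so the flat, unsigned server's NXDOMAIN is never generalised.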