Re: [dnsext] DNAME YXDOMAIN validation

"George Barwood" <george.barwood@blueyonder.co.uk> Mon, 16 May 2011 18:15 UTC

Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8EAFE079A for <dnsext@ietfa.amsl.com>; Mon, 16 May 2011 11:15:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.218
X-Spam-Level: *
X-Spam-Status: No, score=1.218 tagged_above=-999 required=5 tests=[AWL=-0.763, BAYES_20=-0.74, J_CHICKENPOX_52=0.6, MIME_BASE64_TEXT=1.753, URI_HEX=0.368]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tiqGdit0NUzk for <dnsext@ietfa.amsl.com>; Mon, 16 May 2011 11:15:36 -0700 (PDT)
Received: from mtaout03-winn.ispmail.ntl.com (mtaout03-winn.ispmail.ntl.com [81.103.221.49]) by ietfa.amsl.com (Postfix) with ESMTP id B4D30E0799 for <dnsext@ietf.org>; Mon, 16 May 2011 11:15:33 -0700 (PDT)
Received: from know-smtpout-4.server.virginmedia.net ([62.254.123.4]) by mtaout03-winn.ispmail.ntl.com (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP id <20110516181529.YIYA3152.mtaout03-winn.ispmail.ntl.com@know-smtpout-4.server.virginmedia.net>; Mon, 16 May 2011 19:15:29 +0100
Received: from [92.238.99.235] (helo=GeorgeLaptop) by know-smtpout-4.server.virginmedia.net with smtp (Exim 4.63) (envelope-from <george.barwood@blueyonder.co.uk>) id 1QM2KH-0000ri-9E; Mon, 16 May 2011 19:15:29 +0100
Message-ID: <481B7D2048D44E988F9968AEEF4EFF27@local>
From: "George Barwood" <george.barwood@blueyonder.co.uk>
To: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>, <dnsext@ietf.org>
References: <22823BCF8255413FBF76D4DF5D519471@local> <4DD0E578.1020207@nlnetlabs.nl>
Date: Mon, 16 May 2011 19:15:21 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: base64
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6090
X-Cloudmark-Analysis: v=1.1 cv=R50lirqlHffDPPkwUlkuVa99MrvKdVWo//yz83qex8g= c=1 sm=0 a=I1x6_YhjcwUA:10 a=3NElcqgl2aoA:10 a=8nJEP1OIZ-IA:10 a=48vgC7mUAAAA:8 a=F5-z33WhAAAA:8 a=mNUaEz08pOpgB_XXUe0A:9 a=cMhFUN-2cy3vwdufepoA:7 a=wPNLvfGTeEIA:10 a=LOTjP7iKY08A:10 a=lZB815dzVvQA:10 a=LBeFHwr47n4orSip:21 a=14NKUdgVX3p83JAF:21 a=HpAAvcLHHh0Zw7uRqdWCyQ==:117
Subject: Re: [dnsext] DNAME YXDOMAIN validation
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 May 2011 18:15:37 -0000

----- Original Message ----- 
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>;
To: <dnsext@ietf.org>;
Sent: Monday, May 16, 2011 9:51 AM
Subject: Re: [dnsext] DNAME YXDOMAIN validation


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi George,
> 
> On 05/16/2011 08:14 AM, George Barwood wrote:
>> What are the requirements on resolvers for validating DNAME YXDOMAIN responses?
> 
> There are no requirements.  Because there is no text in RFC2672 or -bis.

Ok, given the general imprecations to validate as per http://tools.ietf.org/html/rfc4035#section-4.2
I think a statement that YXDOMAIN responses need not be validated would be useful.

>> http://tools.ietf.org/html/draft-ietf-dnsext-rfc2672bis-dname-22#section-5.3.1
>> 
>> says
>> 
>>   The domain name can get too long during substitution.  For example,
>>    suppose the target name of the DNAME RR is 250 octets in length
>>    (multiple labels), if an incoming QNAME that has a first label over 5
>>    octets in length, the result would be a name over 255 octets.  If
>>    this occurs the server returns an RCODE of YXDOMAIN [RFC2136].  The
>>    DNAME record and its signature (if the zone is signed) are included
>>    in the answer as proof for the YXDOMAIN (value 6) RCODE.
>> 
>> which implies that YXDOMAIN responses can be validated.
> 
> Yes.
> 
>> However, I'm wondering if this is actually useful, and simply clearing the AD
>> bit would be acceptable. i.e. "validators MAY validate YXDOMAIN responses" but no stronger.
>> Or maybe I'm wrong, and YXDOMAIN responses MUST be validated if possible, in which case I think
>> this would be best stated explicitly.
> 
> I thought it would be good to include the DNAME (I believe the authority
> servers already include the DNAME for YXDOMAIN responses, so the
> signature (when appropriate, DO flag, signed zone) is not a lot of
> work), just because you can.
> 
>> As an aside,  I may be mistaken, but it seems that both BIND and UNBOUND don't
>> currently handle YXDOMAIN responses, returning SERVERFAIL instead of YXDOMAIN. 
>> I think this is quite likely to be the behavior for legacy resolvers as well, maybe that could be noted.
> 
> Yes, there does not seem to be a great deal of utility for validating
> the YXDOMAIN.  It is nice that there is some sort of proof for the RCODE
> (since for many other RCODEs no proof is possible, and considering the
> length of effort we took to prove NXDOMAINs).

Ok, but I don't think that either BIND or UNBOUND handling of YXDOMAIN is correct (IMO).
I'll admit as bugs go, this is extremely minor, and very unlikely to cause any kind of operational problem, 
so this may seem very pedantic, but..

With both UNBOUND and BIND, the behavior depends on whether the DNAME is cached.

UNBOUND:
If the DNAME is cached, UNBOUND correctly returns just the DNAME with Rcode=YXDOMAIN (great!). AD is not set (ok).
If the DNAME is not cached, UNBOUND seems to regard the YXDOMAIN response as Lame, since it repeats the query 6 times before giving up and returning SERVERFAIL.

BIND:
If the DNAME is cached, it correctly returns the DNAME (only), but with Rcode=Ok rather than YXDOMAIN. AD is set.
If the DNAME is not cached, it doesn't repeat the query, but returns SERVERFAIL.

The test domain I'm using is

a123456789.longd.test2.itec-usa.com

Kind regards,
George