Re: [dnsext] MaraDNS and NXDOMAIN/NOERROR on non-terminal nodes

Sam Trenholme <strenholme.usenet@gmail.com> Sat, 23 April 2011 22:33 UTC

Date: Sat, 23 Apr 2011 17:33:02 -0500
Message-ID: <BANLkTi=6BE+QBnyeHVcGo-PoaMtk2JvLzw@mail.gmail.com>
From: Sam Trenholme <strenholme.usenet@gmail.com>
To: "John R. Levine" <johnl@iecc.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: dnsext@ietf.org

[John: Sorry about giving you two copies of this email]

> the wrongness of returning NXDOMAIN for an
> empty node with other nodes below it

[citation needed].  In other words, accusations of RFC non-compliance
need to quote chapter and verse of the relevant RFC or are invalid.

> By the way, telling people "you're wrong, change it because it's hard for me
> to fix" is rarely a winning strategy

That's not what I said.  I said that Paul Vixie once said that the
opposite behavior was the correct behavior [1], so it was reasonable
for DNS implementers in the 2000s to feel the opposite behavior was
correct.  And, indeed, there are at least two DNS implementers which
did precisely that.

I do feel that, in light of the fact that ip6.arpa can be very
sparse, it would be helpful to have a DNS server be able to say "not
only does this node not exist, but all child nodes also do not exist".
[2]  But doing it in a way that breaks the existing internet and has
security problems [3] is, IMHO, not a good idea.

- Sam

[1] http://groups.google.com/group/comp.protocols.dns.std/msg/69e4500e7b7d73c8

[2] Actually, on second thought, I have promised a friend that I would
implement a simple DNS server that would convert all queries in the
form "0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.arpa
PTR" into answers like
"ip6.fedc-ba98-7654-3210-fedc-ba98-7654-3210.example.com" (and,
correspondingly, convert AAAA queries for
"ip6.fedc-ba98-7654-3210-fedc-ba98-7654-3210.example.com" into
"fedc:ba98:7654:3210:fedc:ba98:7654:3210"), so ip6.arpa does not
necessarily have to be sparse.

[3] http://marc.info/?l=djbdns&m=130141880325287&w=1 and
http://www.ietf.org/mail-archive/web/dnsext/current/msg11101.html
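The PTR/AAAA synthesis sketched in footnote [2], as an added Python example that is not part of the post or of MaraDNS. The example.com suffix and the ip6. label are the ones quoted in the message; the strict validation (only complete 32-nibble ip6.arpa names and well-formed synthesized hostnames are answered, everything else returns None) is an assumption of this example.

```python
import ipaddress
import re
from typing import Optional

# Naming scheme quoted in the post: ip6.<eight 4-hex-digit hextets joined by "-">.example.com
SYNTH_LABEL = "ip6"
SYNTH_SUFFIX = "example.com"


def ip6_arpa_to_address(qname: str) -> Optional[ipaddress.IPv6Address]:
    """Parse a complete ip6.arpa name (32 nibble labels) into an IPv6 address.
    Partial names (empty non-terminals) and malformed labels yield None."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        return None
    nibbles = labels[:32]
    if not all(re.fullmatch(r"[0-9a-f]", n) for n in nibbles):
        return None
    # ip6.arpa lists nibbles least-significant first, so reverse them.
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))


def address_to_synth_name(addr: ipaddress.IPv6Address) -> str:
    """Build the synthesized hostname: zero-padded hextets, most significant first."""
    value = int(addr)
    hextets = [f"{(value >> (16 * i)) & 0xFFFF:04x}" for i in range(7, -1, -1)]
    return f"{SYNTH_LABEL}.{'-'.join(hextets)}.{SYNTH_SUFFIX}"


def ptr_answer(qname: str) -> Optional[str]:
    """PTR direction: reverse name -> synthesized hostname, or None if not answerable."""
    addr = ip6_arpa_to_address(qname)
    return None if addr is None else address_to_synth_name(addr)


def aaaa_answer(qname: str) -> Optional[str]:
    """AAAA direction: synthesized hostname -> IPv6 address text, or None if malformed."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3 or labels[0] != SYNTH_LABEL or ".".join(labels[2:]) != SYNTH_SUFFIX:
        return None
    hextets = labels[1].split("-")
    if len(hextets) != 8 or not all(re.fullmatch(r"[0-9a-f]{4}", h) for h in hextets):
        return None
    return str(ipaddress.IPv6Address(":".join(hextets)))
```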