Re: [dnsext] MaraDNS and NXDOMAIN/NOERROR on non-terminal nodes

Sam Trenholme <> Sat, 23 April 2011 22:33 UTC

Date: Sat, 23 Apr 2011 17:33:02 -0500
From: Sam Trenholme <>
To: "John R. Levine" <>

[John: Sorry about giving you two copies of this email]

> the wrongness of returning NXDOMAIN for an
> empty node with other nodes below it

[citation needed].  In other words, accusations of RFC non-compliance
need to quote chapter and verse of the relevant RFC or are invalid.

> By the way, telling people "you're wrong, change it because it's hard for me
> to fix" is rarely a winning strategy

That's not what I said.  I said that Paul Vixie once said that the
opposite behavior was the correct behavior [1], so it was reasonable
for DNS implementers in the 2000s to feel the opposite behavior was
correct.  And, indeed, there are at least two DNS implementers which
did precisely that.

I do feel that, in light of the fact that can be very
sparse, it would be helpful to have a DNS server be able to say "not
only does this node not exist, but all child nodes also do not exist".
[2]  But doing it in a way that breaks the existing internet and has
security problems [3] is, IMHO, not a good idea.

- Sam


[2] Actually, on second thought, I have promised a friend that I would
implement a simple DNS server that would convert all queries in the
form "
PTR" into answers like
"" (and,
correspondingly, convert AAAA queries for
"" into
"fedc:ba98:7654:3210:fedc:ba98:7654:3210"), so does not
necessarily have to be sparse.

[3] and
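The synthesizing server sketched in footnote [2], as an added example that is not Sam's code, not MaraDNS, and not any implementation discussed on the list. It assumes the reverse tree in question is ip6.arpa (the message elides the exact query form), that the PTR target and AAAA owner encode the address as eight dash-separated groups under a hypothetical suffix ip6.example.net, and that the server is authoritative for nothing else. Because every 32-nibble name gets an answer, the zone is no longer sparse; a shorter nibble path (a node with children) is answered NOERROR with an empty answer section, the empty non-terminal case in dispute above, which RFC 4592 section 2.2.2 treats as an existing name, while a label that can never lead to an address gets NXDOMAIN.

```python
"""Constructed example: synthesise ip6.arpa reverse answers instead of
serving a sparse zone.  Nothing here is MaraDNS code.

Assumptions (not in the original message): PTR targets and AAAA owners
look like fedc-ba98-7654-3210-fedc-ba98-7654-3210.ip6.example.net,
a hypothetical suffix chosen only for this illustration.
"""
import ipaddress

SUFFIX = "ip6.example.net"          # hypothetical; not from the message
HEX = set("0123456789abcdef")

# Constructed sample query name: 32 nibbles, least significant first,
# which spells fedc:ba98:7654:3210:fedc:ba98:7654:3210.
SAMPLE_REVERSE = ("0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f."
                  "0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.ip6.arpa.")


def _labels(name):
    """Split a domain name into lower-cased labels, ignoring a root dot."""
    return [l for l in name.rstrip(".").lower().split(".") if l]


def reverse_name_to_address(qname):
    """Map an ip6.arpa name to ('ok', IPv6Address), ('ent', None) for a
    valid but incomplete nibble path (an empty non-terminal: names exist
    below it), or ('nx', None) for a name nothing can live under."""
    labels = _labels(qname)
    if labels[-2:] != ["ip6", "arpa"]:
        return ("nx", None)
    nibbles = labels[:-2]
    if len(nibbles) > 32 or any(len(n) != 1 or n not in HEX for n in nibbles):
        return ("nx", None)
    if len(nibbles) < 32:
        return ("ent", None)
    # ip6.arpa lists nibbles least-significant first; undo that.
    return ("ok", ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))


def address_to_reverse_name(addr):
    """IPv6Address -> its fully qualified ip6.arpa owner name."""
    hexstr = addr.exploded.replace(":", "")      # always 32 hex digits
    return ".".join(reversed(hexstr)) + ".ip6.arpa."


def address_to_hostname(addr):
    """IPv6Address -> synthesized PTR target under SUFFIX."""
    return addr.exploded.replace(":", "-") + "." + SUFFIX + "."


def hostname_to_address(qname):
    """Inverse of address_to_hostname; same ('ok'|'ent'|'nx', addr) shape."""
    labels, suffix = _labels(qname), _labels(SUFFIX)
    if labels[-len(suffix):] != suffix:
        return ("nx", None)
    host = labels[:-len(suffix)]
    if not host:
        return ("ent", None)          # the suffix itself has children
    if len(host) != 1:
        return ("nx", None)
    groups = host[0].split("-")
    if len(groups) != 8 or any(len(g) != 4 or set(g) - HEX for g in groups):
        return ("nx", None)
    return ("ok", ipaddress.IPv6Address(":".join(groups)))


def respond(qname, qtype):
    """Return (rcode, [rdata]) for a query against the synthetic zones.
    Empty non-terminals get NOERROR with no answer, never NXDOMAIN."""
    if _labels(qname)[-2:] == ["ip6", "arpa"]:
        state, addr = reverse_name_to_address(qname)
        if state == "nx":
            return ("NXDOMAIN", [])
        if state == "ent" or qtype != "PTR":
            return ("NOERROR", [])
        return ("NOERROR", [address_to_hostname(addr)])
    state, addr = hostname_to_address(qname)
    if state == "nx":
        return ("NXDOMAIN", [])
    if state == "ent" or qtype != "AAAA":
        return ("NOERROR", [])
    return ("NOERROR", [str(addr)])


if __name__ == "__main__":
    for q, t in [(SAMPLE_REVERSE, "PTR"),
                 ("fedc-ba98-7654-3210-fedc-ba98-7654-3210." + SUFFIX, "AAAA"),
                 ("f.e.d.ip6.arpa.", "PTR"),      # non-terminal: NOERROR, empty
                 ("z.ip6.arpa.", "PTR")]:         # impossible label: NXDOMAIN
        print(q, t, respond(q, t))
```

The only judgement call is the last branch: "z.ip6.arpa" is answered NXDOMAIN because no address can ever sit under a non-hex label, whereas "f.e.d.ip6.arpa" is a real node with 2^116 descendants and is therefore not NXDOMAIN even though it carries no records itself.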