[dnsext] MaraDNS and NXDOMAIN/NOERROR on non-terminal nodes

Sam Trenholme <strenholme.usenet@gmail.com> Sat, 23 April 2011 19:11 UTC

Return-Path: <strenholme.usenet@gmail.com>
X-Original-To: dnsext@ietfc.amsl.com
Delivered-To: dnsext@ietfc.amsl.com
Received: from localhost (localhost []) by ietfc.amsl.com (Postfix) with ESMTP id CD708E0734 for <dnsext@ietfc.amsl.com>; Sat, 23 Apr 2011 12:11:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([]) by localhost (ietfc.amsl.com []) (amavisd-new, port 10024) with ESMTP id Iji6nNbdEQYe for <dnsext@ietfc.amsl.com>; Sat, 23 Apr 2011 12:11:42 -0700 (PDT)
Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com []) by ietfc.amsl.com (Postfix) with ESMTP id 410A3E06A8 for <dnsext@ietf.org>; Sat, 23 Apr 2011 12:11:42 -0700 (PDT)
Received: by iyn15 with SMTP id 15so617859iyn.31 for <dnsext@ietf.org>; Sat, 23 Apr 2011 12:11:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:date:message-id:subject:from:to:cc :content-type; bh=9hxgqxs5f5mqT/0dPieSN0AHMt3b0vTSmwh6JqmL8pU=; b=Ic2XZKjIaUL1Vfu6VdJog/ZmDdhdY9PjfVykRK4txwqiK8NdZh7p0Cs+yGTcUDlUY6 eeTGV+r0dy2nAD0zgATb7XfeeD+0e3F3yWXI00yJmUWqeGwxAfDgk74HjqQRRs+zYlwZ B0/poap3rxs0cYLcEeTauyuNZDtGIVSNOqRPE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:cc:content-type; b=Cfa6zyrOBxnrjs9eDRvVd8wIRWadHKA14yIos/t3iNCHxszWtlibEsMNtTRanz4TUV lP5JiF11/4h0Dm1Dt4jnH2daRp5ZHhCEqyrLDCpFTvagKXuUo0WoBqpDq3Vxcvc/eeMj n+0CgWTlF8g86izueVz/V1+ffaqMM3p582jcI=
MIME-Version: 1.0
Received: by with SMTP id f2mr2756102ice.468.1303585900198; Sat, 23 Apr 2011 12:11:40 -0700 (PDT)
Received: by with HTTP; Sat, 23 Apr 2011 12:11:40 -0700 (PDT)
Date: Sat, 23 Apr 2011 14:11:40 -0500
Message-ID: <BANLkTimgkfQFx8ocrXjv7UFjhCzenwDhKw@mail.gmail.com>
From: Sam Trenholme <strenholme.usenet@gmail.com>
To: dnsext@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Cc: johnl@iecc.com
Subject: [dnsext] MaraDNS and NXDOMAIN/NOERROR on non-terminal nodes
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Apr 2011 19:15:21 -0000

Hello, I am Sam Trenholme, the implementer and maintainer of MaraDNS.
This email discusses whether to return NXDOMAIN or NOERROR with
non-terminal nodes.

I apologize for not writing this email sooner.  I became aware of the
relevant discussion this morning.  A description is here:


To summarize:  Let us suppose we have the DNS name
www.sub.example.com, but, for whatever reason, sub.example.com does
not exist.  Let us further suppose that someone sends a request for
sub.example.com.  Do we return a NXDOMAIN or a "NOERROR" reply?

MaraDNS 1.0 returned a NOERROR reply.  MaraDNS 1.2 and later return a

The reason for the 1.0 -> 1.2 change is because I once got a private
email from a developer of an embedded DNS server.  This server was
unable to process "NOERROR" replies and thought it got a positive
reply if it received a NOERROR answer.

Since MaraDNS uses a hash to store records, it would be non-trivial to
return "NOERROR" for non-terminal nodes.  Since Paul Vixie has said
that "NOERROR" should not be returned in this case, this was
reasonable behavior when I implemented it thusly nearly six years ago.

MaraDNS does not have support for edns0 nor for DNSSEC, so mandating
this behavior only for DNSSEC-aware DNS servers would be reasonable.
However, since MaraDNS is only being maintained and is no longer
actively developed, it would be unfair to create a new RFC that
retcons under what circumstances a NXDOMAIN reply is sent from DNS
servers without edns0/DNSSEC support.

Please update http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00

Thank you for your time,

- Sam

P.S. As an aside, while I do side with DJB here, I do not always agree
with him.  For example: