Re: [dnsext] WG opinion on draft : Improvements to DNS Resolvers, for Resiliency, Robustness, and Responsiveness

[Florian Weimer <fweimer@bfk.de>]

* Paul Vixie:

>> From: Florian Weimer <fweimer@bfk.de>
>> Date: Wed, 23 Feb 2011 15:48:24 +0000
>> 
>> > who is everyone?  i don't think bind or nominum or microsoft's or
>> > american internet's (now cisco's) authority servers have ever sent
>> > nxdomain on an empty non-terminal, and for a long time that was 100%
>> > of the market.
>> 
>> The handling of empty non-terminals was changed in BIND 9.2.3,
>> probably prompted by the standardization work on DNSSECbis.  According
>> to the CHANGES file, this is RT #4715 in your bug tracker.
>
> as marka has explained, this was a dnssec protocol bug, which bind9 tracked.

It is at odds with your ex-cathedra statement (partially quoted
above).

> either way this is unrelated to empty nonterminals, which atlas never had
> to deal with anyway, i should not have mentioned it.

Of course, ATLAS had to deal with them.  COM and NET were not
delegation-only at the time (even with Sitefinder switched off).  The
existance of authoritative child nodes in the zone looked like an
artefact in the way the zone was provisioned, but it still meant that
the particular authoritative server code paths existed, were exposed
and testable from the outside.

I don't know what else is hosted on the ATLAS infrastructure, so I
don't know if it's behavior in this corner cases is relevant.  In any
case, behavior has been changed (or has to be changed) for
DNSSEC-enabled zones, so it is slowly fading away, I guess.

-- 
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99