Re: [dnsext] draft-vixie-dnsext-resimprove - NXDOMAIN for empty non-terminals

Edward Lewis, Tue, 29 March 2011 16:28 UTC

At 17:16 +0100 3/29/11, George Barwood wrote:

>I agree it's quite common for zones to give non-deterministic positive answers
>as a form of load-balancing, where a limited set of A records is randomly
>(or otherwise) selected from a large set. This is not affected.

Using that...when you have A, AAAA, and fallback answers like DNAME
and CNAME, for example.  It might not be just which A to return, but
whether to withhold the AAAA and/or use a query redirection tool.
Consider that ANY queries may come.

With IPv6 whitelisting as an example, I might want to withhold the
existence of a AAAA record from some queriers but not others.

The way the standards read now, it's possible to generate NSEC/3's 
owning a private type for all names that warrant one (NSEC does not 
represent empty non-terminals, NSEC3 does) claiming just a private 
type and things would work.  That's because you don't get a NSEC/3 in 
a positive answer (other than ANY).

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"
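
The last paragraph of the message above, on NSEC/NSEC3 records "claiming just a private type", illustrated as an added example that is not part of the original message: it encodes and decodes the type bitmap in the RFC 4034 section 4.1.2 wire format and lists what such a record would deny if a validator saw it. The type number 65280 (first value of the private-use range) and all function names are assumptions chosen for illustration.

```python
AAAA = 28
PRIVATE_TYPE = 65280  # assumed choice: first code point of the private-use range

def encode_type_bitmap(types):
    """Encode RR types as NSEC/NSEC3 window blocks (RFC 4034, 4.1.2)."""
    windows = {}
    for t in sorted(set(types)):
        if not 0 <= t <= 0xFFFF:
            raise ValueError("RR type out of range: %r" % t)
        window, pos = divmod(t, 256)
        bitmap = windows.setdefault(window, bytearray(32))
        bitmap[pos // 8] |= 0x80 >> (pos % 8)   # bit 0 is the most significant
    out = bytearray()
    for window in sorted(windows):
        bitmap = bytes(windows[window]).rstrip(b"\x00")  # drop trailing zero octets
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)

def decode_type_bitmap(data):
    """Decode window blocks to a sorted type list, rejecting malformed input."""
    types, i, last_window = [], 0, -1
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        window, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or window <= last_window:
            raise ValueError("bad window block")
        block = data[i + 2:i + 2 + length]
        if len(block) != length:
            raise ValueError("truncated bitmap")
        for byte_index, byte in enumerate(block):
            for bit in range(8):
                if byte & (0x80 >> bit):
                    types.append(window * 256 + byte_index * 8 + bit)
        last_window, i = window, i + 2 + length
    return types

def bitmap_denies_type(bitmap, qtype):
    """True if a record carrying this bitmap states that qtype is absent."""
    return qtype not in decode_type_bitmap(bitmap)

# Constructed sample: a bitmap that claims only the private type at a name.
PRIVATE_ONLY = encode_type_bitmap([PRIVATE_TYPE])

if __name__ == "__main__":
    print(PRIVATE_ONLY.hex())                      # wire form of the bitmap
    print(bitmap_denies_type(PRIVATE_ONLY, AAAA))  # AAAA bit is clear
```
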