Re: [dnsext] draft-vixie-dnsext-resimprove - NXDOMAIN for emptynon-terminals

Edward Lewis <Ed.Lewis@neustar.biz> Tue, 29 March 2011 16:28 UTC

Message-Id: <a06240809c9b7b7143e51@[10.31.200.119]>
In-Reply-To: <55128075215341BD92DCAAD00450FA85@local>
References: <alpine.LSU.2.00.1103281507410.5244@hermes-1.csi.cam.ac.uk> <8EA8D1A36B8F4968ABE973C39CA5E0E0@local> <a06240800c9b78d52751f@[10.31.200.116]> <FCB25297BFF0419692724D36AF3BC99E@local> <a06240804c9b79c870558@[10.31.200.119]> <55128075215341BD92DCAAD00450FA85@local>
Date: Tue, 29 Mar 2011 12:29:23 -0400
To: dnsext@ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"

At 17:16 +0100 3/29/11, George Barwood wrote:

>I agree it's quite common for zones to give non-deterministic positive answers
>as a form of load-balancing, where a limited set of A records is randomly
>(or otherwise) selected from a large set. This is not affected.

Using that...when you have A, AAAA, and fallback answers like DNAME 
and CNAME, for example.  It might not be just which A to return, but 
whether to withhold the AAAA and/or use a query redirection tool. 
Consider that ANY queries may come.

With IPv6 whitelisting 
(http://tools.ietf.org/html/draft-livingood-dns-whitelisting-implications-01) 
as an example, I might want to withhold the existence of a AAAA 
record from some queriers but not others.

The way the standards read now, it's possible to generate NSEC/3's 
owning a private type for all names that warrant one (NSEC does not 
represent empty non-terminals, NSEC3 does) claiming just a private 
type and things would work.  That's because you don't get an NSEC/3 in 
a positive answer (other than ANY).
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Me to infant son: "Waah! Waah! Is that all you can say?  Waah?"
Son: "Waah!"
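The type bitmap such an NSEC/NSEC3 would carry is shown below as an added example (not from this thread or from any DNS implementation): it encodes and decodes the RFC 4034 section 4.1.2 window-block format and shows what a validator sees for an AAAA query when the NSEC claims only a private type. TYPE65280 is an assumed value from the private-use type range; the records and query types are constructed for the illustration.

```python
# Constructed example: RFC 4034 4.1.2 NSEC/NSEC3 "Type Bit Maps" encoding.
# Each window block is: window number (type >> 8), bitmap length (1..32),
# then the bitmap with bit 0 = most significant bit of the first octet.
RRTYPE = {"A": 1, "AAAA": 28, "RRSIG": 46, "NSEC": 47}
PRIVATE_TYPE = 65280  # TYPE65280, assumed value from the private-use range


def encode_type_bitmap(types):
    """Build the wire-format type bitmap for an NSEC/NSEC3 owner name."""
    windows = {}
    for t in types:
        if not 0 <= t <= 0xFFFF:
            raise ValueError("RR type out of range: %r" % (t,))
        bm = windows.setdefault(t >> 8, bytearray(32))
        low = t & 0xFF
        bm[low >> 3] |= 0x80 >> (low & 7)
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win].rstrip(b"\x00")  # trailing zero octets are omitted
        out += bytes([win, len(bm)]) + bm
    return bytes(out)


def decode_type_bitmap(data):
    """Parse a type bitmap back into a sorted list of RR type numbers."""
    types, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window block header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed window block")
        for idx, octet in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append((win << 8) | (idx * 8 + bit))
        i += 2 + length
    return types


def validator_view(bitmap, qtype):
    """What a DNSSEC validator concludes for qtype from this owner's NSEC."""
    return "present" if qtype in decode_type_bitmap(bitmap) else "NODATA"


# Name signed as "private type only": a AAAA (or A) query is proven NODATA.
PRIVATE_ONLY = encode_type_bitmap([PRIVATE_TYPE, RRTYPE["RRSIG"], RRTYPE["NSEC"]])
# Name that honestly lists its A and AAAA in the bitmap.
DUAL_STACK = encode_type_bitmap([RRTYPE["A"], RRTYPE["AAAA"], RRTYPE["RRSIG"], RRTYPE["NSEC"]])
```

Because a positive (non-ANY) answer carries no NSEC, the private-type bitmap is what a querier denied the AAAA sees, while a querier given the AAAA never sees the bitmap at all.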