IETF Logo Mail Archive

[DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS

Andrew McConachie <andrew@depht.com> Tue, 24 June 2025 10:20 UTC

Return-Path: <andrew@depht.com>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 03A6E38ACA9B for <dnsop@mail2.ietf.org>; Tue, 24 Jun 2025 03:20:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=depht.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6JgGxJ6AuWB for <dnsop@mail2.ietf.org>; Tue, 24 Jun 2025 03:20:47 -0700 (PDT)
Received: from mout-b-106.mailbox.org (mout-b-106.mailbox.org [IPv6:2001:67c:2050:102:465::106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 813B838ACA89 for <dnsop@ietf.org>; Tue, 24 Jun 2025 03:20:47 -0700 (PDT)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [IPv6:2001:67c:2050:b231:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-106.mailbox.org (Postfix) with ESMTPS id 4bRLZ35XjDzDrRx; Tue, 24 Jun 2025 12:20:43 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=depht.com; s=MBO0001; t=1750760443; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=sITp/Ge0R/kQe0iFd2GLBbei3e5kpmCujSPuNM6VwT8=; b=C6ZPXg2jkjKsmJYGdxM7tnwMW3CEEK3BWr1HMkO+WYvEP+9IQQHbO7HV2LltBXV4NgZkYb ruIXvTwVmqAo3RqR93d8PqlRheeOmpCAojjqxqaQ9EAI6rxbwCMOWRcwe5Kg99Mm9Qs0w4 6GrPX24KMJv25uqDuhiKzlhSusX13Z053SgV1PE4mVf9GMRKyEmm7Q359Z86EjMNHTSstn 0gbQmLaLRB9VtzvEFrcoYMU/s1jX/VqUYjYKXworMDfqt1XX7J/vtxnrfJM2Wzx1Rekcf1 0n5bvScwf3gFNwT3pL6shoRWeU3NLe6pp+iQ0MPv0og0Ekf9ZQzRmN/urnTc2g==
From: Andrew McConachie <andrew@depht.com>
To: Joe Abley <jabley=40strandkip.nl@dmarc.ietf.org>
Date: Tue, 24 Jun 2025 12:20:31 +0200
Message-ID: <35BF9B4D-175B-4442-B379-3B4D9D6FDA2F@depht.com>
In-Reply-To: <D60A06A4-DC62-49A6-9351-BB7EE6323D05@strandkip.nl>
References: <33857674-E1AC-48E7-A4E5-B6953535A86F@depht.com> <D60A06A4-DC62-49A6-9351-BB7EE6323D05@strandkip.nl>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Rspamd-Queue-Id: 4bRLZ35XjDzDrRx
Message-ID-Hash: 5L4QKZ7TYBC26I7KGIIW476LZXSXECN7
X-Message-ID-Hash: 5L4QKZ7TYBC26I7KGIIW476LZXSXECN7
X-MailFrom: andrew@depht.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/-Iz-X4qTm3PH715Pfu6lkQZMk7Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>


On 23 Jun 2025, at 12:21, Joe Abley wrote:

> Hi Andrew,
>
> This seems like a clarifying question rather than the kind of 
> rehashing of an old question that our esteemed chairs would prefer to 
> be put on hold, and hence seems very reasonable to me. If I have 
> misunderstood the chairs' preference here I am sure one of them will 
> tell us :-)
>
Thanks for the detailed response!

> On 23 Jun 2025, at 11:34, Andrew McConachie <andrew@depht.com> wrote:
>
>> I’ve read through the draft as well as the messages on list, but I 
>> still don’t understand the use case for this draft. Why is creating 
>> a delegation to nowhere better than doing nothing?
>
> In practice, people have been using internal namespaces, with and 
> without DNSSEC validation on mobile devices, for long enough that I am 
> not convinced there is a widespread problem to solve. This, I think, 
> is John Levine's pragmatic perspective, which the chairs would like us 
> to stop going on and on an about regardless of whether we agree with 
> John or not.
>
> However, the point of the draft (if I'm right and it has one) is that 
> having a signed proof of non-existence for a (QNAME, QCLASS, QTYPE) 
> from one set of nameservers and answers for the same (QNAME, QCLASS, 
> QTYPE) from a different set of nameservers does introduce ambiguity. I 
> think we could probably all come up with scenarios where believing the 
> non-existence is the right thing to do (e.g. protection from bogus 
> responses), and also other scenarios where believing the responses is 
> the right thing to do (e.g. my local networks, my local rules).
>
> The difference in behaviour between (a) do nothing and (b) zone cut to 
> nowhere is that (a) necessarily leaves the door open to ambiguous 
> responses and (b) does not.
>
> The way that (b) avoids ambiguity is that it deliberately sabotages 
> resolution in the case where there is no definitive answer to give, 
> e.g. in the case where the root servers cannot say whether a name 
> under INTERNAL should exist given the circumstances of a particular 
> device that is asking. This means the device cannot cache an answer 
> that would cause ambiguity because no such answer can be found. You 
> either can't get an answer at all, or you can get an answer that has 
> local significance. As a bonus, this mechanism allows answers of local 
> significance to be signed in a way that can be validated

But a device can also not cache an answer if the name is not present in 
the parent zone. Adding a zone cut to nowhere doesn’t stop a device 
from caching some RRSet. It can stop a device from caching an NSEC RR or 
NXDOMAIN rcode. But the device still doesn’t know which side of the 
DNS-split horizon it currently sits on. I assume most modern devices 
flush their DNS cache at DHCP/SLAAC renewal, so maybe this is a moot 
point.

Regarding the DNSSEC trust chain, it’s broken with both a zone cut to 
nowhere and a non-existent name. I guess the point this draft makes is 
that a signed lame delegation is better than a signed proof of 
non-existence. Either way the private resolver or private authoritative 
will have to ‘fake’ some DNSSEC data, because there can never be a 
‘real’ signed DS RR in the parent zone.

>
> The trade-off may be that there is some operational consequence of the 
> lame delegation to a server that does not exist, e.g. problematic 
> levels of unwanted traffic sent to root servers or query storms or 
> other worrisome effects from resolvers that are dreadfully surprised 
> by the empty hostname. This is the science that Wes is currently 
> stirring in his cauldron.

More testing is always good!

<snip>

>> If so, how SHOULD a resolver on the private side of split-horizon dns 
>> behave when it encounters a zone cut to nowhere?
>
> A resolver that provides responses from a private namespace will not 
> encounter a zone cut to nowhere for that namespace. Such a resolver 
> will have access to DNS data that it can use to return responses, e.g. 
> by being configured to respond authoritatively to zones corresponding 
> to the internal-use namespace, or by having explicit "forwarder" 
> configuration so they know which authoritative nameservers to consult.

Regardless of whether a zone cut to nowehere exists for 
duckling.example.org the behavior of the authoritative server for 
duckling.example.org doesn’t change. There’s no difference between 
the two cases. Please correct me if I’m wrong.

I’m still left with the question of: Why is a (signed/unsigned) 
lame-delegation better than (signed/unsigned) non-existence?

>
> A resolver that is not configured like that or which encounters a zone 
> cut to nowhere for some namespace that it doesn't care about will 
> behave the same as it would when encountering a referral response to 
> servers that can't be resolved. It will fail, hopefully in a 
> predictable way.
>
>
> Joe
> _______________________________________________
> DNSOP mailing list -- dnsop@ietf.org
> To unsubscribe send an email to dnsop-leave@ietf.org

v2.35.0 | Report a Bug | By Email | System Status