Re: [DNSOP] comments on draft-bortzmeyer-dnsop-nxdomain-cut-00

Stephane Bortzmeyer <bortzmeyer@nic.fr> Sun, 22 November 2015 13:59 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78C2D1AC3CC for <dnsop@ietfa.amsl.com>; Sun, 22 Nov 2015 05:59:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.1
X-Spam-Level: *
X-Spam-Status: No, score=1.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9G4pH4S2W5fl for <dnsop@ietfa.amsl.com>; Sun, 22 Nov 2015 05:59:37 -0800 (PST)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [217.70.190.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FCD91A896B for <dnsop@ietf.org>; Sun, 22 Nov 2015 05:59:37 -0800 (PST)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id 44E193C025; Sun, 22 Nov 2015 14:59:35 +0100 (CET)
Received: by tyrion (Postfix, from userid 1000) id E38DFF00ABB; Sun, 22 Nov 2015 14:52:34 +0100 (CET)
Date: Sun, 22 Nov 2015 14:52:34 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: 神明達哉 <jinmei@wide.ad.jp>
Message-ID: <20151122135234.GA1475@laperouse.bortzmeyer.org>
References: <CAJE_bqe98gi0FHAhiug7w9HCrat_m4LpByqDuy=7m9afGiroug@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAJE_bqe98gi0FHAhiug7w9HCrat_m4LpByqDuy=7m9afGiroug@mail.gmail.com>
X-Transport: UUCP rules
X-Operating-System: Ubuntu 15.10 (wily)
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/0AnewNK9cVmApFfjVqnxG70GLS0>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] comments on draft-bortzmeyer-dnsop-nxdomain-cut-00
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Nov 2015 13:59:39 -0000

On Fri, Nov 20, 2015 at 12:12:20PM -0800,
 神明達哉 <jinmei@wide.ad.jp> wrote 
 a message of 79 lines which said:

> I've read draft-bortzmeyer-dnsop-nxdomain-cut-00

Do note that -01 will be out in the next days and there are
substantial changes. So, readers may prefer to wait 48h :-)

> - Abstract: s/status code/response code/

Stupid error fixed,
thanks.
<https://github.com/bortzmeyer/ietf-dnsop-nxdomain/commit/98d3e24cec1afa0feece328164519ba96112e7b1> 

>   I suspect this is highly implementation dependent and so the
>   RFC2119 'SHOULD' is not really appropriate.  First off, what
>   "delete" means isn't very clear.

It is now defined. ' "Deleted" means that subsequent requests for
these names will yield NXDOMAIN. '

>   But even if the resolver doesn't really "delete" the memory, it
>   could look as if it did as long as the resolver doesn't use it for
>   subsequent query handling

Correct, but this is a general rule with IETF protocols: we mandate
the external behavior, not the implementation.

> I suggest stating that more clearly.

Done

>   A minor corner case, but I suspect this is not fully accurate if
>   QNAME is the name specified in the question section.

Added.

If I remember
>   it correctly BIND 9 returns an NXDOMAIN if it finds a CNAME chain
>   that leads to a non-existent name.

And rightly so because of RFC 6604, that I initially forgot, and which
is now a normative reference. Thanks for the reminder.

>    [joost-dnsterror]
>               Joost, M., "About DNS Attacks and ICMP Destination
>               Unreachable Reports", December 2014,
>               <http://www.michael-joost.de/dnsterror.html>.
> 
>   Getting this URL resulted in 403 error.  Is that only for me?

Works for me.

  Trying 77.75.249.241...
* Connected to www.michael-joost.de (77.75.249.241) port 80 (#0)
> GET /dnsterror.html HTTP/1.1
> Host: www.michael-joost.de
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Sun, 22 Nov 2015 13:42:34 GMT
< Server: Apache
< Last-Modified: Tue, 08 Mar 2011 07:45:53 GMT
< ETag: "5208583f-4d-49df3cd4cd24c"
< Accept-Ranges: bytes
< Content-Length: 77
< Vary: Accept-Encoding,User-Agent
< X-Robots-Tag: noindex
< Content-Type: text/html; charset=utf-8
<