IETF Logo Mail Archive

[DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS

Petr Špaček <pspacek@isc.org> Tue, 22 July 2025 15:39 UTC

Return-Path: <pspacek@isc.org>
X-Original-To: dnsop@mail2.ietf.org
Delivered-To: dnsop@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id C09204894D7D for <dnsop@mail2.ietf.org>; Tue, 22 Jul 2025 08:39:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=isc.org header.b="UEaAi8eU"; dkim=pass (1024-bit key) header.d=isc.org header.b="FpH2zdq1"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qoP8Go61Xl-y for <dnsop@mail2.ietf.org>; Tue, 22 Jul 2025 08:39:49 -0700 (PDT)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.2.50]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 1A4664894BF8 for <dnsop@ietf.org>; Tue, 22 Jul 2025 08:39:35 -0700 (PDT)
Received: from zimbra10.isc.org (zimbra10.isc.org [149.20.2.90]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx.pao1.isc.org (Postfix) with ESMTPS id AC3784D124A; Tue, 22 Jul 2025 15:39:34 +0000 (UTC)
ARC-Filter: OpenARC Filter v1.0.0 mx.pao1.isc.org AC3784D124A
Authentication-Results: mx.pao1.isc.org; arc=none smtp.remote-ip=149.20.2.90
ARC-Seal: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1753198774; cv=none; b=J22CBVnZHVTAeI59TT6uCaV5lRHHgwg+HxqEd1PGKDR0qP5jUbT4LoveOi0ioFmDYdGZxdG4Ff0pvZf61jJNKnncgYkzxEBzSHGL9ijpWFUgZ7H8rueBTM5exH6BTbD4shPWECGgd5Y94TYcZdhKT7XOn1QFTsY4e9PevJoU1SQ=
ARC-Message-Signature: i=1; a=rsa-sha256; d=isc.org; s=ostpay; t=1753198774; c=relaxed/relaxed; bh=9IKt+xL4PysqwIbM88ugF05yx6oIIJ3N+MblVOvdJFA=; h=DKIM-Signature:DKIM-Signature:Message-ID:Date:MIME-Version: Subject:To:From; b=Dm3/9+GGYfORTF08eCfiUs0p0NBNHaHidRKxXBJ3/XfGTLXLLhK9cygUSAF8c3GeFa8nvd5hXTWZVdSgeuUiyhqWkpsQ6+zgTAZDsHWtkx5gN+BkDQ10yNKJAetTntLG4811rh4N+LMi7tRfzg6FGKramd/mXq3WevgEqy6XEkk=
ARC-Authentication-Results: i=1; mx.pao1.isc.org
DKIM-Filter: OpenDKIM Filter v2.10.3 mx.pao1.isc.org AC3784D124A
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=isc.org; s=ostpay; t=1753198774; bh=N26RCP/xuy37SSXfyx00lvoPmoI19u4QUjjcsHcAUrI=; h=Date:Subject:To:References:From:In-Reply-To; b=UEaAi8eUPFbLLv1WiqVcAg4cvC3IttsN2ThrPGrY5m6H1K7tfH9f6DXa00V3KRv8I ruxRT4gnPGzUdcF7pB4QByaW73r/+pKPQ9HthY1ukGQJdSUyuMS0y5pd3WktJdvy1H QjixQOIlwYxTAp52QB9SuHInhnAYrK88O+QQ1cgY=
Received: from zimbra10.isc.org (localhost [127.0.0.1]) by zimbra10.isc.org (Postfix) with ESMTPS id AD1D52E601BD; Tue, 22 Jul 2025 15:39:34 +0000 (UTC)
Received: from zimbra10.isc.org (localhost [127.0.0.1]) by zimbra10.isc.org (Postfix) with ESMTPS id A90D62E601BE; Tue, 22 Jul 2025 15:39:34 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.10.3 zimbra10.isc.org A90D62E601BE
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=05DFB016-56A2-11EB-AEC0-15368D323330; t=1753198774; bh=9IKt+xL4PysqwIbM88ugF05yx6oIIJ3N+MblVOvdJFA=; h=Message-ID:Date:MIME-Version:To:From; b=FpH2zdq192U3+DTYBa+oMTq7tdbJNwcWPHKjGoiVH0FYG2JhXuSaylEP8YPGuXTJ+ 7wv+SRHJgNqvgM1rOLiTs+aK0V4ztdYNe9rAO8alMTT8obfJ4xAggJEmdriQRHGJsL 6GlrG0Nka1mkKOg2cChNDohv5YPXGwB9hGfkuKa0=
Received: from [192.168.0.121] (94-143-239-125.chrudim.cz [94.143.239.125]) by zimbra10.isc.org (Postfix) with ESMTPSA id 328372E601BD; Tue, 22 Jul 2025 15:39:34 +0000 (UTC)
Message-ID: <4f9e293e-0663-4bc7-b8ea-5497c43e38b5@isc.org>
Date: Tue, 22 Jul 2025 17:39:32 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: dnsop@ietf.org, Joe Abley <jabley@strandkip.nl>
References: <33857674-E1AC-48E7-A4E5-B6953535A86F@depht.com> <D60A06A4-DC62-49A6-9351-BB7EE6323D05@strandkip.nl> <35BF9B4D-175B-4442-B379-3B4D9D6FDA2F@depht.com> <C48B1F8A-808C-4EFA-A126-793DCFAD9241@strandkip.nl>
Content-Language: en-US
From: Petr Špaček <pspacek@isc.org>
Autocrypt: addr=pspacek@isc.org; keydata= xsFNBF/OJ/4BEAC0jP/EShRZtcI9KmzVK4IoD/GEDtcaNEEQzPt05G8xtC0P4uteXUwW8jaB CdcKIKR4eUJw3wdXXScLNlyh0i+gm5mIvKPrBYNAMOGGnkbAmMQOt9Q+TyGeTSSGiAjfvd/N nYg7L/KjVbG0sp6pAWVORMpR0oChHflzKSjvJITCGdpwagxSffU2HeWrLN7ePES6gPbtZ8HY KHUqjWZQsXLkMFw4yj8ZXuGarLwdBMB7V/9YHVkatJPjTsP8ZE723rV18iLiMvBqh4XtReEP 0vGQgiHnLnKs+reDiFy0cSOG0lpUWVGI50znu/gBuZRtTAE0LfMa0oAYaq997Y4k+na6JvHK hhaZMy82cD4YUa/xNnUPMXJjkJOBV4ghz/58GiT32lj4rdccjQO4zlvtjltjp9MTOFbRNI+I FCf9bykANotR+2BzttYKuCcred+Q7+wSDp9FQDdpUOiGnzT8oQukOuqiEh3J8hinHPGhtovH V22D0cU6T/u9mzvYoULhExPvXZglCLEuM0dACtjVsoyDkFVnTTupaPVuORgoW7nyNl0wDrII ILBqUBwzCdhQpYnyARSjx0gWSG1AQBKkk5SHQBqi1RAYC38M59SkpH0IKj+SaZbUJnuqshXh UIbY1GMHbW/GDhz7pNQFFYm2S4OPUBcmh/0O0Osma151/HjF7wARAQABzR9QZXRyIMWgcGHE jWVrIDxwc3BhY2VrQGlzYy5vcmc+wsGXBBMBCABBAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B AheAAhkBFiEEEVO2++xeDVoSYmDzq9WHzfBlga4FAmd7vqsFCQmG4S0ACgkQq9WHzfBlga5H dA//SNIJAXyYxpoIrQwtTSOded93J+CIYHd2ArxCsS+ZXzeaSkHcqp2QfneLY2yyiQwjeivu MfqEBIASNZ94T+4OjhEHAFaAUJQtYMY7qmH69Q5h1PQMk/HZX4QNEDB6dihjz4wunB2mRcac GnRziAQUAnlHSSZDU2EtTddmRYTCaeX9rU8O5ja0+qPBJket7PjS0yT8DQJF+aKRsQz17ywT 3rNR7NBgeKrkBud4/zE7VRoxSRCPkWkgixEog+AotZt22psgQTv+kWx89+7cTiFZaLMmtV6v Ws8QTpDRDM3hCJBCI6qk61k8SLuQ+5VuVWBM/ozoN1ON2J9anxVTrxhNsFM3RLHV/Qh9p/0y T4our7JxB6dsos3HtlRR2npXS1PMrrXt7ZnnfYao+9zbOrZHC7NRY3feaLhieLx1pKmdDRHT CAbqaGnqX22hYYemtYFzSAv7stCdqdncAEkZJy4HByjQwFVGn8A6rp7H1xV2LmlkNAMEoWrT GJ+wH8A+VA3qbZF9Ab8Ht2GRj3mQQ4h8NnRYjKyqecCQOI5Xmn4S61nQ9y+wOBUSTlAQ6a5n LmMpCVe2/D4pWFxpUxc1z8Hq+uEN95sPgbihiSdgBR50DRdqW57ulFHA9LKJ0AEnBtQfvVth qAkvG8iBYl+UpoX1xW+dbX2g6nI5Rbx8u+EojKXOwU0EX84n/gEQANARNXihDNc1fLNFZK5s O14Yg2TouK9eo9gGh4yLSrmZ3pjtnuJSpTWmGD4g0EYzhwWA/T+CqjUnrhsvzLQ1ECYVqLpM VqK2OJ9PhLRbx1ITd4SKO/0xvXFkUqDTIF6a5mUCXH5DzTQGSmJwcjoRv3ye+Z1lDzOKJ+Qr gDHM2WLGlSZAVGcUeD1S2Mp/FroNOjGzrFXsUhOBNMo8PSC4ap0ZgYeVBq5aiMaQex0r+uM4 45S1z5N2nkNRYlUARkfKirqQxJ4mtj5XPC/jtdaUiMzvnwcMmLAwPlDNYiU0kO5IqJFBdzmJ yjzomVk1zK9AYS/woeIxETs+s6o7qXtMGGIoMWr6pirpHk4Wgp4TS02BSTSmNzParrFxLpEU dFKq3M0IsBCVGvfNgWL2pKKQVq34fwuBhJFQAigR9B3O9mfaeejrqt73Crp0ng0+Q74+Llzj EIJLOHYTMISTJyxYzhMCQlgPkKoj+TSVkRzBZoYFkUt4OXvlFj73wkeqeF8Z1YWoOCIjwXH9 0u2lPEq0cRHHyK+KSeH1zQJ4xgj0QDGPmkvi81D13sRaaNu3uSfXEDrdYYc+TSZd2bVh2VCr xrcfzQ1uz9fsdC9NPdNd7/mHvcAaNc5e9IhNh67L54aMBkzlJi18d0sWXOOHkyLSvbHnC/OP wv7qCf69PUJmtoeHABEBAAHCwXwEGAEIACYCGwwWIQQRU7b77F4NWhJiYPOr1YfN8GWBrgUC Z3u+zwUJCYbhUQAKCRCr1YfN8GWBrmljD/45mvtqiWzATkikxkJjTlxfhJBGUFXUoPXqvo8l 8zACTTnn6/K7v1TcFmtSHtLqQiTGwwq1vGQSjEG+UFzdXohex9MTv+7JHr+fcQfxFtxYeVGn k9fSkRkIdtpUzuCnBC27VYbq5S+nk4+ophmjm7rFVWd4tz+XTFZkuHTRImWxbaF9EZ/fuWmm XaICw+lzGan9BteM1ZSLIjzSPd7LoG55SuoVtAV91J5oLPo6KDOzgPEffalm2LJo7+ZaAeW6 diQUXxQpvAAROR/l1D1DIIQ0OJOqv0QRFyHt/zBbKgWmGaTQqF5aNab4ukVAt0LMsCkCjA11 HhcUnUwrixHR4V8G3UlHTQsWReiXfPerv/BewTsPHSzIfmufNlrBDfS/uIYdwquZfhOSsK9Z DUJFkaHudJC6tRVQ5LBVFqjgtZDllpAj1cOG7WmlTwHblj/r2+LMpOVHApByNkehEOA2c4Bn tcQ/8qSeorJCyd1/5A5+bUFIfIAJbRz4Ja21JgH107oCMX3hsGEzMnuwplYTf9NP4Dq0FQhK vkXzdnDhhXef8nUqF7l32hj9x1BCLFZ4FFe6iuKD7Q9p83Ca1HDdxauIrsrXTsEr1bjg2o/A JXI4A3sUunmiIf/tu+3riXUhA10P1IG11yEQ4y9ogE6knvOraRBwZ8gvFT7J2YLXJrF5mQ==
In-Reply-To: <C48B1F8A-808C-4EFA-A126-793DCFAD9241@strandkip.nl>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: 74RZ2EW7HZE3KGAFT6JEOF2FNI7GW7ZO
X-Message-ID-Hash: 74RZ2EW7HZE3KGAFT6JEOF2FNI7GW7ZO
X-MailFrom: pspacek@isc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [DNSOP] Re: on the more general problem of delegating to other namespaces in the DNS
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3oeXjbA0bkmdKbbHGfXdUb3Ceyc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On 24. 06. 25 13:39, Joe Abley wrote:
> On 24 Jun 2025, at 12:20, Andrew McConachie <andrew@depht.com> wrote:
> 
>> But a device can also not cache an answer if the name is not present in the parent zone.
> 
> Ah, so this is not actually true. A device can cache a negative response from the parent zone, see RFC 2308.
> 
>> Adding a zone cut to nowhere doesn’t stop a device from caching some RRSet.
> 
> It stops a device from caching the non-existence of a name, because a referral response is a signal that the name exists (unlike a NODATA response or an NXDOMAIN response, with or without DNSSEC).
> 
>> Regarding the DNSSEC trust chain, it’s broken with both a zone cut to nowhere and a non-existent name.
> 
> In some cases, the point is to break the chain of trust. An insecure delegation to nowhere is thought by some to be useful in the case of .INTERNAL, for example, so that there is no signed proof of non-existence of the INTERNAL domain possible from a root server that might contradict the existence of the INTERNAL domain in a private namespace.
> 
> In other cases, the opportunity is to preserve a chain of trust. A secure delegation to nowhere for INTERNAL.COMPANY.EXAMPLE zone might be installed in the global-scope COMPANY.EXAMPLE zone; the DS RRSet installed in public might match the KSKs used to sign the DNSKEY RRSet at the INTERNAL.COMPANY.EXAMPLE zone which is visible in a private network. This might allow devices to be able to get secure responses from internal-network nameservers without needing keys to be distributed through mobile device management systems.
> 
>> I guess the point this draft makes is that a signed lame delegation is better than a signed proof of non-existence. Either way the private resolver or private authoritative will have to ‘fake’ some DNSSEC data, because there can never be a ‘real’ signed DS RR in the parent zone.
> 
> See above for a real-world example of when such a secure delegation to nowhere might be useful.
> 
>> I’m still left with the question of: Why is a (signed/unsigned) lame-delegation better than (signed/unsigned) non-existence?


Disclaimer:
I very much support this draft. It makes sense to me conceptually and it 
also solves several operational issues related to delegation vs. DS 
RRset non-existence & private namespaces.


Having said that, I violently disagree with this:

> Because non-existence is a cacheable signal and unreachable is not.
Sorry but this statement is as incorrect as it gets.

The draft section '4. Interpreting a Referral to Nowhere' explicitly 
specifies this is NOT the case and that all normal caching rules apply. 
Here's walk through an example to explain.


Assume these RRsets are in the root zone:
internal. 172800 NS .
. 86400 SOA ... 86400

Let's explore RD=1 query for 'example.internal. A':
- The resolver will get the referral 'internal. NS .'
- Address records will be missing in the referral so it will try to 
fetch '. A' + '. AAAA'
- '. A/AAAA' do not exist and this information will get cached for 
duration specified by '. SOA', see RFC 2308 section 3 and 4.
- This will ultimately cause resolution failure and SERVFAIL will be 
sent back to the client.
- This SERVFAIL will most likely be further cached by RFC 2308 section 
7, at least for 'example.internal. A' tuple. (BAD cache, implementation 
dependent.)

Now imagine a client re-queries again for 'example.internal. A':
- Resolver will check the BAD cache. If it still has previous failure 
cached immediate SERVFAIL ensues.
- If BAD cache expired, resolver will try to resolve the stuff again and 
number of queries sent out to root will depend on state of 'internal. 
NS' and '. A/AAAA' in cache.


For the fun of it, imagine client asked for 'somethingelse.internal. A':
Number of queries going out will depend on state of cache again, except 
that BAD cache might not be applicable if it is keyed on exact 
(QNAME,QTYPE) - depends on implementation.


So all in all, the primary difference will be RCODE SERVFAIL vs. 
NXDOMAIN in response from resolver. Consequently RFC 8198 will not be 
effective for SERVFAILs and a validating resolver has to do marginally 
more work to arrive at the SERVFAIL (consulting cache several times to 
find out there's nobody to contact), but other than that, the end effect 
_of caching_ is effectively the same, including TTLs involved.



This draft potentially could specifying special handling for 'NS .' so a 
nowhere-aware resolver could do less work for these cases and perhaps 
modify it's caching strategy somehow (like, skip BAD cache, shorter TTLs 
and what not). But hey, perhaps there's some insane private instance of 
DNS where '. AAAA' exists!

-- 
Petr Špaček
Internet Systems Consortium

v2.35.0 | Report a Bug | By Email | System Status