Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-03.txt
Stephane Bortzmeyer <bortzmeyer@nic.fr> Sat, 16 March 2024 08:10 UTC
Return-Path: <stephane@laperouse.bortzmeyer.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71829C14F60D for <dnsop@ietfa.amsl.com>; Sat, 16 Mar 2024 01:10:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.658
X-Spam-Level:
X-Spam-Status: No, score=-1.658 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cOtB-xMD4trB for <dnsop@ietfa.amsl.com>; Sat, 16 Mar 2024 01:10:19 -0700 (PDT)
Received: from ayla.bortzmeyer.org (ayla.bortzmeyer.org [92.243.4.211]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BB3CC14F609 for <dnsop@ietf.org>; Sat, 16 Mar 2024 01:10:18 -0700 (PDT)
Received: by ayla.bortzmeyer.org (Postfix, from userid 10) id 5A5EAA012E; Sat, 16 Mar 2024 09:10:16 +0100 (CET)
Received: by smoking.sources.org (Postfix, from userid 1000) id CD9FD1BA24DB; Sat, 16 Mar 2024 08:48:57 +0100 (CET)
Date: Sat, 16 Mar 2024 17:48:57 +1000
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: dnsop@ietf.org
Message-ID: <ZfVO6R2YAmbr88Jb@laperouse.bortzmeyer.org>
References: <170959055561.39905.2007482768877029325@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <170959055561.39905.2007482768877029325@ietfa.amsl.com>
X-Transport: UUCP rules
X-Operating-System: Ubuntu 22.04 (jammy)
X-Charlie: Je suis Charlie
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/4LGgjbGvzOq_PtPZ3b3eMZeixis>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-03.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2024 08:10:23 -0000
On Mon, Mar 04, 2024 at 02:15:55PM -0800, internet-drafts@ietf.org <internet-drafts@ietf.org> wrote a message of 48 lines which said: > Internet-Draft draft-ietf-dnsop-compact-denial-of-existence-03.txt is now > available. It is a work item of the Domain Name System Operations (DNSOP) WG > of the IETF. I just implemented it at the IETF 119 hackathon in Brisbane (programming details at the end), on an authoritative-only server. I think I have done everything that's in the draft, including the EDNS signaling (new flag CO). This was quite simple and the draft is enough to guide the implementor. I find the draft clear and useful. Among the questions raised: * is there an EDE which is recommended when replying to an explicit request for a meta-type (like QTYPE=NXNAME)? The draft says to set the rcode to FormErr but does not discuss EDE. * the draft does not discuss the consequences of compact denial for synthesis of negative answers by a resolver (RFC 8020 and 8198). * [this one is outside the scope of the draft] Is it reasonable/legitimate to reply NODATA for a non-existing name when the client did not set the DO flag, or even when it did not use EDNS? Programming details: the change was made on the Drink authoritative dynamic server <https://framagit.org/bortzmeyer/drink/>. Since Drink only has dynamic signing, it implemented the white lies of RFC 4470. Adding compact denial was mostly removing code since, for the authoritative name server, compact denial is simpler than white lies. But it challenged some assumptions in the code (for instance that the rcode, once set, is not changed during processing of the request) and, in the case of Drink, required changes in several places. The code is in the branch compact-denial <https://framagit.org/bortzmeyer/drink/-/tree/compact-denial?ref_type=heads>.
- [DNSOP] I-D Action: draft-ietf-dnsop-compact-deni… internet-drafts
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Peter Thomassen
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Stephane Bortzmeyer
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Dave Lawrence
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Dave Lawrence
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… John Levine
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Shumon Huque
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… John R Levine
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Dave Lawrence
- Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-… Geoff Huston