Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

"libor.peltan" <libor.peltan@nic.cz> Tue, 30 November 2021 20:06 UTC

Message-ID: <9dacfae6-0dca-8687-466a-6ce20b7d9e88@nic.cz>
Date: Tue, 30 Nov 2021 21:06:10 +0100
To: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>, dnsop@ietf.org
References: <20211129190711.E4E9B36417@rfc-editor.org> <19c96ba9-a582-a24-b73-8e86a08c7b68@nohats.ca> <794d45f4b9093a019b94aee4730161d358b5ba79.camel@powerdns.com> <198228F8-F970-47E3-8690-5B13FB324231@hopcount.ca> <d3957532-33e8-f79f-a94f-8775948c886b@iecc.com> <28d5129a-b543-7d65-6d91-c87b421bbe1c@nic.cz> <d666dd21-10b2-c8d2-16b8-c5c723712613@redbarn.org>
From: "libor.peltan" <libor.peltan@nic.cz>
In-Reply-To: <d666dd21-10b2-c8d2-16b8-c5c723712613@redbarn.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/7hCB9KQVCSqAE15TNHZ4LDzBqQw>
Subject: Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

Hi Paul,
>
> for any non-root server, an RD=0 question for example.onion should be 
> answered with SERVFAIL. this is a condition signal, and the condition 
> is "since i'm hearing this query, someone thinks i'm holding a 
> delegation, and i'm not, so i might be lame for some zone, so the 
> server (me, this authority server) has failed."
>
from what I've observed so far, there seems to be a consensus among the 
authoritative servers out there :) They all answer out-of-bailiwick 
queries with REFUSED. I haven't met any that would say SERVFAIL or 
NOTAUTH or anything else. If you propose to normatively change this, 
with the idea that it would make more sense, then OK, but dunno if it 
has any benefit.

$ kdig @d.in-addr-servers.arpa. nonexistent-tld. +nordflag +noall +header
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 2834
;; Flags: qr; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
$ kdig @a.ns.nic.cz. nonexistent-tld. +nordflag +noall +header
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 63681
;; Flags: qr; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
$ kdig @a0.org.afilias-nst.info. nonexistent-tld. +nordflag +noall +header
;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 45946
;; Flags: qr; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

If you propose that the onion. TLD (non-existing) and its subtree shall be 
an exception (for all auth servers) and answered differently than 
other non-existent TLDs, then OK, but I simply don't like the idea.

Libor
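The same check done by hand, as an added example that is not part of Libor's message nor kdig/Knot code: it builds a DNS query with the RD bit cleared (what kdig's +nordflag does), decodes the 12-byte response header, and maps the RCODE to its name so REFUSED, SERVFAIL and NOTAUTH can be told apart. The two sample responses are constructed inside the script to keep it runnable offline, not captured from the servers quoted above; only `query_status` talks to the network, and the server address it takes is an assumption of the caller.

```python
"""Build an RD=0 DNS query and decode the RCODE of the reply.

Added example (not from the original thread). Wire format per RFC 1035;
the sample replies produced by make_response() are constructed here for
offline use, not real server responses.
"""
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int, rd: bool = False, qtype: int = QTYPE_A) -> bytes:
    """Build a QUERY message; rd=False clears the RD bit like kdig +nordflag.

    Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT (16-bit big-endian).
    FLAGS layout: QR(1) OPCODE(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4).
    """
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header into named fields, including the RCODE name."""
    if len(msg) < 12:
        raise ValueError("short message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": rcode,
        "status": RCODES.get(rcode, f"RCODE{rcode}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def make_response(query: bytes, rcode: int) -> bytes:
    """Constructed sample reply: echo the question with QR=1 and the given RCODE.

    Only used to build offline test vectors; a real server fills in more.
    """
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = ((flags | 0x8000) & ~0x000F) | (rcode & 0xF)
    return struct.pack("!HHHHHH", qid, flags, qd, 0, 0, 0) + query[12:]


def query_status(server_ip: str, name: str, rd: bool = False, timeout: float = 3.0) -> str:
    """Send the query over UDP/53 to server_ip and return the RCODE name.

    Needs network access; everything else in this file runs offline.
    A random ID and the kernel-chosen source port make blind spoofing of the
    reply harder than a fixed ID would.
    """
    qid = secrets.randbelow(0x10000)
    q = build_query(name, qid, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server_ip, 53))
        data, _peer = s.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != qid or not hdr["qr"]:
        raise ValueError("reply does not match the query")
    return hdr["status"]


if __name__ == "__main__":
    q = build_query("nonexistent-tld.", 0x2834)
    for code in (5, 2, 9):
        print(parse_header(make_response(q, code))["status"])
```

To repeat the thread's observation against a live server, call `query_status("<auth server IP>", "nonexistent-tld.")` and compare the returned string with what kdig prints in its `status:` field.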