Re: [DNSOP] NXDOMAIN and RFC 8020

Manu Bretelle <chantr4@gmail.com> Tue, 06 April 2021 22:16 UTC

References: <CAL0qLwai81BFYfG=u-Z+sVgE8aBvU1gGgOjO_vYH_aLP9GsnxA@mail.gmail.com> <CAHPuVdUHfc8+RiciDb2jyzfMbcZU--5VyKKg9ypGdTiMU__N8A@mail.gmail.com> <CAL0qLwbLKzb_rssVH2=HhPDVVSz50_59_HsG73=eL_S8GNeiBg@mail.gmail.com> <CAHPuVdVuYm3WhEk7h8RSix7BGeGDVCEc6V75PFFTBshA=+SffA@mail.gmail.com>
In-Reply-To: <CAHPuVdVuYm3WhEk7h8RSix7BGeGDVCEc6V75PFFTBshA=+SffA@mail.gmail.com>
From: Manu Bretelle <chantr4@gmail.com>
Date: Tue, 06 Apr 2021 15:16:17 -0700
Message-ID: <CAArYzrLXqUaxgUnvikTCnd4yKXC1Si4TqB-YxctT2dsoVXukww@mail.gmail.com>
To: Shumon Huque <shuque@gmail.com>
Cc: "Murray S. Kucherawy" <superuser@gmail.com>, "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/80IZ0J2Gh6n9QcxZdLePSPyv_H8>
Subject: Re: [DNSOP] NXDOMAIN and RFC 8020

On Tue, Apr 6, 2021 at 12:51 PM Shumon Huque <shuque@gmail.com> wrote:
>
> On Tue, Apr 6, 2021 at 3:03 PM Murray S. Kucherawy <superuser@gmail.com> wrote:
>>
>> On Tue, Apr 6, 2021 at 11:48 AM Shumon Huque <shuque@gmail.com> wrote:
>>>
>>> Without DNSSEC, there is no current way to provide an indication about the longest ancestor of the name that did exist. With DNSSEC, the NSEC or NSEC3 records in the response can do this (as well as providing cryptographic proof of this assertion with their signatures).
>>
>>
>> Thanks, this (and the others) is helpful.
>>
>> Focusing on "no current way", could the process described in RFC 8020 theoretically be amended to do so?  It's fine if the answer is "no", but I'd love to understand why if that's the case.
>
>
> I suspect the most common answer to your question will be "No, just deploy DNSSEC". I'm sure one could devise a new protocol enhancement that an authoritative server could use to convey this information, but I'm not sure it is worth complicating the protocol to do so.
>
> Also, even with 8020, there have been concerns raised that resolvers implementing it could be vulnerable to spoofing adversaries easily pruning entire subtrees from their caches (rather than having to spoof many individual names). Unbound, for example, implements 8020 only for signed zones.

Murray, an organization we both know very well does not implement
ENT/RFC8020 for instance... In the case of DNSSEC you get proper
coverage with NSEC even if at best you use White (RFC4470) and Black
(https://tools.ietf.org/html/draft-valsorda-dnsop-black-lies-00) lies.

Manu
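The RFC 8020 subtree inference that Shumon's reply warns about, and the "only for signed zones" gate he attributes to Unbound, modelled as an added example (not from the thread or from any resolver's code); the NegativeCache class, the apply_cut_unsigned switch and the domain names are constructed for illustration.

```python
"""Toy negative cache modelling the RFC 8020 'NXDOMAIN cut'.

An NXDOMAIN for a name implies that every name below it does not exist
either. Applying that inference to an unvalidated answer means a single
forged NXDOMAIN can prune a whole subtree from the cache, so the policy
here only applies the cut when the entry was DNSSEC-validated.
"""
from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    return [lbl for lbl in name.rstrip(".").lower().split(".") if lbl]


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if `name` equals `ancestor` or lies below it in the tree."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


@dataclass
class NegativeCache:
    # Names known not to exist -> whether that proof was DNSSEC-validated.
    nxdomain: dict[str, bool] = field(default_factory=dict)

    def store_nxdomain(self, name: str, validated: bool) -> None:
        self.nxdomain[name.rstrip(".").lower()] = validated

    def lookup(self, qname: str, apply_cut_unsigned: bool = False) -> str:
        """Return 'NXDOMAIN' if the cache can answer negatively, else 'MISS'.

        An exact cached name is always answered (ordinary negative caching).
        The RFC 8020 cut for names *below* a cached NXDOMAIN is applied for
        validated entries, and for unvalidated ones only when the risky
        apply_cut_unsigned switch (hypothetical) is set.
        """
        q = qname.rstrip(".").lower()
        for name, validated in self.nxdomain.items():
            if name == q:
                return "NXDOMAIN"
            if is_subdomain(q, name) and (validated or apply_cut_unsigned):
                return "NXDOMAIN"
        return "MISS"


def demo() -> tuple[str, str, str]:
    """Constructed scenario: unsigned vs. validated NXDOMAIN for a parent."""
    cache = NegativeCache()
    cache.store_nxdomain("example.com.", validated=False)    # unsigned zone
    safe = cache.lookup("www.example.com.")                   # cut withheld
    risky = cache.lookup("www.example.com.", apply_cut_unsigned=True)
    cache.store_nxdomain("nosuch.example.net.", validated=True)
    signed = cache.lookup("a.b.nosuch.example.net.")          # cut applied
    return safe, risky, signed
```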