Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

"Wessels, Duane" <dwessels@verisign.com> Wed, 11 November 2015 01:15 UTC

From: "Wessels, Duane" <dwessels@verisign.com>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Date: Wed, 11 Nov 2015 01:15:37 +0000
Message-ID: <A62EC834-C954-446C-9F7A-AB6D1F955C7F@verisign.com>
References: <20151106082238.GA2307@nic.fr>
In-Reply-To: <20151106082238.GA2307@nic.fr>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/9y0jL4jSp-e9Kzs5_uCHBKlt538>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

Hi Stephane,

I read over this and have a few thoughts to share:

This updates RFC 2308 (Negative Caching of DNS Queries).  This would seem to be the
key text from 2308 to update:

   A negative answer that resulted from a name error (NXDOMAIN) should
   be cached such that it can be retrieved and returned in response to
   another query for the same <QNAME, QCLASS> that resulted in the
   cached negative response.

RFC 2308 defines four types of NXDOMAIN responses, all of which have a CNAME RR
in the answer section.  They differ in the contents of the authority and additional
sections.  I'm not sure why 2308 doesn't have a simple NXDOMAIN type (with no
answer RRs) but it seems likely the new draft will need to address CNAME and friends.

I think the WG needs to discuss and agree whether or not to make the NXDOMAIN cut
based on QNAME only, or on the SOA owner name.  If the goal is to thwart random
qname attacks, then it would be better to use the SOA (or hope for wide adoption
of qname minimization).

Implementing NXDOMAIN cut should also reduce the effectiveness of a Kaminsky attack
since the attack relies on the cache to forward numerous non-existent names.

I think it's a little dangerous to say that an NXDOMAIN response SHOULD cause
a cache to delete already cached "positive" data.  Perhaps MAY is a better
choice there.  Or SHOULD when DNSSEC validated, but MAY without.

In Acknowledgements, s/Roland/Rodney

DW



> On Nov 6, 2015, at 12:22 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> 
> The stuff discussed in Yokohama yesterday.
> 
> From: <internet-drafts@ietf.org>
> Subject: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt
> Date: November 6, 2015 at 12:18:31 AM PST
> To: <i-d-announce@ietf.org>
> Reply-To: <internet-drafts@ietf.org>
> 
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> 
> 
>        Title           : NXDOMAIN really means there is nothing underneath
>        Author          : Stephane Bortzmeyer
>        Filename        : draft-bortzmeyer-dnsop-nxdomain-cut-00.txt
>        Pages           : 7
>        Date            : 2015-11-06
> 
> Abstract:
>   This document states clearly that when a DNS resolver receives a
>   response with status code NXDOMAIN, it means that the name in the
>   question section AND ALL THE NAMES UNDER IT do not exist.
> 
>   REMOVE BEFORE PUBLICATION: this document should be discussed in the
>   IETF DNSOP (DNS Operations) group, through its mailing list.  The
>   source of the document, as well as a list of open issues, is
>   currently kept on at Github [1].
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-bortzmeyer-dnsop-nxdomain-cut/
> 
> There's also a htmlized version available at:
> https://tools.ietf.org/html/draft-bortzmeyer-dnsop-nxdomain-cut-00
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> _______________________________________________
> I-D-Announce mailing list
> I-D-Announce@ietf.org
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> 
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
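The following is an added illustration of the cache behaviour discussed in the message above; it is not code from the message, from the draft, or from any resolver implementation. It models a toy resolver cache that records an NXDOMAIN "cut" at the QNAME and treats every name below the cut as nonexistent, as the draft proposes. The zone data and the upstream function are constructed for the example, and the `dnssec_validated` / `purge_unvalidated` flags are assumptions that mirror the SHOULD-versus-MAY question about purging already cached positive data. The random-qname demo shows the point raised in the message: a cut keyed on the QNAME alone does not cover sibling names directly under the zone apex, so each random name still reaches the upstream server.

```python
"""Toy resolver cache demonstrating an NXDOMAIN cut keyed on the QNAME.

Added example; not from the draft or any real resolver.  Zone data and
policy flags below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field


def labels(name):
    """Split a name into labels, lowest first, ignoring case and a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_at_or_below(name, ancestor):
    """True if name equals ancestor or lies below it ('' is the root)."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


@dataclass
class ResolverCache:
    now: float = 0.0
    positive: dict = field(default_factory=dict)       # name -> (rdata, expiry)
    nxdomain_cuts: dict = field(default_factory=dict)  # cut name -> expiry
    upstream_queries: int = 0

    def _expired(self, expiry):
        return expiry <= self.now

    def store_positive(self, name, rdata, ttl):
        self.positive[name.lower().rstrip(".")] = (rdata, self.now + ttl)

    def store_nxdomain(self, qname, ttl, dnssec_validated=False, purge_unvalidated=False):
        """Record an NXDOMAIN cut at qname (RFC 2308 keys the negative entry on
        <QNAME, QCLASS>; the cut extends it to every name underneath).
        Positive data below the cut is purged only when the NXDOMAIN was
        DNSSEC-validated, or when the operator explicitly opts in (assumed policy)."""
        qname = qname.lower().rstrip(".")
        self.nxdomain_cuts[qname] = self.now + ttl
        if dnssec_validated or purge_unvalidated:
            for cached in list(self.positive):
                if is_at_or_below(cached, qname):
                    del self.positive[cached]

    def covering_cut(self, name):
        """Return the unexpired NXDOMAIN cut that covers name, or None."""
        for cut, expiry in self.nxdomain_cuts.items():
            if not self._expired(expiry) and is_at_or_below(name, cut):
                return cut
        return None

    def resolve(self, name, upstream):
        """Answer from cache when possible; otherwise query upstream and cache the result.
        Returns (rcode, data, source) where source is 'cache' or 'upstream'."""
        key = name.lower().rstrip(".")
        if key in self.positive and not self._expired(self.positive[key][1]):
            return ("NOERROR", self.positive[key][0], "cache")
        cut = self.covering_cut(key)
        if cut is not None:
            return ("NXDOMAIN", cut, "cache")
        self.upstream_queries += 1
        rcode, data, ttl = upstream(key)
        if rcode == "NXDOMAIN":
            self.store_nxdomain(key, ttl)   # unvalidated: positive data is kept
        else:
            self.store_positive(key, data, ttl)
        return (rcode, data, "upstream")


# Constructed sample zone (assumption): only these names exist under example.com.
ZONE = {"example.com": "192.0.2.1", "www.example.com": "192.0.2.2"}


def fake_upstream(name):
    """Constructed authoritative server: names in ZONE exist, all others are NXDOMAIN."""
    if name in ZONE:
        return ("NOERROR", ZONE[name], 300)
    return ("NXDOMAIN", None, 300)


def demo_cut():
    """After NXDOMAIN for bar.example.com, foo.bar.example.com is answered from the cut."""
    cache = ResolverCache()
    cache.resolve("bar.example.com", fake_upstream)
    answer = cache.resolve("foo.bar.example.com", fake_upstream)
    return cache.upstream_queries, answer


def demo_random_qname(n=5):
    """Random names directly under the apex are siblings, not descendants, of
    earlier cuts, so every one of them still costs an upstream query."""
    cache = ResolverCache()
    for i in range(n):
        cache.resolve(f"rand{i}.example.com", fake_upstream)
    return cache.upstream_queries


def demo_positive_below_cut():
    """Unvalidated NXDOMAIN keeps cached positive data below the cut;
    a DNSSEC-validated one purges it."""
    cache = ResolverCache()
    cache.store_positive("www.sub.example.com", "192.0.2.3", 300)
    cache.store_nxdomain("sub.example.com", 300)
    kept = "www.sub.example.com" in cache.positive
    cache.store_nxdomain("sub.example.com", 300, dnssec_validated=True)
    purged = "www.sub.example.com" not in cache.positive
    return kept, purged


if __name__ == "__main__":
    print(demo_cut(), demo_random_qname(), demo_positive_below_cut())
```

`demo_cut()` returns one upstream query and a cached NXDOMAIN for the name below the cut, `demo_random_qname(5)` returns five upstream queries, and `demo_positive_below_cut()` returns `(True, True)`. The conservative default in `resolve` (never purging positive data on an unvalidated NXDOMAIN) is one way to express the MAY-unless-validated position; a resolver that trusted every NXDOMAIN would let a single spoofed negative answer evict legitimate cached records for an entire subtree.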