Re: [DNSOP] ENT and NXDOMAIN: the case of RFC 4035

Matthijs Mekking <matthijs@pletterpet.nl> Mon, 26 September 2016 07:49 UTC

Stephane,

On 25-09-16 10:14, Stephane Bortzmeyer wrote:
> [If you don't enjoy byzantine discussions, with a lot of
> chapter-and-verse mentions of RFCs, please skip the thread.]
> 
> I've been directed recently to RFC 4035 and there is a question I would
> like to ask about its handling of ENTs.
> 
> Section 3.1.3 says:
> 
>    No Data: The zone contains RRsets that exactly match <SNAME, SCLASS>
>       but does not contain any RRsets that exactly match <SNAME, SCLASS,
>       STYPE>.
> 
>    Name Error: The zone does not contain any RRsets that match <SNAME,
>       SCLASS> either exactly or via wildcard name expansion.
> 
> The second item means that a "name error" (NXDOMAIN) is an appropriate
> response for an ENT. It seems to contradict all recent RFCs.
> 
> Section 3.1.3.2 mentions explicitly the ENT but just says to send
> NSEC records, and does not mandate a specific error code (except in
> its title, which is a bit ambiguous).
> 
> My gut feeling is that RFC 4035 is wrong. But I prefer to ask first:
> how do you read it?

I think you are right that 4035 is wrong. I think it meant to say
something like:

  Name Error: The node <SNAME, SCLASS> does not exist in the zone either
exactly or via wildcard name expansion.

where existence is defined in the, at the time not yet existing, RFC 4592
Section 2.2.3.

Best regards,
  Matthijs
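
Added example, not part of the original message or of any RFC or name server code: a small Python model of the two readings discussed in this thread, showing that the literal RFC 4035 Section 3.1.3 wording yields a name error for an empty non-terminal while the RFC 4592 Section 2.2.3 notion of existence yields No Data. The zone contents and the function names are constructed for illustration.

```python
# Added illustration: constructed zone, hypothetical function names.
ZONE = {  # owner name (lowercase, no trailing dot) -> RR types present
    "example": {"SOA", "NS"},
    "a.ent.example": {"A"},   # makes ent.example an empty non-terminal (ENT)
    "*.w.example": {"TXT"},   # wildcard; also makes w.example an ENT
}

def labels(name):
    return name.rstrip(".").lower().split(".")

def node_exists(zone, name):
    """RFC 4592 2.2.3: a name exists if it, or any name below it, owns RRsets."""
    n = labels(name)
    return any(labels(owner)[-len(n):] == n for owner in zone)

def wildcard_owner(zone, qname):
    """Wildcard at the closest encloser of qname, if the zone has one."""
    q = labels(qname)
    for i in range(1, len(q)):            # walk up through proper ancestors
        encloser = ".".join(q[i:])
        if node_exists(zone, encloser):   # first existing ancestor
            wc = "*." + encloser
            return wc if wc in zone else None
    return None

def respond(zone, qname, qtype, rfc4592_existence):
    """Classify a query as ANSWER, NODATA or NXDOMAIN."""
    name = ".".join(labels(qname))
    if rfc4592_existence:
        present = node_exists(zone, name)   # ENTs count as existing
    else:
        present = name in zone              # literal RFC 4035 3.1.3 wording
    if not present:
        owner = wildcard_owner(zone, name)
        if owner is None:
            return "NXDOMAIN"
        name = owner                        # answer synthesized from wildcard
    return "ANSWER" if qtype in zone.get(name, ()) else "NODATA"

if __name__ == "__main__":
    for q in ("ent.example", "w.example", "foo.w.example", "nope.example"):
        print(q, respond(ZONE, q, "A", False), respond(ZONE, q, "A", True))
```
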


