Re: [DNSOP] NXDOMAIN and RFC 8020

John R Levine <johnl@taugh.com> Wed, 07 April 2021 00:01 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED4483A36B1 for <dnsop@ietfa.amsl.com>; Tue, 6 Apr 2021 17:01:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b=cF/CCEm4; dkim=pass (2048-bit key) header.d=taugh.com header.b=AVZmMcOc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DZAzabEVQXyh for <dnsop@ietfa.amsl.com>; Tue, 6 Apr 2021 17:01:16 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28E243A36AE for <dnsop@ietf.org>; Tue, 6 Apr 2021 17:01:15 -0700 (PDT)
Received: (qmail 56893 invoked from network); 7 Apr 2021 00:01:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=de39.606cf649.k2104; bh=x1b0KSo4nXeZ7AbKuGoki/U8kxbTMNfgd87KOMBo9Iw=; b=cF/CCEm4oX0HFmvuHAnJpiSVrbmWq1A8FO+cnkCiBvpy1241vxeL9EKwgxvCaJ7hcKeUEgdC8N2M3jOoJe5ibF9rlMF7eDlJS4thfikWiW8DS6tG+S9GO4VL3DrBch0Rw5uJFBGEE9ExafcjW/QlcvtAETffREIxezEZHyOyp3o37gP18IZrMqhuYa6KwCaZKztBxUVrv4kmZgvW1VsvNGmTg6BemOa1obe9OGHTYAHUNWzNZQzt7kk6NOLKLcoWPktuHlJto0jwskLND7FQNi7LSSGl06P41PbsdKV1u1rzqTYY6lyeN7Wf+ut/5VNKeT+lPGV/yYv1p3c0KInwrg==
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type; s=de39.606cf649.k2104; bh=x1b0KSo4nXeZ7AbKuGoki/U8kxbTMNfgd87KOMBo9Iw=; b=AVZmMcOcQVfmiDkEDDSeLRIpfI/TU9ZQAg6f4PotAsBEq8CjyiV2gZlvAXpUMiVaXSyjB7h0II66dFb6kYKhd6D9KlWAmt52+Q46j2SoirUGaxLJnx57t8koxBN08aN993OVMZ6b1Pd2Oq40Rwfs1Ws1GhC59Yl+QbZRDipmXnCAaDO/nfhl1D03rOro0h4JJVkIScIKPm4kj9cJfdHAGpL+dClswGYMNkYb2MA9KSydpHy77YpGmQ1rs/SMq1KMZGfxIAvWvq97XIcu7Yf0hP8j6Olo9puDSoyl4xwGClLjjPdzZWMYbSwDcavuEz9yoMzREZe1KFnCUsC2od518Q==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 07 Apr 2021 00:01:12 -0000
Received: by ary.qy (Postfix, from userid 501) id 0D25E721F120; Tue, 6 Apr 2021 20:01:11 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by ary.qy (Postfix) with ESMTP id 98702721F102; Tue, 6 Apr 2021 20:01:11 -0400 (EDT)
Date: Tue, 06 Apr 2021 20:01:11 -0400
Message-ID: <a338aa9-1a61-187c-13b1-1ebb548ef92@taugh.com>
From: John R Levine <johnl@taugh.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
X-X-Sender: johnl@ary.qy
In-Reply-To: <CAL0qLwbY22_oH163Ob+DKcojDzmb+ytKUQKr_Z2_9+5x7_dwuA@mail.gmail.com>
References: <CAL0qLwai81BFYfG=u-Z+sVgE8aBvU1gGgOjO_vYH_aLP9GsnxA@mail.gmail.com> <20210406214110.DFA40721DA12@ary.qy> <CAL0qLwbY22_oH163Ob+DKcojDzmb+ytKUQKr_Z2_9+5x7_dwuA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Dmp0vR9FmQPtqFrEIob7_2yPOOY>
Subject: Re: [DNSOP] NXDOMAIN and RFC 8020
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Apr 2021 00:01:22 -0000

>> _dmarc.newjersey.sales.bigcorp.wtf
>> _dmarc.sales.bigcorp.wtf
>> _dmarc.bigcorp.wtf

> Sure, but if I query "_dmarc.newjersey.sales.bigcorp.wtf" and I get back an
> NXDOMAIN for "sales.bigcorp.wtf", I can eliminate at least one query,

But you won't; you'll get back an answer for the name you looked up.

You could do a separate check first for sales.bigcorp.wtf, but as I said I 
don't think that will usually win.  It is my impression that the domain 
name tree is pretty flat, and if you limited a tree walk to four or five 
levels, that would catch every real DMARC record.

Also, if your DNS cache is synthesizing NXDOMAIN results either under a 
higher NXDOMAIN (RFC 8020) or using DNSSEC (RFC 8198), those queries will 
be pretty cheap to handle since they won't cause any upstream queries, so 
you might as well just do the tree walk.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly