Re: [DNSOP] [Technical Errata Reported] RFC7686 (6761)

Paul Wouters <paul@nohats.ca> Mon, 29 November 2021 19:16 UTC

Date: Mon, 29 Nov 2021 14:16:38 -0500 (EST)
From: Paul Wouters <paul@nohats.ca>
To: RFC Errata System <rfc-editor@rfc-editor.org>
cc: dnsop <dnsop@ietf.org>, peter.van.dijk@powerdns.com
In-Reply-To: <20211129190711.E4E9B36417@rfc-editor.org>
Message-ID: <19c96ba9-a582-a24-b73-8e86a08c7b68@nohats.ca>
References: <20211129190711.E4E9B36417@rfc-editor.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Ewtx8aR4DCnbTNkhyXLNjPEIUoQ>
Subject: Re: [DNSOP] [Technical Errata Reported] RFC7686 (6761)

On Mon, 29 Nov 2021, RFC Errata System wrote:

> Original Text
> -------------
>   5.  Authoritative DNS Servers: Authoritative servers MUST respond to
>       queries for .onion with NXDOMAIN.

> Corrected Text
> --------------
>   5.  Authoritative DNS Servers: Authoritative servers MUST respond non-authoritatively to
>       queries for names in .onion.

> The original text for 5 and 6 is conflicting. A name server cannot respond with NXDOMAIN (which is an authoritative answer) without having a zone configured to serve that NXDOMAIN from. Clearly the intent of the text is that clients will not find authoritative answers to .onion queries anywhere in the DNS.

The corrected text does not describe what to return though. I guess the
text implies REFUSED, but perhaps the WG reasoned this was not good as
it would lead to more queries to other servers or instances of the
authoritative server set?

So I agree the Original text has an issue. I haven't been convinced yet
the suggested solution is the right one. After all, we are talking about
"special domains", so perhaps it does warrant an NXDOMAIN despite that
normally being used only within an authoritative context.

Paul
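Added illustration (my own code, not part of the erratum or of Paul's message): the two answer shapes the thread is weighing for a query under .onion, shown at the wire level so the difference is visible. An NXDOMAIN is RCODE 3 with the AA bit set, i.e. an authoritative denial; a REFUSED is RCODE 5 with AA clear, making no claim of authority. The message layout follows RFC 1035 section 4.1; the helper names, the `policy` strings and the sample query are constructed for this example.

```python
import struct

# RFC 1035 response codes and flag bits used below
RCODE_NXDOMAIN = 3
RCODE_REFUSED = 5
FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired (copied from the query)

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as a label sequence (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode labels starting at offset; return (lower-cased name, next offset).
    Compression pointers are rejected: a question section never needs them."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(qname, qid=0x1234, qtype=QTYPE_A):
    """Construct a minimal standard query (RD set) with one question."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(msg):
    """Parse the header and the single question of a query message."""
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": qid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "question": msg[12:off + 4]}


def is_onion(qname):
    """True when the rightmost label is 'onion' (the RFC 7686 special-use TLD)."""
    return qname.rstrip(".").split(".")[-1] == "onion"


def build_response(query, rcode, authoritative):
    """Echo the question and return a reply with no records carrying rcode."""
    q = parse_query(query)
    flags = FLAG_QR | (q["flags"] & FLAG_RD) | (rcode & 0x000F)
    if authoritative:
        flags |= FLAG_AA
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 0)
    return header + q["question"]


def onion_reply(query, policy):
    """Apply one of the two interpretations discussed in the thread to an
    .onion query. Returns None for other names (normal handling applies).
    'nxdomain' models the original RFC text, 'refused' the erratum's reading."""
    q = parse_query(query)
    if not is_onion(q["qname"]):
        return None
    if policy == "nxdomain":
        return build_response(query, RCODE_NXDOMAIN, authoritative=True)
    if policy == "refused":
        return build_response(query, RCODE_REFUSED, authoritative=False)
    raise ValueError("unknown policy: %r" % policy)


def describe(resp):
    """Return (rcode, aa_set), the two header fields the erratum turns on."""
    _, flags = struct.unpack("!HH", resp[:4])
    return flags & 0x000F, bool(flags & FLAG_AA)


if __name__ == "__main__":
    q = build_query("example.onion")  # constructed sample query
    for policy in ("nxdomain", "refused"):
        print(policy, describe(onion_reply(q, policy)))
```

The NXDOMAIN sketch above is header-only; a real NXDOMAIN served from a configured zone also places that zone's SOA record in the authority section so resolvers can cache the denial (RFC 2308), which is precisely what a server with no .onion zone has nothing to put there. That gap is the inconsistency the erratum points at; whether REFUSED is the better answer for a special-use name is the question Paul leaves open.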