Re: [DNSOP] Comment on section 2 of draft-ietf-dnsop-nxdomain-cut-05.txt

Edward Lewis <> Wed, 28 September 2016 13:42 UTC

From: Edward Lewis <>
To: Matthew Pounsett <>, "White, Andrew" <>
Date: Wed, 28 Sep 2016 13:42:19 +0000

On 9/27/16, 18:46, "Matthew Pounsett" <> wrote:
>Would it be better then to leave early expiry as an implementation choice

I think it comes down to implementer's choice.  The goal of the (IETF in general) documents is interoperability.  Whether or not a cache chooses to keep the cached entries or remove them, or the way in which it chooses which of two (or more) valid answers to give, doesn't impact interoperability, so long as the response given is protocol-appropriate.

The issue is, which response (of a set of possible responses) is correct is not definable within the DNS protocol.  So, there's no winner here.

Implementors ought to be aware of choices, but let them choose because they know best what's optimal for their goals.  Well, "ought" might be too strong; implementors just "need" to produce acceptable responses.  If this is over-constrained, goodbye innovation.

For me, I'd never think to cull validated entries because of conflicting information and I'd use the routing-area principle of longest match to decide what to return.  But those are whimsical choices.  I can see that some might want to cull, I just don't see spending cycles managing that.

Ultimately, the goal of the draft is to tell a recursive server that if it can conclusively deduce existence of a name from what it has cached, it is allowed to do so.  Today, if the conclusion is positive, that's how it is.  The draft proposes to add negative conclusions as well.  Perhaps getting into the details of managing what's in the cache, which is not covered beyond TTL expiry "rules", is causing the wrapping around the axle.  (We are talking about the fairly odd example of there being conflicting data.)

As far as DNSSEC, this only works with DNSSEC in place, right?  You need the missing span proofs or you are NXDOMAIN'ing entire zones, not just entire domains (within a zone).
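The cache behaviour discussed in this message (a cached NXDOMAIN for an ancestor used to deny names below it, longest match deciding what wins when the cache holds conflicting data, and entries living only until their TTL expires) can be shown with a toy resolver cache. This is an added example for this thread, written in Python; it is not code from the draft or from any resolver implementation. All names, TTLs and rdata are constructed sample data, and the default policy of only using DNSSEC-validated ancestor NXDOMAINs as a cut is an assumption reflecting the question above, not a statement of what the draft requires.

```python
"""Toy resolver cache showing the NXDOMAIN-cut rule with longest-match lookup.

Added example for this thread; it is not code from the draft or from any
resolver. All names, TTLs and validation flags are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def labels(name: str) -> List[str]:
    """Split an absolute name into labels, root side first.
    'a.b.example.' -> ['example', 'b', 'a']"""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab][::-1]


def ancestors(name: str) -> List[str]:
    """The name and every ancestor short of the root, longest first.
    'a.b.example.' -> ['a.b.example.', 'b.example.', 'example.']"""
    ls = labels(name)
    return [".".join(reversed(ls[:i])) + "." for i in range(len(ls), 0, -1)]


@dataclass
class Entry:
    name: str
    rcode: str                                   # "NOERROR" or "NXDOMAIN"
    rrsets: Dict[str, List[str]] = field(default_factory=dict)  # qtype -> rdata
    expires: float = 0.0                         # absolute time the TTL runs out
    validated: bool = False                      # passed DNSSEC validation?


@dataclass
class Answer:
    rcode: str                                   # "NOERROR", "NXDOMAIN" or "MISS"
    rdata: List[str]
    source: str                                  # "exact", "cut:<ancestor>" or "none"


class Cache:
    # Assumption (the DNSSEC question in the message): by default an ancestor
    # NXDOMAIN is only used as a cut when it was DNSSEC-validated.
    def __init__(self, cut_requires_validation: bool = True) -> None:
        self.entries: Dict[str, Entry] = {}
        self.cut_requires_validation = cut_requires_validation

    def insert(self, e: Entry) -> None:
        # The "never cull" choice: a new entry never evicts conflicting ones;
        # each entry lives until its own TTL expires.
        self.entries[e.name.lower()] = e

    def _live(self, name: str, now: float) -> Optional[Entry]:
        e = self.entries.get(name.lower())
        return None if e is None or e.expires <= now else e

    def lookup(self, qname: str, qtype: str, now: float) -> Answer:
        for depth, name in enumerate(ancestors(qname)):
            e = self._live(name, now)
            if e is None:
                continue
            if depth == 0:                       # exact match: ordinary cache hit
                if e.rcode == "NXDOMAIN":
                    return Answer("NXDOMAIN", [], "exact")
                return Answer("NOERROR", e.rrsets.get(qtype, []), "exact")
            if e.rcode == "NOERROR":
                # Longest match: the nearest ancestor is known to exist, so no
                # higher NXDOMAIN may be used to deny the queried name.
                break
            if e.validated or not self.cut_requires_validation:
                return Answer("NXDOMAIN", [], f"cut:{name}")
            # Unvalidated ancestor NXDOMAIN: not trusted for a cut, keep climbing.
        return Answer("MISS", [], "none")        # resolver must ask upstream


def build_sample_cache(now: float) -> Cache:
    """Constructed cache contents, including the thread's 'conflicting data' case."""
    c = Cache()
    c.insert(Entry("b.example.", "NXDOMAIN", expires=now + 300, validated=True))
    # Conflicts with the NXDOMAIN above: a validated positive answer underneath it.
    c.insert(Entry("a.b.example.", "NOERROR", {"A": ["192.0.2.1"]},
                   expires=now + 300, validated=True))
    c.insert(Entry("x.example.", "NXDOMAIN", expires=now + 300, validated=False))
    return c


if __name__ == "__main__":
    t = 1000.0
    c = build_sample_cache(t)
    for q in ("c.b.example.", "a.b.example.", "d.a.b.example.", "y.x.example."):
        print(q, c.lookup(q, "A", t))
```

With the sample cache, `c.b.example.` is denied from the cached `b.example.` NXDOMAIN, while `a.b.example.` returns its own positive record because the longer match wins; a name under `a.b.example.` is a miss rather than an NXDOMAIN, since the nearest known ancestor exists. The unvalidated `x.example.` NXDOMAIN is used as a cut only when the cache is built with `cut_requires_validation=False`, and every conclusion disappears once the entry's TTL has run out.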