Re: [DNSOP] NXDOMAIN and RFC 8020

Shumon Huque <shuque@gmail.com> Tue, 06 April 2021 19:51 UTC

References: <CAL0qLwai81BFYfG=u-Z+sVgE8aBvU1gGgOjO_vYH_aLP9GsnxA@mail.gmail.com> <CAHPuVdUHfc8+RiciDb2jyzfMbcZU--5VyKKg9ypGdTiMU__N8A@mail.gmail.com> <CAL0qLwbLKzb_rssVH2=HhPDVVSz50_59_HsG73=eL_S8GNeiBg@mail.gmail.com>
In-Reply-To: <CAL0qLwbLKzb_rssVH2=HhPDVVSz50_59_HsG73=eL_S8GNeiBg@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 06 Apr 2021 15:51:13 -0400
Message-ID: <CAHPuVdVuYm3WhEk7h8RSix7BGeGDVCEc6V75PFFTBshA=+SffA@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Is-pOVUdKxRKGd1Frx2mPfiWfgI>

On Tue, Apr 6, 2021 at 3:03 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Tue, Apr 6, 2021 at 11:48 AM Shumon Huque <shuque@gmail.com> wrote:
>
>> Without DNSSEC, there is no current way to provide an indication about
>> the longest ancestor of the name that did exist. With DNSSEC, the NSEC or
>> NSEC3 records in the response can do this (as well as providing
>> cryptographic proof of this assertion with their signatures).
>>
>
> Thanks, this (and the others) is helpful.
>
> Focusing on "no current way", could the process described in RFC 8020
> theoretically be amended to do so?  It's fine if the answer is "no", but
> I'd love to understand why if that's the case.
>

I suspect the most common answer to your question will be "No, just deploy
DNSSEC". I'm sure one could devise a new protocol enhancement that an
authoritative server could use to convey this information, but I'm not sure
it is worth complicating the protocol to do so.

Also, even with 8020, there have been concerns raised that resolvers
implementing it could be vulnerable to spoofing adversaries easily pruning
entire subtrees from their caches (rather than having to spoof many
individual names). Unbound, for example, implements 8020 only for signed
zones.

Shumon.
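The following is an added illustration, not code from this thread or from any resolver: a toy negative cache that applies the RFC 8020 "NXDOMAIN cut" (an NXDOMAIN for a name is also used to answer for names below it) and exposes the policy choice the message describes, namely whether a negative answer that was not DNSSEC-validated may be used for the cut. Unbound's equivalent knob is its `harden-below-nxdomain` option. All names, the `cut_requires_dnssec` flag and the responses are constructed for the example.

```python
# Added example (not part of the DNSOP thread): a toy model of RFC 8020
# "NXDOMAIN cut" negative caching. It shows why a resolver may apply the
# cut only to DNSSEC-validated NXDOMAINs: with unvalidated data, a single
# spoofed NXDOMAIN at a zone apex would remove the whole subtree from view.
from dataclasses import dataclass


def normalize(name: str) -> str:
    """Lower-case a name and drop the trailing dot; the root becomes ''."""
    return name.lower().rstrip(".")


def proper_ancestors(name: str):
    """Yield the parents of `name`, closest first, ending with the root ''."""
    n = normalize(name)
    labels = n.split(".") if n else []
    for i in range(1, len(labels) + 1):
        yield ".".join(labels[i:])


@dataclass
class NegativeEntry:
    validated: bool  # True if the NXDOMAIN carried a validated DNSSEC proof
    ttl: int         # negative TTL, informational in this toy model


class ResolverCache:
    def __init__(self, cut_requires_dnssec: bool = True):
        # Policy flag (constructed name): when True, only validated
        # NXDOMAINs are used to answer for names *below* them.
        self.cut_requires_dnssec = cut_requires_dnssec
        self.nxdomain = {}  # owner name -> NegativeEntry

    def store_nxdomain(self, name: str, validated: bool, ttl: int = 3600) -> None:
        self.nxdomain[normalize(name)] = NegativeEntry(validated, ttl)

    def lookup(self, qname: str):
        """Return ('NXDOMAIN', covering_name) if the cache can answer
        negatively, or None if an upstream query is still needed."""
        q = normalize(qname)
        # RFC 2308 behaviour: exact-name negative hit, independent of DNSSEC
        if q in self.nxdomain:
            return ("NXDOMAIN", q)
        # RFC 8020 behaviour: an ancestor known not to exist covers q
        for anc in proper_ancestors(q):
            entry = self.nxdomain.get(anc)
            if entry is None:
                continue
            if entry.validated or not self.cut_requires_dnssec:
                return ("NXDOMAIN", anc)
        return None


def demo():
    """Constructed scenario comparing a strict and a permissive cache."""
    strict = ResolverCache(cut_requires_dnssec=True)
    permissive = ResolverCache(cut_requires_dnssec=False)
    for cache in (strict, permissive):
        # Legitimate, validated NXDOMAIN from a signed zone.
        cache.store_nxdomain("nonexistent.signed.example", validated=True)
        # Unvalidated NXDOMAIN for an entire domain; the resolver has no
        # cryptographic way to tell whether it is genuine.
        cache.store_nxdomain("unsigned.example", validated=False)
    return {
        # Validated cut: names below the signed NXDOMAIN are answered from cache.
        "strict_below_signed": strict.lookup("a.b.nonexistent.signed.example"),
        # Strict policy: the unsigned NXDOMAIN does not prune the subtree.
        "strict_below_unsigned": strict.lookup("www.unsigned.example"),
        # Permissive policy: one unsigned NXDOMAIN hides every name beneath it.
        "permissive_below_unsigned": permissive.lookup("www.unsigned.example"),
        # Exact-name negative caching is unaffected by the policy flag.
        "strict_exact_unsigned": strict.lookup("unsigned.example"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The strict cache still needs an upstream query for `www.unsigned.example` (the spoofed apex NXDOMAIN only affects that one name, as under RFC 2308), while the permissive cache answers NXDOMAIN for every name under it from a single cached record, which is the subtree-pruning concern raised in the message.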