Re: [DNSOP] Comment on section 2 of draft-ietf-dnsop-nxdomain-cut-05.txt

Matthew Pounsett <> Wed, 28 September 2016 18:38 UTC

From: Matthew Pounsett <>
Date: Wed, 28 Sep 2016 11:37:56 -0700
To: Shumon Huque <>
Cc: Edward Lewis <>, "" <>
Subject: Re: [DNSOP] Comment on section 2 of draft-ietf-dnsop-nxdomain-cut-05.txt

On 28 September 2016 at 10:29, Shumon Huque <> wrote:

> On Wed, Sep 28, 2016 at 11:39 AM, Matthew Pounsett <>
> wrote:
>> On 28 September 2016 at 06:42, Edward Lewis <>
>> wrote:
>>> On 9/27/16, 18:46, "Matthew Pounsett" <> wrote:
>>> >Would it be better then to leave early expiry as an implementation
>>> >choice
>>> Ultimately, the goal of the draft is to tell a recursive server that if
>>> it can conclusively deduce existence of a name from what it has cached, it
>>> is allowed to do so.  Today if the conclusion is positive, that's how it
>>> is.  The draft proposes to add negative conclusions as well.  Perhaps
>>> getting into the details of managing what's in the cache, which is not
>>> covered beyond TTL expiry "rules" is causing the wrapping around the axle.
>>> (We are talking about the fairly odd example of there being conflicting
>>> data.)
>> Taking the view that this is only about interoperability, then I would
>> say the implementor MAY treat names below the NXDOMAIN response as
>> nonexistent, and MAY choose to expire those names early... perhaps with a
>> suggestion that this might be the better choice for data coherence, but
>> still leave it up to the implementor if they've got a better reason to do
>> it otherwise.
> The draft (by working group consensus) is written as "SHOULD treat names
> below as non-existent", but "MAY continue to answer existing positive
> cached entries". I think this managed to cover or at least placate all
> positions expressed by working group participants leading up to the last
> call.
> I'm not sure we'll get new agreement on your proposed revision.

I phrased that badly.  Since we were on the subject of cached entries
already, I assumed that context in my wording.  I should have said "MAY
treat positively cached names below the NXDOMAIN response as nonexistent,
and MAY choose to expire those cached names early."  I think that's in
keeping with the intent of the current text.

There's probably some value in rewording that text though, if it's going to
cause confusion for implementors.  Maybe invert the text?

# When an iterative caching DNS resolver receives an NXDOMAIN response, it
# SHOULD store it in its negative cache.  It MAY choose to immediately remove
# from its positive cache any previously cached names at or below the
# response.  If the cached entries below the NXDOMAIN response are not
# removed, it MAY choose to continue to answer positively for those names
# until the cached entries expire.

# The resolver SHOULD treat all other names at or below the NXDOMAIN response
# as nonexistent and SHOULD respond negatively to queries for such names.