Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

Mark Andrews <marka@isc.org> Wed, 11 November 2015 02:07 UTC

To: "Wessels, Duane" <dwessels@verisign.com>
From: Mark Andrews <marka@isc.org>
References: <20151106082238.GA2307@nic.fr> <A62EC834-C954-446C-9F7A-AB6D1F955C7F@verisign.com>
In-reply-to: Your message of "Wed, 11 Nov 2015 01:15:37 -0000." <A62EC834-C954-446C-9F7A-AB6D1F955C7F@verisign.com>
Date: Wed, 11 Nov 2015 13:07:25 +1100
Message-Id: <20151111020725.34CE83C82BB6@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/QzNU-Q5tNyVn2rpM4a4OGCqFtWo>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]


In message <A62EC834-C954-446C-9F7A-AB6D1F955C7F@verisign.com>, "Wessels, Duane" writes:
> Hi Stephane,
> 
> I read over this and have a few thoughts to share:
> 
> This updates RFC 2308 (Negative Caching of DNS Queries).  This would seem to be the
> key text from 2308 to update:
> 
>    A negative answer that resulted from a name error (NXDOMAIN) should
>    be cached such that it can be retrieved and returned in response to
>    another query for the same <QNAME, QCLASS> that resulted in the
>    cached negative response.
> 
> RFC 2308 defines four types of NXDOMAIN responses, all of which have a CNAME RR
> in the answer section.  They differ in the contents of the authority and additional
> sections.  I'm not sure why 2308 doesn't have a simple NXDOMAIN type (with no
> answer RRs) but it seems likely the new draft will need to address CNAME and
> friends.

Because the intent of the examples was to show the target of the CNAME was
the subject of the NXDOMAIN.  The surrounding text makes it clear that CNAMEs
are not required.  For some reason people like to take things out of context
when the context was written for a reason.
 
> I think the WG needs to discuss and agree whether or not to make the NXDOMAIN cut
> based on QNAME only, or on the SOA owner name.  If the goal is to thwart random
> qname attacks, then it would be better to use the SOA (or hope for wide adoption
> of qname minimization).
> 
> Implementing NXDOMAIN cut should also reduce the effectiveness of a Kaminsky attack
> since the attack relies on the cache to forward numerous non-existent names.
> 
> I think it's a little dangerous to say that an NXDOMAIN response SHOULD cause
> a cache to delete already cached "positive" data.  Perhaps MAY is a better
> choice there.  Or SHOULD when DNSSEC validated, but MAY without.
> 
> In Acknowledgements, s/Roland/Rodney
> 
> DW
> 
> 
> 
> > On Nov 6, 2015, at 12:22 AM, Stephane Bortzmeyer <bortzmeyer@nic.fr> wrote:
> > 
> > The stuff discussed in Yokohama yesterday.
> > 
> > From: <internet-drafts@ietf.org>
> > Subject: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt
> > Date: November 6, 2015 at 12:18:31 AM PST
> > To: <i-d-announce@ietf.org>
> > Reply-To: <internet-drafts@ietf.org>
> > 
> > 
> > 
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> > 
> > 
> >        Title           : NXDOMAIN really means there is nothing underneath
> >        Author          : Stephane Bortzmeyer
> >        Filename        : draft-bortzmeyer-dnsop-nxdomain-cut-00.txt
> >        Pages           : 7
> >        Date            : 2015-11-06
> > 
> > Abstract:
> >   This document states clearly that when a DNS resolver receives a
> >   response with status code NXDOMAIN, it means that the name in the
> >   question section AND ALL THE NAMES UNDER IT do not exist.
> > 
> >   REMOVE BEFORE PUBLICATION: this document should be discussed in the
> >   IETF DNSOP (DNS Operations) group, through its mailing list.  The
> >   source of the document, as well as a list of open issues, is
> >   currently kept on at Github [1].
> > 
> > 
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-bortzmeyer-dnsop-nxdomain-cut/
> > 
> > There's also a htmlized version available at:
> > https://tools.ietf.org/html/draft-bortzmeyer-dnsop-nxdomain-cut-00
> > 
> > 
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> > 
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> > 
> > _______________________________________________
> > I-D-Announce mailing list
> > I-D-Announce@ietf.org
> > https://www.ietf.org/mailman/listinfo/i-d-announce
> > Internet-Draft directories: http://www.ietf.org/shadow.html
> > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> > 
> > 
> > _______________________________________________
> > DNSOP mailing list
> > DNSOP@ietf.org
> > https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
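An added example, not code from the thread, the draft, or any resolver: a toy Python negative cache that applies the rule the draft states (an NXDOMAIN for QNAME covers QNAME and every name under it) and carries a policy switch for Duane's SHOULD/MAY question about deleting already-cached positive data below the cut. It also shows why a QNAME-based cut does not absorb random sibling names under a zone: those still go upstream. The class, method names, owner names, TTLs and clock values are all constructed for illustration.

```python
import time


def _labels(name):
    """Split an owner name into labels, ignoring case and a trailing dot."""
    return name.rstrip(".").lower().split(".")


def is_at_or_below(name, cut):
    """True if `name` equals `cut` or lies underneath it in the DNS tree.
    Comparing whole labels (not string suffixes) keeps notfoo.example.com
    from matching a cut at foo.example.com."""
    n, c = _labels(name), _labels(cut)
    return len(n) >= len(c) and n[-len(c):] == c


class NxdomainCutCache:
    """Hypothetical resolver cache applying the draft's rule: an NXDOMAIN
    cached for QNAME also answers every name below QNAME."""

    def __init__(self, purge_policy="validated"):
        # Treatment of positive data already cached under a new NXDOMAIN cut:
        #   "always"    -> SHOULD-style: always delete it
        #   "validated" -> delete only when the NXDOMAIN was DNSSEC-validated
        #   "never"     -> MAY-style: leave it in place
        self.purge_policy = purge_policy
        self.positive = {}   # (name, rtype) -> (rdata, expiry)
        self.nxdomain = {}   # qname -> expiry   (RFC 2308 negative cache keyed by QNAME)

    def add_positive(self, name, rtype, rdata, ttl, now=None):
        now = time.time() if now is None else now
        self.positive[(name.lower(), rtype)] = (rdata, now + ttl)

    def add_nxdomain(self, qname, ttl, validated=False, now=None):
        now = time.time() if now is None else now
        qname = qname.lower()
        self.nxdomain[qname] = now + ttl
        purge = self.purge_policy == "always" or (
            self.purge_policy == "validated" and validated)
        if purge:
            for key in list(self.positive):
                if is_at_or_below(key[0], qname):
                    del self.positive[key]

    def lookup(self, name, rtype, now=None):
        """Return ("DATA", rdata), ("NXDOMAIN", cut_name) or ("MISS", None)."""
        now = time.time() if now is None else now
        hit = self.positive.get((name.lower(), rtype))
        if hit and hit[1] > now:
            return ("DATA", hit[0])
        # NXDOMAIN cut: an unexpired NXDOMAIN cached at or above `name` answers it,
        # so nothing under a name known to be absent is ever asked upstream.
        for cut, expiry in self.nxdomain.items():
            if expiry > now and is_at_or_below(name, cut):
                return ("NXDOMAIN", cut)
        return ("MISS", None)


def upstream_queries_needed(cache, names, rtype="A", now=None):
    """Count how many of `names` the cache cannot answer and must send upstream."""
    return sum(1 for n in names if cache.lookup(n, rtype, now)[0] == "MISS")


if __name__ == "__main__":
    t0 = 1000.0                                   # constructed clock value
    cache = NxdomainCutCache("validated")
    cache.add_positive("www.foo.example.com", "A", "192.0.2.1", 300, now=t0)
    cache.add_nxdomain("foo.example.com", 600, validated=False, now=t0)
    print(cache.lookup("new.foo.example.com", "A", now=t0))   # answered from the cut
    print(cache.lookup("www.foo.example.com", "A", now=t0))   # positive data kept: not validated
    # Random names beside the cut are not covered: the cut is per QNAME, not per zone.
    siblings = [f"r{i}.example.com" for i in range(5)]        # constructed names
    print(upstream_queries_needed(cache, siblings, now=t0))   # 5
```

The `purge_policy` values map directly onto the three options in Duane's message; the default `"validated"` is his "SHOULD when DNSSEC validated, but MAY without". The sibling count at the end is the point about random-qname traffic: an NXDOMAIN for `foo.example.com` says nothing about `r1.example.com`, so a QNAME-based cut leaves those queries to go upstream.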