Re: [DNSOP] Refusing NS queries, was Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

Paul Vixie <> Mon, 28 December 2015 04:05 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 46B0F1A885B for <>; Sun, 27 Dec 2015 20:05:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ahbQ5_pAp43I for <>; Sun, 27 Dec 2015 20:05:17 -0800 (PST)
Received: from ( [IPv6:2001:559:8000:cd::5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 80BE01A885A for <>; Sun, 27 Dec 2015 20:05:17 -0800 (PST)
Received: from linux-85bq.suse (unknown []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id 75E4013B46; Mon, 28 Dec 2015 04:05:17 +0000 (UTC)
From: Paul Vixie <>
Date: Sun, 27 Dec 2015 20:05:17 -0800
Message-ID: <1488266.dYqgaJyQTX@linux-85bq.suse>
Organization: Vixie Enterprises
User-Agent: KMail/4.14.10 (Linux/4.1.13-5-default; KDE/4.14.10; x86_64; ; )
In-Reply-To: <>
References: <20151228032023.48153.qmail@ary.lan> <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="nextPart16154981.gGfpOLzUX8"
Content-Transfer-Encoding: 7bit
Archived-At: <>
Cc: Paul Wouters <>
Subject: Re: [DNSOP] Refusing NS queries, was Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Dec 2015 04:05:19 -0000

On Sunday, December 27, 2015 10:31:52 PM Paul Wouters wrote:
> The section in question of the draft under discussion talks about the
> specific case where a load balancer is returning REFUSED because it
> did not implement NS queries, and that such behaviour is a violation
> of the RFC.

strictly speaking, rfc's are guidelines, not to be violated or not, but only sometimes to be 
followed. an rfc guides sender behaviour and receiver interpretation. sometimes the 
receivers don't follow the interpretation guidelines, and so it is with REFUSED. REFUSED is 
considered by initiators to pertain to the specific <qname,qtype,qclass,clientIP,serverIP> and 
are not therefore dispositive toward the originating application. "not dispositive" means the 
iteration will continue, trying other serverIP's if any are known, and eventually returning 
SERVFAIL to the originating application if all servers known for this closest encloser refuse or 
fail or time out. in that sense REFUSED is underspecified since these semantics are the same 
as if the server returned SERVFAIL, except the time domain. that is, SERVFAIL pertains to the 
<qname,qtype,qclass,clientIP,serverIP,$now> and as such, a SERVFAIL response should only 
be cached for a limited period. REFUSED is "forever".

> Not implementing NS queries on an authoritative nameserver
> results in a DNS implementation that indeed violates the RFC. The question
> was, which part of which RFC is the best reference to point to.

"violates" is the wrong rubric. the signal is ambiguous as specified and even more ambiguous 
as widely implemented. so, first mover advantage was abused, and you fight now as and 
where and when you are, not as and where and when you might wish to have been. in today's 
world, the safest interpretation is not "what the framers intended" but "how the world 
actually works." and that means treating REFUSED as a synonym for SERVFAIL but with longer 
cache retention.

do not, therefore, treat the REFUSED coming out of these load balancers as dispositive, and 
regard it as being specific to <qname, qtype, qclass, clientIP, serverIP> such that varying any 
member of that tuple could be expected to produce a non-REFUSED answer.

"DNS: You will never find a more wretched hive of slop and ambiguity. We must be cautious." 
(Obi-Wan Mockapetris)

see also:

P Vixie