[DNSOP] Compact Denial of Existence updates
Shumon Huque <shuque@gmail.com> Thu, 25 July 2024 21:05 UTC
From: Shumon Huque <shuque@gmail.com>
Date: Thu, 25 Jul 2024 14:05:28 -0700
Message-ID: <CAHPuVdVPXu_J=byYw+Seqd138rmeh0NW9Ov9XpCkua7-g=SFqg@mail.gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/VPPajm-VttvRmKsR4sGRJbXFLqQ>
DNSOP colleagues,

(Reference: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-compact-denial-of-existence-04 )

We didn't ask for IETF120 agenda time for Compact Denial of Existence since we believe the spec is done, and we hope the chairs will see fit to push out the WGLC notice soon.

A few updates on code point allocation: the draft had 3 actions for IANA:

1. Allocation of the NXNAME RR type code.
2. Allocation of the Invalid Query Type EDE (Extended DNS Error) code.
3. Allocation of the "CO" EDNS header flag (for signaled restoration of the NXDOMAIN RCODE).

The first two of these have been done: NXNAME (using the early allocation process) has been allocated 128, the lowest number in the meta-type space. Invalid Query Type has been allocated EDE code 30. The third one requires Standards Action, so it will need to await RFC publication.

Christian Elmerot/Cloudflare and Jan Vcelak/NS1 are chatting about a coordinated time (with likely pre-announcement to the DNS-OARC dns-operations@ list) for switching their implementations of NXNAME from the currently deployed private RR-type 65283 to 128.

In the meantime, for demonstration purposes, I have a test authority server (using custom code) that implements NXNAME using 128, returns the EDE code for explicit NXNAME queries, and implements NXDOMAIN rcode restoration with the CO header flag. dig output follows ..

Shumon.

##
## Compact Denial NXDOMAIN response using RR type code 128 for NXNAME
##

$ dig +dnssec +nostats nxdomain.deleg.huque.com. A

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8779
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;nxdomain.deleg.huque.com.    IN    A

;; AUTHORITY SECTION:
deleg.huque.com.    1800    IN    SOA    mname.deleg.huque.com. hostmaster.huque.com. 1000000001 43200 3600 3628800 3600
deleg.huque.com.    1800    IN    RRSIG    SOA 13 3 3600 20240727194648 20240725194648 64677 deleg.huque.com. qWrM+jRNrJ7ZZfwNT1Rc0FUd+STnr3u9WXE95LIbQgif1mcFHvEn8Wqy EpC9o/xKmFQE+nc4O835/fp/UCVIdg==
nxdomain.deleg.huque.com.    3600    IN    NSEC    \000.NxdoMaIN.dELeG.HuqUE.COm. RRSIG NSEC TYPE128
nxdomain.deleg.huque.com.    3600    IN    RRSIG    NSEC 13 4 3600 20240727194648 20240725194648 64677 deleg.huque.com. Qfgq/DwYwKyvESavY3xRRW4dgeydOzeOGqBsOVgtcPYrK0pjERA9DEde 1T1oTey7hzGNSZfU7gyCP8qo2/WWyg==

##
## Response to explicit NXNAME query: FORMERR + Invalid Query Type EDE code
##

$ dig @3.216.78.182 +dnssec +nostats +norecurse nxdomain.deleg.huque.com. TYPE128

;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 7918
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 30: (Invalid Query Type)
;; QUESTION SECTION:
;nxdomain.deleg.huque.com.    IN    TYPE128

##
## Signaled NXDOMAIN rcode restoration with "CO" (0x4000) EDNS header flag
##

$ dig @3.216.78.182 +ednsflags=0x4000 +dnssec +nostats +norecurse nxdomain.deleg.huque.com. A

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55809
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; MBZ: 0x4000, udp: 1232
;; QUESTION SECTION:
;nxdomain.deleg.huque.com.    IN    A

;; AUTHORITY SECTION:
deleg.huque.com.    3600    IN    SOA    mname.deleg.huque.com. hostmaster.huque.com. 1000000001 43200 3600 3628800 3600
deleg.huque.com.    3600    IN    RRSIG    SOA 13 3 3600 20240725215435 20240723215435 64677 deleg.huque.com. v9m25W6kcss92fLv10YBp/LLgyICeVZy4mubT65ohl4odEnpGWG2PM6/ ti68sWHAAu8knsPJrmyiOOV6Oc79jQ==
nxdomain.deleg.huque.com.    3600    IN    NSEC    \000.nxdomain.deleg.huque.com. RRSIG NSEC TYPE128
nxdomain.deleg.huque.com.    3600    IN    RRSIG    NSEC 13 4 3600 20240725215435 20240723215435 64677 deleg.huque.com. 9srODFf4XjKIanzfEpfhIe90JADXoU08OMZvoal9Uww06AqBlTh0i8zc lrLuK5XIQVUgup4VMBjkxtFErtcvFw==
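The three dig transcripts above show what a Compact Denial response looks like on the wire: a NOERROR answer whose NSEC at the query name carries TYPE128 (NXNAME) in its type bitmap, a FORMERR with EDE 30 for an explicit TYPE128 query, and a restored NXDOMAIN rcode when the client sets the 0x4000 EDNS flag. The following Python is an added example, not code from the draft, the test server, or the author of the message; it implements the client-side interpretation of those responses from scratch, using only the code points stated in the message (NXNAME = 128, EDE = 30, CO = 0x4000). The NSEC type-bitmap encoder/decoder follows the RFC 4034 section 4.1.2 wire format, and the function and variable names are this example's own.

```python
"""Added example: interpreting Compact Denial of Existence responses.

Assumes the code points reported in the message: NXNAME is RR type 128,
"Invalid Query Type" is EDE code 30, and the CO EDNS header flag is 0x4000.
"""

NXNAME = 128            # NXNAME meta-type (early allocation, per the message)
RRSIG, NSEC = 46, 47    # standard DNSSEC type codes
RCODE_NOERROR, RCODE_FORMERR, RCODE_NXDOMAIN = 0, 1, 3
EDE_INVALID_QUERY_TYPE = 30
EDNS_DO = 0x8000        # DNSSEC OK bit (RFC 3225)
EDNS_CO = 0x4000        # CO flag value quoted in the message (assumed here)


def encode_type_bitmap(types):
    """Encode RR type codes as an NSEC type bitmap (RFC 4034 s4.1.2)."""
    windows = {}
    for t in sorted(set(types)):
        win, off = divmod(t, 256)
        bm = windows.setdefault(win, bytearray(32))
        bm[off // 8] |= 0x80 >> (off % 8)
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win]
        while len(bm) > 1 and bm[-1] == 0:   # trailing zero octets are omitted
            bm.pop()
        out += bytes([win, len(bm)]) + bm
    return bytes(out)


def decode_type_bitmap(data):
    """Decode an NSEC type bitmap back into a sorted list of type codes."""
    types, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32:
            raise ValueError("bitmap length must be 1..32")
        bm = data[i + 2:i + 2 + length]
        if len(bm) != length:
            raise ValueError("truncated bitmap")
        for byte_idx, b in enumerate(bm):
            for bit in range(8):
                if b & (0x80 >> bit):
                    types.append(win * 256 + byte_idx * 8 + bit)
        i += 2 + length
    return types


def classify_negative_response(rcode, qname, qtype, nsec_owner, nsec_bitmap):
    """Turn a Compact Denial negative answer into NXDOMAIN / NODATA.

    With Compact Denial the server answers NOERROR for both cases and places
    an NSEC at the query name itself; NXNAME in the bitmap marks the name as
    non-existent.  A restored NXDOMAIN rcode (CO flag honoured) is taken as-is.
    """
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"
    if rcode != RCODE_NOERROR:
        return "RCODE%d" % rcode
    if nsec_owner.lower().rstrip(".") != qname.lower().rstrip("."):
        return "UNPROVEN"          # the NSEC does not cover the query name
    types = decode_type_bitmap(nsec_bitmap)
    if NXNAME in types:
        return "NXDOMAIN"
    if qtype in types:
        return "INCONSISTENT"      # NSEC claims the type exists yet no answer
    return "NODATA"


def check_query_type(qtype):
    """Server-side rule shown in the second transcript: an explicit NXNAME
    query gets FORMERR plus EDE 30.  Returns None for acceptable types."""
    if qtype == NXNAME:
        return (RCODE_FORMERR, EDE_INVALID_QUERY_TYPE)
    return None


def edns_ttl_field(do=True, co=False, ext_rcode=0, version=0):
    """Build the 32-bit OPT TTL field: ext-rcode, version, then flags."""
    flags = (EDNS_DO if do else 0) | (EDNS_CO if co else 0)
    return (ext_rcode << 24) | (version << 16) | flags


def parse_edns_ttl_field(ttl):
    return {"ext_rcode": ttl >> 24, "version": (ttl >> 16) & 0xFF,
            "do": bool(ttl & EDNS_DO), "co": bool(ttl & EDNS_CO)}


if __name__ == "__main__":
    # Constructed from the first transcript: NSEC bitmap "RRSIG NSEC TYPE128".
    bitmap = encode_type_bitmap([RRSIG, NSEC, NXNAME])
    print(classify_negative_response(RCODE_NOERROR, "nxdomain.deleg.huque.com.",
                                     1, "NxdoMaIN.dELeG.HuqUE.COm.", bitmap))
    print(check_query_type(NXNAME))
    print(hex(edns_ttl_field(do=True, co=True)))
```

The classifier deliberately treats an NSEC whose owner is not the query name as "UNPROVEN" rather than guessing: Compact Denial relies on the NSEC sitting exactly at the queried name, so a validating client should not accept a denial proof that does not.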