IETF Logo Mail Archive

Re: [DNSOP] NXDOMAINs as in RFC 1034

Shumon Huque <shuque@gmail.com> Tue, 29 May 2018 01:46 UTC

Return-Path: <shuque@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D22AA12E055 for <dnsop@ietfa.amsl.com>; Mon, 28 May 2018 18:46:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xdfc6Nmk1MTH for <dnsop@ietfa.amsl.com>; Mon, 28 May 2018 18:46:20 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D74812DB6E for <dnsop@ietf.org>; Mon, 28 May 2018 18:46:20 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id s201-v6so2970777ywg.8 for <dnsop@ietf.org>; Mon, 28 May 2018 18:46:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8sF7FncBSjdLnEAJFCVQUt7NZ2mG8MBpEiJv4PNUhi0=; b=KDIw5UwflVPuv1mprnF5TSCWj2xyeUlI1b/GIZB+qiAb1VpcjumMk16dgY7PHfgbS0 85yhW2bh3gojP5BUT6Qa9tVGfu8edyoyxFT1dZIo3asmMVDi/rGSkS4L8+jfrJSQgckg bDZnuoOD8Kr1BbdN2r7EiJXMRvV6X/kPn4hr3IGs1BqXUgFOJqM4fmXTd69K2Sk5ylMa cP/+GZd4AgStPiKhTY0hYdPMOa9bn4Zf0NFLahGhi4VJHXvKHL+RC12HukGEIFmdXJ8M P4IDPXKz+Vr1L31hMkKR9luNgdZw4ihf/8IhIWiAd5WsFTOSX2h7fwGqXsfua4QZ29Bs twBQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8sF7FncBSjdLnEAJFCVQUt7NZ2mG8MBpEiJv4PNUhi0=; b=VO6Lk9KUCzeaFwJbSIFIdYSYhWOzRU8jEti7J+Q1lHTZYWfyU/EWix7/gxJGHKeZFY IavckmHjCEjrY3M7+n4zugdfyqBEn3qSSN17pCmuDLPnIi4tlSdiieskQEaDAwPmgOaA LOaCb3mhyyxRo6HU8UxhGLMvsPTp0Hg+ppAKRDOCZ2BULdzzI6IyDh5ALGmPU5FIIT3w bHgvjtqYVS1Sd/H2rW02XXcD8HQ/bqjMz6/4dsLfgm0spYqWOA6GNjVZE0Q7uSs/x2QW bPB/pYvw9k2YaCm02GBnXr/sf211rkiMDTdEur3jHt13YWf14pCuIOj+x8l0vJTWH1Qq KDXA==
X-Gm-Message-State: ALKqPwd467i5cfcrB96b11l9bBlxuu0OJkezLjBuZuw1W7+pvHJgTyNx D93ikLLS2tqkfPe4rFXff2eYHj+6wG9FAxLxx5E=
X-Google-Smtp-Source: ADUXVKIXljrbUY3BeKR9EEEMAAUffIBxxjNEBdVvpcxGuiGZf4SCu0lqk1EGf7F5pnOWha8k5eUzxUPou5WAZ8B8SB4=
X-Received: by 2002:a81:7d06:: with SMTP id y6-v6mr3296062ywc.371.1527558379308; Mon, 28 May 2018 18:46:19 -0700 (PDT)
MIME-Version: 1.0
References: <20180528181236.GB26171@jurassic>
In-Reply-To: <20180528181236.GB26171@jurassic>
From: Shumon Huque <shuque@gmail.com>
Date: Mon, 28 May 2018 21:46:08 -0400
Message-ID: <CAHPuVdX8D38XfB98gRuBYr+Vn9v_j_5rxY12R+AF0Cyz04Ggag@mail.gmail.com>
To: muks@mukund.org
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000928e84056d4e668d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/WFOb0XxLsrirUa5cD9qDQEajxrw>
Subject: Re: [DNSOP] NXDOMAINs as in RFC 1034
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2018 01:46:23 -0000

On Mon, May 28, 2018 at 2:13 PM Mukund Sivaraman <muks@mukund.org> wrote:

> Something that keeps coming up recently in private discussions is that
> there's supposedly an ambiguity in RFC 1034/1035 about NXDOMAINs, that
> is practically observed in broken authoritatives on the internet when
> implementing RFC 7816 (qname minimization), and that it was only
> clarified in RFC 8020 (NXDOMAIN: there really is nothing
> underneath). I'm sorry I didn't pay attention when RFC 8020 was being
> discussed, and the RFC itself is nice to have.
>
> There really is no ambiguity in RFC 1034/1035 about NXDOMAINs.  RFC 1034
> doesn't introduce the DNS as a collection of names; names only come
> afterwards. The domain name space is introduced as a tree structure
> composed of nodes. Each node has an associated label of 1-63 octets
> except the root that has a 0 length label. Only then, is a domain name
> defined as the concatenation of labels from a node to the
> root. Everything in the global DNS is this domain name space. There are
> nodes, not names, and names are identifiers for the nodes. A name can't
> be "present" without the corresponding node existing in the domain name
> space.  Due to the tree, it follows that for some node to exist, its
> ancestor nodes on the path to the root must exist. For a domain name to
> exist, all its superdomain names must exist. Hence if a domain name
> (node identifier) does not exist, there can be nothing under it.
>
> There is no ambiguity in RFC 1034/1035, and implementations that return
> NXDOMAIN for empty non-terminals are broken against RFC 1034.
>

Yes, I agree with all of this. As you say, the tree structure of the domain
name
space implies the very interpretation of NXDOMAIN that RFC 8020 attempted
to clarify more explicitly.

As for ambiguities in RFC 1034, the text in 8020 that mentions this issue:

  "This is due to an ambiguity in
   [RFC1034] that failed to distinguish Empty Non-Terminal (ENT) names
   ([RFC7719]) from nonexistent names (Section 3.1)."

came directly from Vixie et. al's resimprove draft (Section 3), which was
RFC 8020's
starting point. Personally, I did not find any ambiguities in RFC 1034 with
respect
to how DNS servers should respond to empty non-terminals, but clearly a
number
of implementations did not do the right thing, so the topic likely did
deserve some
clarification. Also, if I recall correctly, RFC 1034 does not explicitly
mention empty
non-terminals - they did not have a definitional term at that time although
the concept
was surely known.


On Mon, May 28, 2018 at 3:45 PM Paul Vixie <paul@redbarn.org> wrote:

> Mukund Sivaraman wrote:
> > There is no ambiguity in RFC 1034/1035, and implementations that return
> > NXDOMAIN for empty non-terminals are broken against RFC 1034.
>
> while i agree with this (+1), we can look also to 4034/4035, in which an
> NSEC[3] proof treats an ENT as existing. so that's a second way to imply
> what 8020 is explicit about. there was never a time, at any stage of the
> evolution of the DNS specification, when NXD was correct for ENT.
>


Yes, if there was any ambiguity in RFC 1034/1035 regarding NXDOMAIN,
arguably the DNSSEC specs  (and not RFC 8020) were the first to clarify the
issue definitively. I'll additionally mention that authenticated denial
proofs in
DNSSEC do not work at all without the interpretation of NXDOMAIN described
in RFC 8020. For example, the NSEC[3] record that proves that domain name
X does not exist, also proves that no descendant of X exists either (they
all fall
in the same NSEC[3] span. To add another finer detail, an NSEC3
authenticated
denial statement, proves that the "next closer name" does not exist, which
in the
general case, is some ancestor of the qname. That is enough to prove that
the
qname below it does not exist.

-- 
Shumon Huque

v2.23.0 | Report a Bug | By Email