Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dnsop-nxdomain-cut

Shumon Huque <shuque@gmail.com> Sat, 26 December 2015 03:59 UTC

In-Reply-To: <CAHPuVdUrPabJGDe2NEBwzb_RZ7orxdM7BpkkqJUetqXvNQODKQ@mail.gmail.com>
References: <56636011.7010702@gmail.com> <20151213215536.GA31550@sources.org> <CAHPuVdUrPabJGDe2NEBwzb_RZ7orxdM7BpkkqJUetqXvNQODKQ@mail.gmail.com>
Date: Fri, 25 Dec 2015 22:59:35 -0500
Message-ID: <CAHPuVdXyWfpeT18UGoO5=ns=bm8my_U_-GAVmY9BEiHdSntO5g@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/WHbdFwIjQOBjPzqLWRnFJVD01kM>

On Sun, Dec 13, 2015 at 11:12 PM, Shumon Huque <shuque@gmail.com> wrote:

> On Sun, Dec 13, 2015 at 4:55 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr>
> wrote:
>
>> On Sat, Dec 05, 2015 at 05:07:13PM -0500,
>>  Tim Wicinski <tjw.ietf@gmail.com> wrote
>>  a message of 23 lines which said:
>>
>> > This starts a Call for Adoption for draft-bortzmeyer-dnsop-nxdomain-cut
>>
>> Funny, unlike what I wrote in the draft, there is at least a recursor
>> with a partial support of NXDOMAIN cut (off by default):
>>
>> https://doc.powerdns.com/md/recursor/settings/#root-nx-trust
>>
>> root-nx-trust
>>
>> Boolean
>> Default: no
>> Available since: 3.7.0
>> If set, an NXDOMAIN from the root-servers will serve as a blanket
>> NXDOMAIN for the entire TLD the query belonged to. The effect of this
>> is far fewer queries to the root-servers.
>>
>
I also recently discovered that Unbound supports this (and more
generally, not just for the root, but only for signed NXDOMAIN responses),
via the configuration parameter "harden-below-nxdomain".

from https://www.unbound.net/documentation/unbound.conf.html

       harden-below-nxdomain: <yes or no>
              From draft-vixie-dnsext-resimprove, returns nxdomain to queries
              for a name below another name that is already known to be
              nxdomain.  DNSSEC mandates noerror for empty nonterminals, hence
              this is possible.  Very old software might return nxdomain for
              empty nonterminals (that usually happen for reverse IP address
              lookups), and thus may be incompatible with this.  To try to
              avoid this only DNSSEC-secure nxdomains are used, because the
              old software does not have DNSSEC.  Default is off.

The signed negative response requirement probably indirectly addresses
CDN/ENT misbehavior among others. Wonder if anyone uses this knob in
production yet, and if there are experiences to report ..

-- 
Shumon Huque
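As an added example (not Unbound's or PowerDNS's own code, and not part of the message above), the following toy negative cache shows the behaviour the harden-below-nxdomain text describes: an NXDOMAIN cached for a name answers later queries for any name below it, but an unsigned NXDOMAIN is not trusted for the names beneath it, because old software may return NXDOMAIN for an empty non-terminal. The flag names, the (rcode, secure) answer model and the sample names are assumptions made for illustration; `require_secure` is split out as its own flag only so the unsafe variant can be shown side by side.

```python
import time
from dataclasses import dataclass
from typing import Iterator, Optional


def canonical(name: str) -> str:
    """Lowercase a dotted name and drop the trailing dot ("WWW.Example.com." -> "www.example.com")."""
    return name.rstrip(".").lower()


def ancestors(name: str) -> Iterator[str]:
    """Proper ancestors of name, closest first, stopping before the root."""
    labels = canonical(name).split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


@dataclass
class NxEntry:
    expires: float
    secure: bool  # True only if the NXDOMAIN answer was DNSSEC-validated


class NegativeCache:
    """NXDOMAIN cache with optional 'NXDOMAIN cut': names below a cached NXDOMAIN are NXDOMAIN too."""

    def __init__(self, below_nxdomain: bool = True, require_secure: bool = True):
        # below_nxdomain plays the role of Unbound's harden-below-nxdomain knob
        # (hypothetical flag name). require_secure is the safety that text says
        # Unbound applies unconditionally: only DNSSEC-secure NXDOMAINs cut off
        # the names below them. It is a separate flag here only for the demo.
        self.below_nxdomain = below_nxdomain
        self.require_secure = require_secure
        self._nx: dict[str, NxEntry] = {}

    def store(self, qname: str, rcode: str, secure: bool, ttl: int, now: float) -> None:
        """Record a negative answer. Only NXDOMAIN proves the subtree is empty; a
        NOERROR/NODATA (what DNSSEC mandates for an empty non-terminal) is ignored."""
        if rcode != "NXDOMAIN":
            return
        self._nx[canonical(qname)] = NxEntry(expires=now + ttl, secure=secure)

    def _live(self, name: str, now: float) -> Optional[NxEntry]:
        entry = self._nx.get(name)
        if entry is not None and entry.expires <= now:
            del self._nx[name]  # lazy TTL expiry
            return None
        return entry

    def lookup(self, qname: str, now: float) -> Optional[tuple[str, str]]:
        """Return ("NXDOMAIN", why) when the cache can answer, else None (go resolve)."""
        name = canonical(qname)
        if self._live(name, now) is not None:
            return ("NXDOMAIN", "exact:" + name)
        if not self.below_nxdomain:
            return None
        for anc in ancestors(name):
            entry = self._live(anc, now)
            if entry is None:
                continue
            if self.require_secure and not entry.secure:
                # Old software may wrongly answer NXDOMAIN for an empty non-terminal
                # (typically in reverse zones), so an unsigned NXDOMAIN is not used
                # to cut off names beneath it. A farther, signed ancestor still can.
                continue
            return ("NXDOMAIN", "below:" + anc)
        return None


if __name__ == "__main__":
    # Constructed sample answers; none of these names were observed on the wire.
    now = time.time()
    cache = NegativeCache()
    cache.store("gone.example.com.", "NXDOMAIN", secure=True, ttl=300, now=now)
    cache.store("1.168.192.in-addr.arpa", "NXDOMAIN", secure=False, ttl=300, now=now)
    cache.store("ent.example.com", "NOERROR", secure=True, ttl=300, now=now)
    for q in ("www.gone.example.com", "2.1.168.192.in-addr.arpa", "host.ent.example.com"):
        print(q, "->", cache.lookup(q, now))
```

Running it shows `www.gone.example.com` answered from the signed NXDOMAIN for `gone.example.com`, while `2.1.168.192.in-addr.arpa` is not answered from the unsigned NXDOMAIN above it and `host.ent.example.com` is not answered at all, since the NOERROR for the empty non-terminal was never stored as a negative proof.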