Re: [DNSOP] Call for Adoption: draft-bortzmeyer-dnsop-nxdomain-cut
Shumon Huque <shuque@gmail.com> Sat, 26 December 2015 03:59 UTC
In-Reply-To: <CAHPuVdUrPabJGDe2NEBwzb_RZ7orxdM7BpkkqJUetqXvNQODKQ@mail.gmail.com>
References: <56636011.7010702@gmail.com> <20151213215536.GA31550@sources.org> <CAHPuVdUrPabJGDe2NEBwzb_RZ7orxdM7BpkkqJUetqXvNQODKQ@mail.gmail.com>
Date: Fri, 25 Dec 2015 22:59:35 -0500
Message-ID: <CAHPuVdXyWfpeT18UGoO5=ns=bm8my_U_-GAVmY9BEiHdSntO5g@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/WHbdFwIjQOBjPzqLWRnFJVD01kM>
On Sun, Dec 13, 2015 at 11:12 PM, Shumon Huque <shuque@gmail.com> wrote:

> On Sun, Dec 13, 2015 at 4:55 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr>
> wrote:
>
>> On Sat, Dec 05, 2015 at 05:07:13PM -0500,
>> Tim Wicinski <tjw.ietf@gmail.com> wrote
>> a message of 23 lines which said:
>>
>> > This starts a Call for Adoption for draft-bortzmeyer-dnsop-nxdomain-cut
>>
>> Funny, unlike what I wrote in the draft, there is at least a recursor
>> with a partial support of NXDOMAIN cut (off by default):
>>
>> https://doc.powerdns.com/md/recursor/settings/#root-nx-trust
>>
>> root-nx-trust
>>
>> Boolean
>> Default: no
>> Available since: 3.7.0
>> If set, an NXDOMAIN from the root-servers will serve as a blanket
>> NXDOMAIN for the entire TLD the query belonged to. The effect of this
>> is far fewer queries to the root-servers.
>>
> I also recently discovered that Unbound also supports this (and more
> generally, not just for the root, but only for signed NXDOMAIN responses),
> via the configuration parameter "harden-below-nxdomain".

From https://www.unbound.net/documentation/unbound.conf.html

    harden-below-nxdomain: <yes or no>
        From draft-vixie-dnsext-resimprove, returns nxdomain to queries
        for a name below another name that is already known to be
        nxdomain. DNSSEC mandates noerror for empty nonterminals, hence
        this is possible. Very old software might return nxdomain for
        empty nonterminals (that usually happen for reverse IP address
        lookups), and thus may be incompatible with this. To try to
        avoid this only DNSSEC-secure nxdomains are used, because the
        old software does not have DNSSEC. Default is off.

The signed negative response requirement probably indirectly addresses
CDN/ENT misbehavior among others.

Wonder if anyone uses this knob in production yet, and if there are
experiences to report ..

--
Shumon Huque
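The two resolver behaviours discussed in this thread, Unbound's harden-below-nxdomain (answer NXDOMAIN for any name below a cached NXDOMAIN, but only when that negative answer was DNSSEC-validated) and PowerDNS's root-nx-trust (an NXDOMAIN from the root servers blankets the whole TLD), can be modelled with a small negative cache. The following is an added example written for this archive page; it is not code from Unbound, PowerDNS, or any of the posters, and the NegativeCache class, its method names and the cached names and queries in it are constructed for illustration. It shows why the "DNSSEC-secure only" safeguard matters: an unvalidated NXDOMAIN that an old authoritative server returned for an empty non-terminal (the in-addr.arpa case the Unbound text mentions) must not be used to synthesise NXDOMAIN for names beneath it.

```python
# Added example: a toy negative cache modelling the two "NXDOMAIN cut"
# knobs discussed in the thread. Not Unbound or PowerDNS code; all names
# and cache entries below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class NegEntry:
    """A cached NXDOMAIN: owner name, whether the answer was DNSSEC-validated,
    and whether it was received from the root servers."""
    name: str
    secure: bool
    from_root: bool


def canonical(name: str) -> str:
    """Lowercase and drop the trailing dot so comparisons are label-based."""
    return name.rstrip(".").lower()


def labels(name: str) -> list:
    n = canonical(name)
    return n.split(".") if n else []


def is_below(qname: str, owner: str) -> bool:
    """True when qname is a proper subdomain of owner (owner '' is the root)."""
    q, o = labels(qname), labels(owner)
    if not o:
        return len(q) > 0
    return len(q) > len(o) and q[-len(o):] == o


def tld_of(qname: str) -> str:
    lab = labels(qname)
    return lab[-1] if lab else ""


class NegativeCache:
    """Hypothetical resolver negative cache with the two policies as flags."""

    def __init__(self, harden_below_nxdomain: bool = False,
                 root_nx_trust: bool = False):
        self.harden_below_nxdomain = harden_below_nxdomain
        self.root_nx_trust = root_nx_trust
        self.entries = {}  # canonical owner name -> NegEntry

    def record_nxdomain(self, name: str, secure: bool,
                        from_root: bool = False) -> None:
        """Store an NXDOMAIN answer. With root-nx-trust, an NXDOMAIN from the
        root is recorded against the TLD so that it blankets the whole TLD."""
        owner = canonical(name)
        if self.root_nx_trust and from_root:
            owner = tld_of(name)
        self.entries[owner] = NegEntry(owner, secure, from_root)

    def covering_entry(self, qname: str):
        """Return the cached NXDOMAIN that lets us answer qname without an
        upstream query, or None if we must recurse."""
        q = canonical(qname)
        if q in self.entries:
            return self.entries[q]        # exact hit: ordinary negative caching
        for owner, entry in self.entries.items():
            if not is_below(q, owner):
                continue
            if self.root_nx_trust and entry.from_root:
                return entry              # blanket NXDOMAIN for the TLD
            if self.harden_below_nxdomain and entry.secure:
                return entry              # NXDOMAIN cut: validated answers only
        return None

    def lookup(self, qname: str) -> str:
        """'NXDOMAIN' if answerable from the negative cache, else 'RECURSE'."""
        return "NXDOMAIN" if self.covering_entry(qname) else "RECURSE"


if __name__ == "__main__":
    cache = NegativeCache(harden_below_nxdomain=True)
    cache.record_nxdomain("nope.example.com", secure=True)
    cache.record_nxdomain("1.10.in-addr.arpa", secure=False)  # old ENT-misbehaving server
    for q in ("www.nope.example.com", "other.example.com", "2.1.10.in-addr.arpa"):
        print(f"{q:28} -> {cache.lookup(q)}")
```

With harden_below_nxdomain on, www.nope.example.com is answered from cache because the NXDOMAIN for nope.example.com was validated, while 2.1.10.in-addr.arpa still goes upstream because its covering NXDOMAIN was unsigned. With the knob off, every name below a cached NXDOMAIN is recursed, which is the default both implementations ship with.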