Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

Paul Wouters <paul@nohats.ca> Mon, 28 December 2015 03:02 UTC

Date: Sun, 27 Dec 2015 22:02:08 -0500
From: Paul Wouters <paul@nohats.ca>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <20151228023226.48008.qmail@ary.lan>
Message-ID: <alpine.LFD.2.20.1512272149120.27044@bofh.nohats.ca>
References: <20151228023226.48008.qmail@ary.lan>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/XNa2RYx44dipogx9eUGzKOkm8aI>
Subject: Re: [DNSOP] Barry Leiba's Yes on draft-ietf-dnsop-qname-minimisation-08: (with COMMENT)

On Sun, 28 Dec 2015, John Levine wrote:

>>> NEW
>>>    For instance, some authoritative name servers embedded in load
>>>    balancers reply properly to A queries but send REFUSED to NS queries.
>>>    This behaviour violates the DNS protocol (see Section ??? of [RFC??],
>>>    and improvements to the DNS are impeded if we accept such behaviour
>>>    as normal.
>>> END
>>
>> Does anyone have an idea of the reference to use to replace the "???"
>>
>> For me, such a behavior is so obviously wrong that I cannot think of a
>> precise chapter-and-verse to quote...
>
> I don't see why it's not valid behavior.  REFUSED means "The name
> server refuses to perform the specified operation for policy reasons."
> If my policy is not to tell you about NS records, that's my policy.
> It may be a stupid policy that causes downstream problems, but it's my
> right to be stupid.

Being listed as nameserver while unconditionally refusing all NS queries
leads to a guaranteed failure with DNSSEC as there would not be a signed
NS RRset published anywhere. It's much more than being stupid, it is a
blatant protocol violation and definitely NOT valid behaviour.

Where to point to is indeed tricky. Maybe one could point to
https://tools.ietf.org/html/rfc1035#section-3.3.11

    The NS RR states that the named host should be expected to have a zone
    starting at owner name of the specified class.

I would interpret that to mean that a parental NS glue record signifies
that the RDATA target must point to something that has that zone at the
owner name. Thus the NS queries at that target should return proper
results for NS queries (to itself).

Paul
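The check the thread is arguing about, as an added example that is not part of the draft text or of any message in the thread: send "<zone> IN NS" (with the DO bit set, as a validating resolver would) to a server the parent delegates the zone to, and flag the answers that break a QNAME-minimising or DNSSEC-validating resolver, namely REFUSED, an NS RRset that does not name the server, and an NS RRset with no RRSIG. The wire-format builder and parser are written for this example; the zone name example.com, the server names ns1/ns2.example.com, and both responses fed to the check are constructed inline for illustration, and the RRSIG in the constructed "good" answer is a placeholder whose only meaningful field is the type covered.

```python
# Added example: NS query builder, answer parser, and the check discussed in the thread.
import struct

NOERROR, REFUSED = 0, 5
TYPE_NS, TYPE_OPT, TYPE_RRSIG = 2, 41, 46
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels).lower() + ".", (end or off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def build_ns_query(zone, txid=0x1234, dnssec_ok=True):
    """'<zone> IN NS' with RD=1 and, if dnssec_ok, an EDNS0 OPT RR carrying the DO bit."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(zone) + struct.pack("!HH", TYPE_NS, CLASS_IN)
    # OPT RR: root owner, type OPT, UDP payload 1232, ext-rcode 0, version 0, DO flag, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, 0x8000, 0) if dnssec_ok else b""
    return hdr + question + opt

def parse_response(msg):
    """Return (rcode, answers); an answer is (owner, type, NS target | RRSIG type-covered | raw rdata)."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                   # skip the question section
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_NS:
            val = decode_name(msg, off)[0]
        elif rtype == TYPE_RRSIG:
            val = struct.unpack("!H", msg[off:off + 2])[0]  # type covered
        else:
            val = msg[off:off + rdlen]
        answers.append((owner, rtype, val))
        off += rdlen
    return flags & 0x000F, answers

def check_ns_target(zone, server, response):
    """Problems with <server>'s answer to '<zone> NS', given that the parent delegates <zone> to it."""
    zone, server = zone.lower(), server.lower()
    rcode, answers = parse_response(response)
    if rcode != NOERROR:
        return ["server returned %s to the NS query"
                % ("REFUSED" if rcode == REFUSED else "rcode %d" % rcode)]
    problems = []
    targets = {t for o, ty, t in answers if ty == TYPE_NS and o == zone}
    if not targets:
        problems.append("answer carries no NS RRset for the zone")
    elif server not in targets:
        problems.append("server is not listed in the zone's own NS RRset")
    if not any(ty == TYPE_RRSIG and cov == TYPE_NS for _, ty, cov in answers):
        problems.append("no RRSIG covering the NS RRset")
    return problems

def make_response(zone, txid, rcode, ns_targets=(), signed=False):
    """Constructed authoritative answer for the demo; the RRSIG is a placeholder, not a real signature."""
    rrs, count = b"", 0
    for target in ns_targets:
        rdata = encode_name(target)
        rrs += encode_name(zone) + struct.pack("!HHIH", TYPE_NS, CLASS_IN, 3600, len(rdata)) + rdata
        count += 1
    if signed:  # type covered, alg 13, labels, orig TTL, expiration, inception, key tag, signer, sig
        rdata = struct.pack("!HBBIIIH", TYPE_NS, 13, 2, 3600, 0, 0, 0) + encode_name(zone) + bytes(64)
        rrs += encode_name(zone) + struct.pack("!HHIH", TYPE_RRSIG, CLASS_IN, 3600, len(rdata)) + rdata
        count += 1
    hdr = struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, count, 0, 0)   # QR=1, AA=1
    return hdr + encode_name(zone) + struct.pack("!HH", TYPE_NS, CLASS_IN) + rrs

def demo(zone="example.com.", server="ns1.example.com."):
    """Run the check on a constructed REFUSED answer and on a constructed signed NS answer."""
    refused = make_response(zone, 7, REFUSED)
    proper = make_response(zone, 7, NOERROR, (server, "ns2.example.com."), signed=True)
    return check_ns_target(zone, server, refused), check_ns_target(zone, server, proper)

if __name__ == "__main__":
    print(demo())
```

Against a live server the same question is what `dig @ns1.example.com example.com NS +dnssec` asks; the bytes from build_ns_query can be sent over a plain UDP socket to port 53 and the reply handed to check_ns_target. The check deliberately stops at "is there an RRSIG covering NS" and does not validate the signature; the point of the thread is that a server which answers REFUSED never gets that far, so there is nothing for a validator to verify.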