Re: [DNSOP] Clarifying referrals (#35)

Andrew Sullivan <> Tue, 14 November 2017 06:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C5F9A127337 for <>; Mon, 13 Nov 2017 22:32:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=UTPziQ7L; dkim=pass (1024-bit key) header.b=Dj4qTCm/
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5asXgHHeOxQI for <>; Mon, 13 Nov 2017 22:32:20 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3800812717E for <>; Mon, 13 Nov 2017 22:32:20 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9357BBF56B for <>; Tue, 14 Nov 2017 06:32:19 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1510641139; bh=t9AV0ZjfBorpJvQ4OpoHnKT69HEDuGYw71nf5b+ManY=; h=Date:From:To:Subject:References:In-Reply-To:From; b=UTPziQ7LqMj/rOAicw4G9YK7jq5BDwUk7JN51xMu40CbjPODEdydNxdDG7bM8uKBJ TQgc2BCodB85WWeUxBzzo9+dd2DDE9COSOlLEwI8at6yd/mIGfnO/tzW6qSgPrtEDr krLXKV4HQ02HC119YQnknbf97FXFk/z7sEyHSru4=
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KG4ar33ULZ78 for <>; Tue, 14 Nov 2017 06:32:17 +0000 (UTC)
Date: Tue, 14 Nov 2017 01:32:10 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1510641137; bh=t9AV0ZjfBorpJvQ4OpoHnKT69HEDuGYw71nf5b+ManY=; h=Date:From:To:Subject:References:In-Reply-To:From; b=Dj4qTCm/OOHKyrwkmeIHsUvVwpYb8O+UCqOXQ6TdEPwTpykTAt4nwxSJi1GsM3dYu 3webQpKbcjJP34vBOK8Fz4VZEmZgTIBlCXz+XJV08zJuVrdDsvSVxDnr++OVhB29Qu Z6ooGIinDSzfuYzHEX21uxF5LFqSAQf74X9tODyY=
From: Andrew Sullivan <>
Message-ID: <>
References: <> <> <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
Archived-At: <>
Subject: Re: [DNSOP] Clarifying referrals (#35)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Nov 2017 06:32:22 -0000


On Mon, Nov 13, 2017 at 08:14:14AM -0800, Paul Vixie wrote:
> > If I ask the authoritative server for about a name
> >, in a graph-theoretic sense the NS RRset for the
> > root zone is clearly closer to than anything else I
> > can give.
> dns is not that kind of graph.
> if the qname is and the query is being processed by the
> authority server who knows that is a delegation, then
> is closer to than the root would be.

Obviously.  But your example is still on the current tree, just not
immediately below.  The example I gave is in a completely different
section of the tree, and my point is that none of the text you quoted
shows why "." isn't the "closer server" that an authoritative server
somewhere beneath com. can give in response to a qname that is
somewhere beneath net.  We might think today that is a misfeature in
STD13, but I don't think it's a misinterpretation of what STD13 says.
I don't know what kind of graph would make that false.

> as i wrote during the SOPA wars, REFUSED has been widely used as an
> administrative denial, and repurposing it would not be effective at this
> late date.

This, too, seems to be a claim that is at best poorly justified.  It
might be that it is how BIND interprets the RCODE, but it's not what
it is defined to be. I'm anyway not sure your description in the
circleid piece (or elsewhere) is inconsistent with the RFC 1035
definition of RCODE 5: "The name server refuses to perform the
specified operation for policy reasons."  Refusing to respond to this
or that IP address is a policy, and refusing to perform upward
referrals is also a policy, no?

Best regards,


Andrew Sullivan