[DNSOP] ENT and NXDOMAIN: the case of RFC 4035

Stephane Bortzmeyer <bortzmeyer@nic.fr> Sun, 25 September 2016 08:22 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 3128612B0EB for <dnsop@ietfa.amsl.com>; Sun, 25 Sep 2016 01:22:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id qI3keofEmpOK for <dnsop@ietfa.amsl.com>; Sun, 25 Sep 2016 01:22:53 -0700 (PDT)
Received: from mail.bortzmeyer.org (aetius.bortzmeyer.org [IPv6:2001:4b98:dc0:41:216:3eff:fece:1902]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21E4D12B0BE for <dnsop@ietf.org>; Sun, 25 Sep 2016 01:16:51 -0700 (PDT)
Received: by mail.bortzmeyer.org (Postfix, from userid 10) id 789A731CA6; Sun, 25 Sep 2016 10:16:48 +0200 (CEST)
Received: by godin (Postfix, from userid 1000) id 2C774EC0B6F; Sun, 25 Sep 2016 10:14:22 +0200 (CEST)
Date: Sun, 25 Sep 2016 10:14:22 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: dnsop@ietf.org
Message-ID: <20160925081422.GA6645@laperouse.bortzmeyer.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Transport: UUCP rules
X-Operating-System: Ubuntu 16.04 (xenial)
X-Charlie: Je suis Charlie
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/_eBxoCKAYQuUGwS4AAuTuS5WSRE>
Subject: [DNSOP] ENT and NXDOMAIN: the case of RFC 4035
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2016 08:22:54 -0000

[If you don't enjoy byzantine discussions, with a lot of
chapter-and-verse mentions of RFCs, please skip the thread.]

I've been directed recently to RFC 4035 and there is a question I would
like to ask about its handling of ENTs.

Section 3.1.3 says:

   No Data: The zone contains RRsets that exactly match <SNAME, SCLASS>
      but does not contain any RRsets that exactly match <SNAME, SCLASS,

   Name Error: The zone does not contain any RRsets that match <SNAME,
      SCLASS> either exactly or via wildcard name expansion.

The second item means that a "name error" (NXDOMAIN) is an appropriate
response for an ENT. It seems to contradict all recent RFCs.

Section mentions explicitely the ENT but just says to send
NSEC records, and does not mandate a specific error code (except in
its title, which is a bit ambiguous).

My gut feeling is that RFC 4035 is wrong. But I prefer to ask first:
how do you read it?