Re: [DNSOP] [Ext] RCODE and CNAME chain

Donald Eastlake <d3e3e3@gmail.com> Wed, 05 April 2017 13:54 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/aXmG1HGtDIs9lctvfTzAUVyr9BY>

See RFC 6604.

Donald

from iPhone

On Wed, Apr 5, 2017 at 09:34 Edward Lewis <edward.lewis@icann.org> wrote:

> On 4/5/17, 01:43, "DNSOP on behalf of Mukund Sivaraman" <
> dnsop-bounces@ietf.org on behalf of muks@isc.org> wrote:
>
> >It seems BIND currently returns NXDOMAIN in this case, and the change in
> >behavior between looking-into-other-zones and
> >not-looking-into-other-zones in the nameserver algorithm caused a system
> >test failure, hence the question.
>
> I don't think there is one right answer.  There may be a more efficient
> answer (in terms of some metric).  The goal of the RFCs was
> interoperability, keep that in mind.
>
> You allude above to an implementation changing its behavior (answering
> from all available data vs. sticking to one zone).  This is not something
> that is explicitly dealt with in the original RFCs, perhaps in later ones.
> Both choices have merit, have downsides, still the two are interoperable.
> As far as the protocol matters, either is a valid choice, and one that
> influences whether the query in question results in NOERROR/CNAME chain or
> NXDOMAIN.
>
> In this case, I think you don't need to worry about the querier.  Rules
> seem to be explicit about caching responses here.
>
> If anything, make sure your test script is accurate.  (Back in the day of
> DNSSEC protocol/code development, 1 out of 3 times DNSSEC had a protocol
> bug, 1 out of 3 times it was a software bug, and 1 out of 3 times
> everything was right but the tester - me - was expecting the wrong result.)
>
-- 
Sent from Gmail Mobile
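
The two server behaviours discussed in the quoted message, together with the RFC 6604 rule that the RCODE is set by the last lookup in the chain, shown as an added example (not code from this thread or from BIND). The zone data and the names `find_zone` and `answer` are hypothetical, and the lookup ignores record types, wildcards and delegations.

```python
# Constructed zone data: all names are hypothetical, for illustration only.
NOERROR, NXDOMAIN = 0, 3
MAX_CHAIN = 8  # guard against CNAME loops

ZONES = {
    "example.com.": {
        "www.example.com.": ("CNAME", "host.example.net."),    # target does not exist
        "alias.example.com.": ("CNAME", "other.example.net."),  # target exists
    },
    "example.net.": {
        "other.example.net.": ("A", "192.0.2.1"),
    },
}

def find_zone(name):
    """Return the longest-matching zone apex held locally, or None."""
    matches = [z for z in ZONES if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None

def answer(qname, follow_other_zones):
    """Return (rcode, answer_section) for a query on qname.

    follow_other_zones=False: stop at a CNAME whose target leaves the zone
    that matched the query name.
    follow_other_zones=True: keep following into any zone held locally.
    The RCODE reflects the last lookup actually performed (RFC 6604).
    """
    start_zone = find_zone(qname)
    if start_zone is None:
        raise ValueError("not authoritative for " + qname)
    answers, name = [], qname
    for _ in range(MAX_CHAIN):
        zone = find_zone(name)
        if zone is None or (zone != start_zone and not follow_other_zones):
            return NOERROR, answers   # target not consulted: chain ends cleanly
        rr = ZONES[zone].get(name)
        if rr is None:
            return NXDOMAIN, answers  # final lookup failed: that error is the RCODE
        answers.append((name, *rr))
        if rr[0] != "CNAME":
            return NOERROR, answers
        name = rr[1]
    raise RuntimeError("CNAME chain too long")
```

A test script for this case has to know which of the two modes the server under test uses before asserting on the RCODE.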