Re: [DNSOP] [Technical Errata Reported] RFC7686 (6761)

Peter van Dijk <peter.van.dijk@powerdns.com> Fri, 17 June 2022 13:09 UTC

Message-ID: <b1847b9a64a14fd78bcedf7289d75045e004b3ce.camel@powerdns.com>
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dnsop <dnsop@ietf.org>, RFC Errata System <rfc-editor@rfc-editor.org>
Date: Fri, 17 Jun 2022 15:02:58 +0200
In-Reply-To: <YaZWlevhnYT1ABCu@mycre.ws>
References: <20211129190711.E4E9B36417@rfc-editor.org> <19c96ba9-a582-a24-b73-8e86a08c7b68@nohats.ca> <794d45f4b9093a019b94aee4730161d358b5ba79.camel@powerdns.com> <YaZWlevhnYT1ABCu@mycre.ws>
Organization: PowerDNS.COM B.V.
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/b_DqLEYX_k6BTfcn_eATIzV4GFY>
Subject: Re: [DNSOP] [Technical Errata Reported] RFC7686 (6761)

Hello Robert,

On Tue, 2021-11-30 at 11:51 -0500, Robert Edmonds wrote:
> If the goal is to avoid mandating extra code paths in typical
> authoritative servers

To me, this indeed is the goal.

> , I would suggest something like the following
> which narrowly answers only the questions asked in 6761 ("Are developers
> of authoritative domain name servers expected to make their
> implementations recognize these names as special and treat them
> differently?  If so, how?"):
> 
> Original Text
> -------------
>    5.  Authoritative DNS Servers: Authoritative servers MUST respond to
>        queries for .onion with NXDOMAIN.
> 
> Corrected Text
> --------------
>    5.  Authoritative DNS Servers: Authoritative servers SHOULD NOT
>        recognize .onion names as special and MUST NOT treat queries for
>        .onion names differently from other queries.

I like this.

> Splitting the "recognize ... treat" conjunction between "SHOULD NOT"
> and "MUST NOT" would, for instance, allow an authoritative server to
> log a warning message if an operator intentionally configured an
> "onion." zone in the server.
> 
> A slight expansion of the text might read:
> 
> Corrected Text
> --------------
>    5.  Authoritative DNS Servers: Authoritative servers SHOULD NOT
>        recognize .onion names as special and MUST NOT treat queries for
>        .onion names differently from other queries.  By default,
>        authoritative servers MUST NOT respond authoritatively to
>        queries for .onion names.

I like this even more.

> The "By default" qualifier covers the case of a non-default
> configuration (such as being configured to serve the root zone) where an
> authoritative server would need to respond authoritatively for .onion
> names.

Perfect.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
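As an added illustration that is not part of the thread above, here is a small Python model of an authoritative server's query handling under the published RFC 7686 text (a dedicated .onion code path returning NXDOMAIN) versus the erratum text Robert proposed (no special recognition; the ordinary zone lookup decides). The zone data is constructed, and REFUSED is assumed as the server's non-authoritative response for names outside every configured zone.

```python
"""Model of authoritative .onion handling: published text vs. erratum text.
Constructed example; zone contents are made up for the illustration."""
from dataclasses import dataclass

# Zone store: zone apex -> owner names that exist in that zone (constructed).
ZONES_DEFAULT = {"example.com.": {"example.com.", "www.example.com."}}
# Non-default configuration: the same server also serves the root zone.
ZONES_ROOT_SERVER = {".": {".", "com.", "net."}, **ZONES_DEFAULT}
# Operator intentionally configured an "onion." zone (the log-warning case).
ZONES_OPERATOR_ONION = {"onion.": {"onion.", "foo.onion."}, **ZONES_DEFAULT}


@dataclass(frozen=True)
class Response:
    rcode: str  # "NOERROR", "NXDOMAIN" or "REFUSED"
    aa: bool    # Authoritative Answer flag


def _closest_zone(qname, zones):
    """Longest-suffix match of the query name against configured zone apexes."""
    labels = [] if qname == "." else qname.rstrip(".").split(".")
    candidates = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels))]
    best = None
    for apex in candidates:
        if apex in zones and (best is None or len(apex) > len(best)):
            best = apex
    return best


def generic_lookup(qname, zones):
    """The ordinary code path: every query name is handled the same way."""
    apex = _closest_zone(qname, zones)
    if apex is None:
        return Response("REFUSED", aa=False)  # not authoritative for this name
    if qname in zones[apex]:
        return Response("NOERROR", aa=True)
    return Response("NXDOMAIN", aa=True)     # name is below our apex but absent


def answer_original(qname, zones):
    """RFC 7686 item 5 as published: .onion gets its own code path."""
    if qname == "onion." or qname.endswith(".onion."):
        return Response("NXDOMAIN", aa=True)  # overrides any configured zone
    return generic_lookup(qname, zones)


def answer_erratum(qname, zones):
    """Erratum text: no special recognition, no different treatment."""
    return generic_lookup(qname, zones)
```

With the default configuration the erratum path yields a non-authoritative REFUSED for foo.onion., which satisfies the "By default ... MUST NOT respond authoritatively" clause, while the root-server configuration yields an authoritative NXDOMAIN from the root zone, the non-default case the qualifier exists for.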