Re: [DNSOP] Wildcard junk vs NXDOMAIN junk

Mark Andrews <marka@isc.org> Fri, 08 April 2022 00:21 UTC

From: Mark Andrews <marka@isc.org>
In-Reply-To: <0a5f3ac5-1901-28f5-c977-806d684710de@redbarn.org>
Date: Fri, 08 Apr 2022 10:21:48 +1000
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Message-Id: <E1ADC675-CA48-457C-B3B0-451879CAE7E3@isc.org>
References: <9355318d-a779-400f-9e3b-27b53fa3e9bf@iecc.com> <CAH1iCioHeP93Txqk=fO0z5UdPX5XmDsFs5GzggySTmEAJDRrcg@mail.gmail.com> <0a5f3ac5-1901-28f5-c977-806d684710de@redbarn.org>
To: Paul Vixie <paul=40redbarn.org@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/c-CmAAW9a2Hc8h8OdEoCUSEqPy8>
Subject: Re: [DNSOP] Wildcard junk vs NXDOMAIN junk


> On 8 Apr 2022, at 09:12, Paul Vixie <paul=40redbarn.org@dmarc.ietf.org> wrote:
> Brian Dickson wrote on 2022-04-07 14:26:
>> ...
>> However, that does provide motivation for (a) signing zones, and (b) resolvers doing validation with synthesis.
>> Together, those reduce (a) load on auth servers, and (b) cache pollution. Win/win.
> if those pigs had wings, they could indeed fly. (the motivation is asymmetric to the benefit, so this is like all other things dnssec related, and most things ipv6 related, and so on.)
> 
> wildcard synthesis should always have been resolver-side. now we live like this. a zero-length EDNS option with a name like REALWILD that asked the authority server to include *.example.com as an answer's owner name (rather than www.example.com by synthesis) is probably the way out of this hell.

Wildcard synthesis in the resolver only works if you have NSEC/NSEC3 records (or the equivalent) that show the
non-existence of the QNAME; otherwise the resolver would replace explicit data with synthesised data.  Real wildcard
+ covering NSEC/NSEC3 range would work.  Getting rid of OPTOUT would also help, as you can’t synthesise using an OPTOUT
NSEC3 record.  Zone operators can turn off OPTOUT today.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org
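The proof requirement described in the reply above, as an added example that is not part of the thread and is not ISC or BIND code. It models a DNSSEC-validated resolver cache that holds wildcard RRsets and NSEC records, and contrasts "naive" synthesis (expand a cached wildcard for any name not in the cache) with synthesis that first demands an NSEC covering the QNAME, derives the closest encloser from that NSEC, refuses Opt-Out spans, and never applies an NSEC outside the zone it was validated in. All names, addresses and the `Nsec.opt_out` flag (standing in for an NSEC3 record with Opt-Out set) are constructed for the example.

```python
"""Resolver-side wildcard synthesis modelled on the rules of RFC 4592 and
RFC 8198.  Constructed example: the cache holds only validated data, the names
and addresses are made up, and NSEC3 Opt-Out is modelled as a flag on plain
NSEC owner names rather than on hashed names."""
from dataclasses import dataclass


def labels(name):
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def canon_key(name):
    # RFC 4034 s6.1 canonical ordering: labels compared right to left,
    # bytewise, and a name sorts before every name below it.
    return tuple(label.encode() for label in reversed(labels(name)))


def in_zone(name, zone):
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


@dataclass
class Nsec:
    zone: str              # zone the record was validated in
    owner: str
    next: str
    opt_out: bool = False  # stands in for an NSEC3 record with Opt-Out set


def covers(nsec, qname):
    # An NSEC proves non-existence only for names inside its own zone.
    if not in_zone(qname, nsec.zone):
        return False
    o, n, q = canon_key(nsec.owner), canon_key(nsec.next), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps around to the apex


def closest_encloser(qname, nsec):
    # For an NSEC covering QNAME, the closest encloser is the longest common
    # ancestor of QNAME and the NSEC owner name.
    q, o = labels(qname), labels(nsec.owner)
    common = []
    while q and o and q[-1] == o[-1]:
        common.append(q.pop())
        o.pop()
    return ".".join(reversed(common)) + "."


class ValidatedCache:
    def __init__(self):
        self.rrsets = {}  # (owner, type) -> rdata list, all DNSSEC-validated
        self.nsecs = []

    def add_rrset(self, owner, rtype, rdata):
        self.rrsets[(owner.lower(), rtype)] = rdata

    def add_nsec(self, nsec):
        self.nsecs.append(nsec)

    def naive_synthesis(self, qname, rtype):
        """The failure mode the reply warns about: expand a cached wildcard for
        any name missing from the cache, with no proof the name is absent."""
        hit = self.rrsets.get((qname.lower(), rtype))
        if hit is not None:
            return ("cache", hit)
        parent = ".".join(labels(qname)[1:]) + "."
        wc = self.rrsets.get(("*." + parent, rtype))
        return ("synthesised", wc) if wc is not None else None

    def answer(self, qname, rtype):
        """Proof-based lookup: (source, rdata), or None when the resolver must
        ask the authoritative server."""
        hit = self.rrsets.get((qname.lower(), rtype))
        if hit is not None:
            return ("cache", hit)  # explicit data always wins
        proof = next((n for n in self.nsecs if covers(n, qname)), None)
        if proof is None or proof.opt_out:
            return None  # no proof of absence, or an Opt-Out span: no synthesis
        ce = closest_encloser(qname, proof)
        wc = self.rrsets.get(("*." + ce, rtype))
        if wc is not None:
            return ("synthesised", wc)  # wildcard RRset + covering NSEC
        if any(covers(n, "*." + ce) for n in self.nsecs):
            return ("nxdomain", [])  # RFC 8198 aggressive negative answer
        return None


def build_cache():
    """Constructed state after earlier queries for foo.example.com and
    sub.example.com: the wildcard expansion plus the NSECs that proved those
    two names do not exist.  www.example.com has explicit data at the
    authority but is not cached yet."""
    cache = ValidatedCache()
    cache.add_rrset("*.example.com.", "A", ["192.0.2.1"])
    cache.add_nsec(Nsec("example.com.", "*.example.com.", "mail.example.com."))
    cache.add_nsec(Nsec("example.com.", "mail.example.com.", "www.example.com."))
    return cache


if __name__ == "__main__":
    c = build_cache()
    for q in ("bar.example.com.", "deep.sub.example.com.", "www.example.com."):
        print(q, "naive:", c.naive_synthesis(q, "A"), "proof-based:", c.answer(q, "A"))
```

Note how `www.example.com.` separates the two policies: naive synthesis hands back the wildcard address although an explicit record exists upstream, while the proof-based path finds no NSEC covering the name (none can exist in a signed zone where the name is present) and falls through to the authority. The `in_zone` check matters for the wrap-around NSEC at the end of the chain, which would otherwise appear to "cover" every name in every other zone.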