Re: [DNSOP] Comment on section 2 of draft-ietf-dnsop-nxdomain-cut-05.txt

Shumon Huque <shuque@gmail.com> Tue, 27 September 2016 19:10 UTC

In-Reply-To: <d1da7014063b4525a25502408d9fbdc1@SC58MEXGP032.CORP.CHARTERCOM.com>
References: <29B4A430-80C7-44C8-A6FA-54A1560D3FD7@icann.org> <20160927004928.22EAE5515C31@rock.dv.isc.org> <89B42AE2-0377-42A4-B943-E65C52B7CB55@icann.org> <CAHPuVdVneekn9NL_u72KFk7aFQ8uWLkUDqAaW9c46SG-KDVuMg@mail.gmail.com> <d1da7014063b4525a25502408d9fbdc1@SC58MEXGP032.CORP.CHARTERCOM.com>
From: Shumon Huque <shuque@gmail.com>
Date: Tue, 27 Sep 2016 15:10:15 -0400
Message-ID: <CAHPuVdVV_fqaiMuLuFKudFaT=FXTKE57+aYuf_HS+x-0OkOk0g@mail.gmail.com>
To: "White, Andrew" <Andrew.White2@charter.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/c2xvlygPEWNDAPWVe6WRS8mYwag>
Cc: Edward Lewis <edward.lewis@icann.org>, "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] Comment on section 2 of draft-ietf-dnsop-nxdomain-cut-05.txt

On Tue, Sep 27, 2016 at 2:48 PM, White, Andrew <Andrew.White2@charter.com>
wrote:

> Hi Shumon,
>
> What about this?
>
> # When an iterative caching DNS resolver receives a response with RCODE
> # being NXDOMAIN, the resolver SHOULD store the response in its (negative)
> # cache.  During the time the response is cached, any query with a QNAME at
> # or descended from the denied name that is not otherwise cached
> # (positively), can be assumed to result in a name error.  Responses to
> # those queries SHOULD set RCODE=NXDOMAIN (using the DNSSEC records cached
> # as proof).
>
> When an iterative caching DNS resolver receives a query response with
> RCODE as NXDOMAIN, the resolver should store the NXDOMAIN response in cache.
> During the time that this response is cached, any query with a QNAME at or
> descended from the query that resulted in NXDOMAIN and that is not already
> in cache can be assumed to result in a name error. Responses to such
> queries SHOULD respond with RCODE as NXDOMAIN using DNSSEC records from
> cache as proof.
>
> Andrew
>

Andrew - this looks very similar to Ed's rewrite.

The problem I see with both is that it says to reply with NXDOMAIN for all
names at or below the cut, except for RRsets already positively cached. But
the current draft also allows resolvers to immediately invalidate cached
entries below the cut and also return NXDOMAIN for them. Your rewrite
appears to remove (or at least not mention) that possibility.

-- 
Shumon Huque
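The two cache behaviours contrasted in the reply above (answer NXDOMAIN for names at or below the cut while keeping positively cached RRsets, versus also invalidating cached entries below the cut) as an added toy model in Python; this is not code from the draft or from any resolver, and the names and address used are constructed.

```python
# Toy "NXDOMAIN cut" cache: an added illustration, not code from the draft or a real resolver.
from dataclasses import dataclass, field

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def at_or_below(qname, cut):
    """True if qname equals cut or is a descendant of it, compared label by label."""
    q, c = labels(qname), labels(cut)
    return len(q) >= len(c) and q[len(q) - len(c):] == c

@dataclass
class Resolver:
    # Policy the draft also permits, per the reply above: purge cached RRsets under the cut.
    invalidate_below_cut: bool = False
    positive: dict = field(default_factory=dict)  # (qname, qtype) -> rdata
    negative: set = field(default_factory=set)    # names with a cached NXDOMAIN

    def learn_positive(self, name, qtype, rdata):
        self.positive[(name.lower(), qtype)] = rdata

    def learn_nxdomain(self, name):
        self.negative.add(name.lower())
        if self.invalidate_below_cut:
            for key in [k for k in self.positive if at_or_below(k[0], name)]:
                del self.positive[key]

    def lookup(self, qname, qtype):
        """Returns 'NOERROR', 'NXDOMAIN' (synthesised from the cut) or 'MISS' (must recurse)."""
        if (qname.lower(), qtype) in self.positive:
            return "NOERROR"          # a positively cached RRset wins under both wordings
        if any(at_or_below(qname, cut) for cut in self.negative):
            return "NXDOMAIN"
        return "MISS"

def demo(invalidate_below_cut):
    """Constructed scenario: www.a.example was cached before a.example returned NXDOMAIN."""
    r = Resolver(invalidate_below_cut)
    r.learn_positive("www.a.example", "A", "192.0.2.1")
    r.learn_nxdomain("a.example")
    return tuple(r.lookup(n, t) for n, t in
                 [("www.a.example", "A"), ("ftp.a.example", "A"),
                  ("a.example", "AAAA"), ("b.example", "A")])
```

Only the first lookup differs between the two policies: the rewrite quoted above keeps the positively cached `www.a.example`, whereas the invalidation option returns NXDOMAIN for it as well.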