Re: [DNSOP] Clarifying referrals (#35)

Andrew Sullivan <> Mon, 13 November 2017 03:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D11A6129415 for <>; Sun, 12 Nov 2017 19:27:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=LwzhBmJe; dkim=pass (1024-bit key) header.b=ACFrQGum
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id V8d2AC0Z7iXV for <>; Sun, 12 Nov 2017 19:27:25 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 17FA0129408 for <>; Sun, 12 Nov 2017 19:27:19 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6E259BF56B for <>; Mon, 13 Nov 2017 03:26:48 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1510543608; bh=Kbyy9+5GyEmvMKpzJ4haVadgbByQorYJXDyEwru/3HQ=; h=Date:From:To:Subject:References:In-Reply-To:From; b=LwzhBmJeX944+fyxVGpEqdcn8uxRk3MPg3R5OreS4Ogk2uJpCDuJcEVNJ1QMu5hdm Hm2zOyHGJ4tv0bWZBaN8KK3DEp3/5yEtVfD94eWjjwF8LjXCbXkw1xaH4ZBx7Y/MJc 2w/YFuE3mSnSLSKXoWSYbPH2TWr8UzphAp1wr/rU=
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uROe_fcIp8PO for <>; Mon, 13 Nov 2017 03:26:47 +0000 (UTC)
Date: Sun, 12 Nov 2017 22:26:41 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1510543607; bh=Kbyy9+5GyEmvMKpzJ4haVadgbByQorYJXDyEwru/3HQ=; h=Date:From:To:Subject:References:In-Reply-To:From; b=ACFrQGumoZUls8smIwgQxmPY1/GI2rlbmrZP1vaP1ib14a+mxtkV6vVzPJj0z912j 9Pba9BZeGlAPjZckLhqAHnkg3NzcNCtz4Akv8uzC5m4LZ2izWZl4Eu7OK9C1T+Xmts c85m9rnv/GjfgluTpkj89GNBEKfoyK5XqWl9MnHc=
From: Andrew Sullivan <>
Message-ID: <>
References: <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
Archived-At: <>
Subject: Re: [DNSOP] Clarifying referrals (#35)
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Nov 2017 03:27:33 -0000


This is quite a helpful response, thanks.  I wonder whether more of it
ought to go in discussion (or a new draft), however.  For I'm struck
by this:

On Sun, Nov 12, 2017 at 06:42:18PM -0800, Paul Vixie wrote:
> > always be generated using only local data, and either contains the
> > answer to the question or a referral to other name servers "closer" to
> > the desired information.
> the operative phrase is '"closer" to'. this is repeated in 4.3.1:

If I ask the authoritative server for about a name, in a graph-theoretic sense the NS RRset for the
root zone is clearly closer to than anything else I
can give.  So the upward referral doesn't seem prohibited by this at
all; on the contrary, it seems like a requirement.  Maybe I need to
read this again with better glasses.

The current approaches that people have for this are either NODATA
responses and REFUSED.  Only the latter seems obviously consistent
with the text, though I'm aware that there's controversy over using


Andrew Sullivan