Re: [DNSOP] NXDOMAIN and RFC 8020
Shumon Huque <shuque@gmail.com> Tue, 06 April 2021 18:48 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gHaTI6T7cpD_qRBhCxOvlLvuTkg>
On Tue, Apr 6, 2021 at 2:11 PM Murray S. Kucherawy <superuser@gmail.com> wrote:

> I'm wondering something about tree walks, which John Levine asked about in
> November, as it's a topic of interest to the evolution of DMARC.
>
> I've read RFC 8020 which says an NXDOMAIN cached for "foo.example" also
> covers later queries for "bar.foo.example". Makes sense.
>
> Can this be used (or maybe amended) to cover the queries if they come in
> the reverse order? For instance, if "bar.foo.example" arrives first, but
> the authoritative server can determine that the entire "foo.example" tree
> doesn't exist, could it reply with an NXDOMAIN for the question plus a
> cacheable indication about the entire tree instead of just the name that
> was in the question?
>

Yes, it can answer NXDOMAIN. Without DNSSEC, there is no current way to
provide an indication about the longest ancestor of the name that did exist.
With DNSSEC, the NSEC or NSEC3 records in the response can do this (as well
as providing cryptographic proof of this assertion with their signatures).

As mentioned by others, RFC8198 (which can be considered a superset of 8020
for signed zones) extends the semantics by allowing resolvers to infer
non-existence not only below the name, but for all names that fall in the
NSEC/NSEC3 spans.

Shumon.
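The NSEC-based inference described in the reply above, as an added example that is not part of the original message or of any resolver's code: given the NSEC record returned with one NXDOMAIN, it derives the closest existing ancestor and decides which later query names fall in the span. The zone names are constructed, the NSEC is assumed to be already DNSSEC-validated, and NSEC3, wildcard, delegation and DNAME checks are left out.

```python
# Added illustration; names and NSEC records below are constructed samples.
# Assumes the NSEC RRset has already been DNSSEC-validated by the caller.

def labels(name):
    """Canonical sort key (RFC 4034 sec. 6.1): lowercased labels, rightmost first."""
    return tuple(l.lower().encode() for l in reversed(name.rstrip(".").split(".")))

def is_subdomain(child, parent):
    c, p = labels(child), labels(parent)
    return c[:len(p)] == p

def nsec_denies(owner, nxt, qname):
    """True if the NSEC (owner -> nxt) proves qname does not exist."""
    o, n, q = labels(owner), labels(nxt), labels(qname)
    if o < n:
        in_span = o < q < n
    else:  # last NSEC in the zone: nxt is the apex
        in_span = q > o and is_subdomain(qname, nxt)
    # A covered name that is an ancestor of nxt is an empty non-terminal,
    # so it exists (NODATA) and must not be treated as NXDOMAIN.
    return in_span and not is_subdomain(nxt, qname)

def closest_encloser(owner, nxt, qname):
    """Longest existing ancestor of a covered qname: the deepest suffix it
    shares with either end of the covering NSEC."""
    q = labels(qname)
    def shared(other):
        k = 0
        for a, b in zip(q, labels(other)):
            if a != b:
                break
            k += 1
        return k
    k = max(shared(owner), shared(nxt))
    return ".".join(l.decode() for l in reversed(q[:k])) + "."

def infer(owner, nxt, names):
    """Which later queries can be answered NXDOMAIN from this one cached NSEC."""
    return {name: nsec_denies(owner, nxt, name) for name in names}

if __name__ == "__main__":
    # NSEC returned with the NXDOMAIN for bar.foo.example (constructed)
    owner, nxt = "alpha.example.", "mail.example."
    print(closest_encloser(owner, nxt, "bar.foo.example."))
    print(infer(owner, nxt, ["foo.example.", "_dmarc.foo.example.",
                             "golf.example.", "www.example."]))
```

Here `golf.example.` is denied even though it is not below `foo.example.`, which is the RFC 8198 extension over RFC 8020, while `www.example.` lies outside the span and still needs a query.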