Re: [DNSOP] NXDOMAIN and RFC 8020

Shumon Huque <shuque@gmail.com> Tue, 06 April 2021 18:48 UTC

From: Shumon Huque <shuque@gmail.com>
Date: Tue, 06 Apr 2021 14:48:41 -0400
Message-ID: <CAHPuVdUHfc8+RiciDb2jyzfMbcZU--5VyKKg9ypGdTiMU__N8A@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gHaTI6T7cpD_qRBhCxOvlLvuTkg>

On Tue, Apr 6, 2021 at 2:11 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> I'm wondering something about tree walks, which John Levine asked about in
> November, as it's a topic of interest to the evolution of DMARC.
>
> I've read RFC 8020 which says an NXDOMAIN cached for "foo.example" also
> covers later queries for "bar.foo.example".  Makes sense.
>
> Can this be used (or maybe amended) to cover the queries if they come in
> the reverse order?  For instance, if "bar.foo.example" arrives first, but
> the authoritative server can determine that the entire "foo.example" tree
> doesn't exist, could it reply with an NXDOMAIN for the question plus a
> cacheable indication about the entire tree instead of just the name that
> was in the question?
>

Yes, it can answer NXDOMAIN.

Without DNSSEC, there is no current way to provide an indication about the
longest ancestor of the name that did exist. With DNSSEC, the NSEC or NSEC3
records in the response can do this (as well as providing cryptographic
proof of this assertion with their signatures).

As mentioned by others, RFC 8198 (which can be considered a superset of RFC 8020
for signed zones) extends the semantics by allowing resolvers to infer
non-existence not only below the name, but for all names that fall in the
NSEC/NSEC3 spans.

Shumon.
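The two inference rules discussed in this thread, as an added worked example that is not part of the original message or of any resolver's code: a toy negative cache that answers NXDOMAIN from a cached NXDOMAIN at an ancestor (RFC 8020) and from a cached, validated NSEC whose span covers the query name (RFC 8198). The names, type bitmaps and TTLs are constructed sample data; the `NegativeCache` class and its `lookup` return strings are this example's own invention, and NSEC3 (which needs hashing against the closest encloser) is deliberately left out. The delegation check follows the rule in RFC 6840 section 4.1 that an ancestor-delegation NSEC (NS set, SOA clear) must not be used to deny names below the delegation; treating a DNAME owner the same way is this example's own assumption.

```python
"""Toy negative cache implementing RFC 8020 (NXDOMAIN cut) and RFC 8198
(aggressive NSEC use).  Added example; sample data is constructed inline."""
import time
from typing import Dict, List, Optional, Set, Tuple


def norm(name: str) -> str:
    """Lowercase, strip the trailing dot: 'Foo.Example.' -> 'foo.example'."""
    return name.rstrip(".").lower()


def canonical_labels(name: str) -> List[bytes]:
    """Labels root-first, as octet strings, for RFC 4034 s6.1 ordering."""
    n = norm(name)
    return [l.encode("ascii") for l in reversed(n.split("."))] if n else []


def canonical_cmp(a: str, b: str) -> int:
    """Canonical DNS name ordering (RFC 4034 s6.1): compare label by label
    from the root; when one name is a prefix of the other, the shorter
    (the ancestor) sorts first.  Returns -1, 0 or 1."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def is_subdomain(name: str, ancestor: str) -> bool:
    """True if name equals ancestor or lies anywhere below it."""
    ln, la = canonical_labels(name), canonical_labels(ancestor)
    return len(ln) >= len(la) and ln[: len(la)] == la


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if qname falls strictly between owner and next in canonical
    order.  The zone's last NSEC points back at the apex, so when next
    sorts at or before owner the span wraps around the end of the zone."""
    after_owner = canonical_cmp(owner, qname) < 0
    before_next = canonical_cmp(qname, next_name) < 0
    if canonical_cmp(next_name, owner) <= 0:      # wrap-around span
        return after_owner or before_next
    return after_owner and before_next


class NegativeCache:
    def __init__(self) -> None:
        # RFC 8020: an NXDOMAIN at a name covers its whole subtree.
        self.nxdomain: Dict[str, float] = {}
        # RFC 8198: validated NSECs as (owner, next, type bitmap, expiry).
        self.nsec: List[Tuple[str, str, Set[str], float]] = []

    def add_nxdomain(self, name: str, ttl: int, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self.nxdomain[norm(name)] = now + ttl

    def add_nsec(self, owner: str, next_name: str, types: Set[str], ttl: int,
                 now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        self.nsec.append((norm(owner), norm(next_name), set(types), now + ttl))

    def lookup(self, qname: str, now: Optional[float] = None) -> Optional[str]:
        """Return which cached record lets us synthesize NXDOMAIN for qname,
        or None if the resolver has to ask upstream."""
        now = time.time() if now is None else now
        q = norm(qname)
        # RFC 8020: a cached NXDOMAIN at q or at any ancestor of q applies.
        # Note the asymmetry the thread asks about: a cached NXDOMAIN for
        # bar.foo.example says nothing about foo.example itself.
        for name, expiry in self.nxdomain.items():
            if expiry > now and is_subdomain(q, name):
                return f"rfc8020:{name}"
        # RFC 8198: any validated NSEC whose span covers q proves it absent,
        # whether q is below the owner or merely sorts between owner and next.
        for owner, nxt, types, expiry in self.nsec:
            if expiry <= now or not nsec_covers(owner, nxt, q):
                continue
            below_owner = is_subdomain(q, owner) and canonical_cmp(q, owner) != 0
            delegation = "NS" in types and "SOA" not in types
            # Names under a delegation live in the child zone (RFC 6840 s4.1);
            # names under a DNAME are redirected (assumption: treat the same).
            if below_owner and (delegation or "DNAME" in types):
                continue
            return f"rfc8198:{owner}..{nxt}"
        return None
```

`canonical_cmp` is the piece that is easy to get wrong: NSEC spans are defined over RFC 4034 canonical order (root label first, labels compared as lowercase octet strings, ancestor before descendant), not over the string order of the presentation-format names, and the last NSEC in a zone wraps back to the apex.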