Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

Paul Vixie <> Tue, 30 November 2021 15:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1AAC13A13BF for <>; Tue, 30 Nov 2021 07:43:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.951
X-Spam-Status: No, score=-3.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-1.852, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WeEXivoBe3Uy for <>; Tue, 30 Nov 2021 07:43:52 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 34A733A13BE for <>; Tue, 30 Nov 2021 07:43:49 -0800 (PST)
Received: from ( []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by (Postfix) with ESMTPS id C8C881B242A for <>; Tue, 30 Nov 2021 15:43:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=util; t=1638287026; bh=aR6KoKYYO2PLzBPH0Ei9PmbgcbjFRwzgQ2qm3XcS1w8=; h=Subject:To:References:From:Date:In-Reply-To; b=m3kIOjpeua2t/1rXAUfrqWB4r12iPI6x7MEWmTIiboaCWlCQnGx6wTNrCuHEnGyzb tGwghYUmKHEOciAuCzMXLpPCQQD9QBS6CRwdxF31zCthzgGLsQYWTWg8MR6iX+zW/B oPwmFDNheXBqpkD7iOFijWyzNGfNEwL9aptXOESU=
Received: from [IPv6:2001:559:8000:c9:3129:49f8:14c7:f25d] (unknown [IPv6:2001:559:8000:c9:3129:49f8:14c7:f25d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by (Postfix) with ESMTPSA id B20687597E for <>; Tue, 30 Nov 2021 15:43:46 +0000 (UTC)
References: <> <> <> <> <> <>
From: Paul Vixie <>
Message-ID: <>
Date: Tue, 30 Nov 2021 07:43:47 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.52
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 30 Nov 2021 15:43:58 -0000

libor.peltan wrote on 2021-11-30 01:11:
> ...
> I suggest to remove any specific errcode (NXDOMAIN, REFUSED) mentions 
> from such requirement. In the future, those errcodes and their names may 
> be altered. I quite like the Peter's original proposal, though any 
> wording can always be slightly improved. I don't dare to suggest any 
> wording though.

a query for example.onion or even "onion" has no business being sent to 
an authority server to which this domain has not been delegated. so 
there is a right answer and it is generally not NXDOMAIN since that 
would be a knowledge signal (end to end) and the server can have no 
knowledge. obviously the root servers have and can signal such knowledge 
so NXDOMAIN would be the right answer from them.

the right answer is likewise not REFUSED since that's a policy signal 
and we won't be asking that server implementers hard code "onion" or 
other special-use names, nor that server operators configure such names. 
there are too many servers, and the list of special-use domains will 
change over time. a policy signal for special-use names cannot scale. 
this also rules out "don't answer at all" which is also a policy signal.

for any non-root server, an RD=0 question for example.onion should be 
answered with SERVFAIL. this is a condition signal, and the condition is 
"since i'm hearing this query, someone thinks i'm holding a delegation, 
and i'm not, so i might be lame for some zone, so the server (me, this 
authority server) has failed."