Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

神明達哉 <jinmei@wide.ad.jp> Tue, 14 July 2015 17:00 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC4B21A0197 for <dnsop@ietfa.amsl.com>; Tue, 14 Jul 2015 10:00:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H3-KGE73HC3K for <dnsop@ietfa.amsl.com>; Tue, 14 Jul 2015 10:00:50 -0700 (PDT)
Received: from mail-ie0-x22a.google.com (mail-ie0-x22a.google.com [IPv6:2607:f8b0:4001:c03::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91DFE1A039B for <dnsop@ietf.org>; Tue, 14 Jul 2015 10:00:50 -0700 (PDT)
Received: by iecuq6 with SMTP id uq6so15736368iec.2 for <dnsop@ietf.org>; Tue, 14 Jul 2015 10:00:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=9aO1ETUUaUFC5tgi0ug4HqAVziEOjS+wU7mA2UhiN1w=; b=D0+jxhHBJubOBrAcrjxucgL24PJPIHI5L6W5/DpWquuxE8HXNvM7hUly6kKtn1Qovb mGk0GbmIcnkvzBu1CM4JsswPZ1dAYJsR4BVdo0jE6w9HwXXAmQH5QAn3L0MHWTaxLATo Hs+DekQt2uk1vTvce9PD09l3xJ4qzbp0YkAWsnznRzEmtOi9qLTCBnyuc0TkndjvhnoH HrYpyxacOtERGsXX5lImfAVh9SevdO+ORpUFMTM8g5NtdFX8yETz7xLw69ql75Z7CzFi G8J+0q8G18SWUuReLPQhCvQ26y2Oofy6qURdtgzarm89bUvRR3ko0FIzgHz0Rz8AVcD0 +1rg==
MIME-Version: 1.0
X-Received: by 10.50.142.98 with SMTP id rv2mr4769203igb.41.1436893249945; Tue, 14 Jul 2015 10:00:49 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.169.140 with HTTP; Tue, 14 Jul 2015 10:00:49 -0700 (PDT)
In-Reply-To: <CAHPuVdU-1e_7KPH9JdSvbPn-tYptaXbHrQvQz=UEv+QJdseJxw@mail.gmail.com>
References: <20150310.191541.52184726.fujiwara@jprs.co.jp> <20150707.182043.193693838.fujiwara@jprs.co.jp> <CAJE_bqcRQH0WGTaLqtMSuiOty4KHe9nN6T-wmqf3x_ohuA6TcA@mail.gmail.com> <CAHPuVdU-1e_7KPH9JdSvbPn-tYptaXbHrQvQz=UEv+QJdseJxw@mail.gmail.com>
Date: Tue, 14 Jul 2015 10:00:49 -0700
X-Google-Sender-Auth: lZiDoLpE8M3mvb6Dp1WwzHKMMjg
Message-ID: <CAJE_bqdAuOns+1tjsXpyEsoaYHtcHH+=HSThMcjhUEkCX0gGxw@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: shuque@gmail.com
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/iXNG3A4V_5J27K_4joTLZsytKz0>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jul 2015 17:00:51 -0000

At Mon, 13 Jul 2015 22:01:29 -0400,
Shumon Huque <shuque@gmail.com> wrote:

> > While I see what it tries to say and don't disagree with it, I think
> > this is not very accurate.  In fact, NXDOMAIN for "a.example.com" says
> > there is no such name *or any subdomain of it*.  So it would still be
> > usable to suppress unnecessary external query for, e.g.,
> > foo.a.example.com.
>
> That's indeed the literal meaning of NXDOMAIN, but it turns out most
> current resolver implementations don't treat it that way. The wording in
> RFC2308, Section 5 is not entirely precise, but it seems to say that
> negative answers should be cached only for the exact qname, and not
> (necessarily) for anything below it.

Ah, yes, thanks for pointing it out.  I don't know or didn't check
other resolver implementations, but BIND 9 certainly behaves that way.
I should have known this, but I guess I was confused about the
"meaning of NXDOMAIN", the behavior of authoritative server
implementations and the behavior of recursive server implementations.

> Regarding Section 5 (possible side effect on root servers), I wonder
> > about the implication of qname-minimization (which I expect will be
> > deployed much sooner than this proposal).  A resolver that supports
> > qname-minimization would first send a query to "local." to the root
> > server upon receiving a "foo.local" query, and cache the result of
> > NXDOMAIN for "local.".  It will suppress subsequent external queries
> > for any subdomain of it.
>
> Yes, this will certainly be a very beneficial result of qname minimization.

And the same remark should apply here, too.  We'd need "Stopping
Downward Cache Search on NXDOMAIN" in addition to qname minimization
for this to work.

--
JINMEI, Tatuya