Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

Joe Abley <> Mon, 29 November 2021 19:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id ECA153A0851 for <>; Mon, 29 Nov 2021 11:48:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4tjw20inBmh2 for <>; Mon, 29 Nov 2021 11:48:18 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 08C3B3A0855 for <>; Mon, 29 Nov 2021 11:48:17 -0800 (PST)
Received: by with SMTP id m192so24199789qke.2 for <>; Mon, 29 Nov 2021 11:48:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=pYK9wcAOt131FuaYQVcx4j+HprJf4OFY76obawNBJZw=; b=b1Eiswchk2qsqzSUgYcHkNecFlMMiN/KIrllnD3OiXuNn1nOXWpLcVKyxbdFr08nGR oAmBAbqZVTVkDoZ3qT9dyv+CXrVy4RfTnju/8iUaJd9T/SSgshLZk/bab3qojwmUr1O8 XSMXX3ZmwdeNDGDErqDBJRK3xs2A1Zwl1I6sE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=pYK9wcAOt131FuaYQVcx4j+HprJf4OFY76obawNBJZw=; b=edyW8q9nSTf5GtVM/IgcX67no+SpcjtVQ/ifSvWIPMsLotNvozOJ9aJTRkfFX/kVzP 62TgQmY+Dl75erY9UIeFogUOwM+yw92lbfKK/0h8yqe+sgGtIiAlY+o8uMjO7prsOhVH oC3tDOP94LYnd8UbaPAQCiQDB8ueCRnDNWkZkK3/q1qHXkRtV5h2bTXrPdWa3S++LMNl gnu8i0Q2b8D52dItVAJ0Lqcp3QQHjceha+JttPmzzMJCmXd/nlU3o/YCIgKnOhbAcxxQ OaOW9cvvPhs5rcaR8SaZ+1sIFnh8caFYf3q9ZkhNn+IxaNujYBjKF4LlCLYcS9kPogii h4Lw==
X-Gm-Message-State: AOAM531LZxlHHzSYqrAtbIZDf28USeam5MK/UmfxmNuX+EcEjqK4crIk Zd8Tc0pgmaboIqZ9sY+JF42Mjs+LhKTDkJwd
X-Google-Smtp-Source: ABdhPJwNxOq00e3iA42RfriMMO3BsiLIxuKPnQz+frlgBLNKtrIMk1IAxlK/NFcAj5ELMFnSUsMHGA==
X-Received: by 2002:a05:620a:4006:: with SMTP id h6mr33798834qko.559.1638215296384; Mon, 29 Nov 2021 11:48:16 -0800 (PST)
Received: from ([2607:f2c0:e784:c7:4d66:cc6f:a9f3:1296]) by with ESMTPSA id u17sm8920716qki.2.2021. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 29 Nov 2021 11:48:15 -0800 (PST)
From: Joe Abley <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D60B9DE4-F59C-4769-BF68-F4577F97BBFD"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.\))
Date: Mon, 29 Nov 2021 14:48:14 -0500
In-Reply-To: <>
Cc: dnsop <>, RFC Errata System <>
To: Peter van Dijk <>
References: <> <> <>
X-Mailer: Apple Mail (2.3693.
Archived-At: <>
Subject: Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 29 Nov 2021 19:48:23 -0000

Hi Peter,

On 29 Nov 2021, at 14:25, Peter van Dijk <> wrote:

> On Mon, 2021-11-29 at 14:16 -0500, Paul Wouters wrote:
>> On Mon, 29 Nov 2021, RFC Errata System wrote:
>>> Original Text
>>> -------------
>>>  5.  Authoritative DNS Servers: Authoritative servers MUST respond to
>>>      queries for .onion with NXDOMAIN.
>>> Corrected Text
>>> --------------
>>>  5.  Authoritative DNS Servers: Authoritative servers MUST respond non-authoritatively to
>>>      queries for names in .onion.
>>> The original text for 5 and 6 is conflicting. A name server cannot respond with NXDOMAIN (which is an authoritative answer) without having a zone configured to serve that NXDOMAIN from. Clearly the intent of the text is that clients will not find authoritative answers to .onion queries anywhere in the DNS.
>> The corrected text does not describe what to return though. I guess the
>> text implies REFUSED, but perhaps the WG reasoned this was not good as
>> it would lead to more queries to other servers or instances of the
>> authoritative server set?
> Yes, it implies REFUSED. I was unsure REFUSED was standardised, or
> whether it is still a convention that almost all auths happen to
> follow. REFUSED would indeed lead to resolvers trying other auths
> (although that seems a bit theoretical - where did the resolver even
> come up with the idea to ask a bunch of auths about .onion names?).
> I also now realise that the root servers do not honour my new text, and
> their behaviour -is- correct, so perhaps:
> 5. Authoritative DNS Servers: Authoritative servers (other than the
> root servers) MUST respond non-authoritatively to queries for names in
> .onion.

Yes, the root servers respond with an authoritative name error for QNAMEs under .ONION. For them to do otherwise would arguably break the commitment they have made many times to serve precisely the root zone provided to them by the IANA.

I do see the problem that the proposed erratum is trying to address. However, I don't see much difference between clients of a resolver receiving a non-authoritative name error (e.g. a negative response from a root server that has been cached) vs. an authoritative name error (e.g. a negative response from a resolver that has been configured to answer in such a fashion). And I don't really see the point in any RFC suggesting that they can MUST operators into acting in any particular way, regardless of whether the servers they administer are acting as recursive or authoritative.

The idea of modifying the protocol to accommodate namespaces outside the DNS is causing me to throw up in my mouth a bit, to be honest. Perhaps the DNS could just concentrate on being the DNS and other namespaces can fight their own battles?