Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

"libor.peltan" <> Tue, 30 November 2021 09:12 UTC

Date: Tue, 30 Nov 2021 10:11:53 +0100
From: "libor.peltan" <>
List-Id: IETF DNSOP WG mailing list <>

Hi John,
> If a query for a special use name, whether it's foo.onion or 
>, leaks to an authoritative server, NXDOMAIN is 
> the right answer.
Not really. First of all, the zone is a normal part of the DNS tree, 
and various authoritative servers (depending on the zone) answer it with 
proper delegations. Sure, is already an 
NXDOMAIN (according to the auth servers for , but no 
others!) since is a private address space.

On the other hand, the onion. zone does not exist in the DNS; therefore, the 
root servers (authoritative for ".") answer such queries with NXDOMAIN, 
whereas all other authoritative servers (for example, those authoritative for 
the zone) answer them with REFUSED, because it is out of their scope.

The requirement that all authoritative servers must answer onion. (or 
any subdomains) with NXDOMAIN does not make sense:
1) all (AFAIK) auth server implementations to date do not comply
2) it would be an unnecessary exceptional behavior, possibly confusing things
3) it would probably be in conflict with other DNS RFCs
4) it's not clear how such answers would be DNSSEC'ed

I suggest removing any mention of specific error codes (NXDOMAIN, REFUSED) 
from such a requirement. In the future, those error codes and their names may 
be altered. I quite like Peter's original proposal, though any 
wording can always be slightly improved. I don't dare to suggest any 
wording, though.
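The scope rule behind the NXDOMAIN-versus-REFUSED distinction made in this thread, as an added example that is not part of the mailing-list post (the server topology, zone names and delegation points are constructed sample data, not real DNS contents):

```python
from typing import Dict, Set

# Constructed sample topology: each server is authoritative for the zones in
# "zones" and holds the delegation points listed in "delegations".
SERVERS: Dict[str, Dict[str, Set[str]]] = {
    "root":         {"zones": {"."},              "delegations": {"arpa.", "example."}},
    "arpa-auth":    {"zones": {"in-addr.arpa."},  "delegations": {"192.in-addr.arpa."}},
    "example-auth": {"zones": {"example."},       "delegations": {"sub.example."}},
}


def _fqdn(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."


def _ancestors(name: str):
    """Yield name, its parent, ..., up to and including the root '.'."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def rcode(server: str, qname: str) -> str:
    """RCODE an authoritative server returns for qname in this model.

    1. No served zone encloses qname        -> REFUSED (out of the server's scope)
    2. qname is the apex of the served zone -> NOERROR
    3. qname sits at/under a delegation     -> NOERROR (referral to the child)
    4. otherwise the name does not exist    -> NXDOMAIN
    Only the root is authoritative for ".", so a leaked onion. query is
    NXDOMAIN there and REFUSED from every other authoritative server.
    """
    qname = _fqdn(qname)
    cfg = SERVERS[server]
    # closest enclosing zone this server serves, if any
    zone = next((a for a in _ancestors(qname) if a in cfg["zones"]), None)
    if zone is None:
        return "REFUSED"
    if qname == zone:
        return "NOERROR"
    for ancestor in _ancestors(qname):
        if ancestor == zone:
            break
        if ancestor in cfg["delegations"]:
            return "NOERROR"
    return "NXDOMAIN"
```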