Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-03.txt

Shumon Huque <shuque@gmail.com> Sun, 17 March 2024 20:57 UTC

References: <26102.24462.696376.343194@gro.dd.org> <20240317160745.A4ED8858A5F3@ary.qy>
In-Reply-To: <20240317160745.A4ED8858A5F3@ary.qy>
From: Shumon Huque <shuque@gmail.com>
Date: Sun, 17 Mar 2024 13:57:06 -0700
Message-ID: <CAHPuVdXgS00nJqpvr-dfWAKoUiA=vvSORBtNrGG5kyBSxrkByQ@mail.gmail.com>
To: John Levine <johnl@taugh.com>, tale@dd.org
Cc: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/lvoVmwIdSbGHgOkltXYDZTKJ1-k>
Subject: Re: [DNSOP] I-D Action: draft-ietf-dnsop-compact-denial-of-existence-03.txt

On Sun, Mar 17, 2024 at 9:08 AM John Levine <johnl@taugh.com> wrote:

> It appears that Dave Lawrence <tale@dd.org> said:
> >Stephane Bortzmeyer writes:
> >> > One current implementation does not differentiate DO=0 vs 1 and gives
> >> > the same NODATA answer for both cases.
> >>
> >> Yes. I see no practical problem with that but, from a philosophical
> >> point of view, it disturbs me. Naive clients may make wrong
> >> conclusions from the NODATA answer.
> >
> >Very much so, and not just naive programmatic clients but also
> >non-naive real-life human clients.  I myself have been misled by
> >noerror/nodata where nxdomain would have been correct.  It's
> >frustrating.
> >
> >nxdomain is usefully distinct and auth servers really ought to be
> >strongly encouraged to return it where applicable.
>
> We have an entire RFC 8020 about the difference and why it's important.
>

Yes, I agree with this of course.

Compact Denial intentionally broke the NXDOMAIN signal. One of the
main thrusts of this draft was to bring back the non-existence signal
in the form of an authenticable record in the payload.

The draft allows (but does not proscribe) NXDOMAIN to be inserted into
the Rcode for non-DNSSEC-enabled responses. I guess the main reason
for not being proscriptive was what I mentioned - there were deployments
in the field that didn't. But I'm amenable to tightening up the language if
there is consensus for it (and I'll also chat with the implementers). Since we
also support signaled restoration of the NXDOMAIN RCODE field for
DNSSEC-enabled queries, I'm persuaded that we should probably close this
divergence for non-DNSSEC too.

Shumon.
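As an added example of the client-side distinction this thread is about (not code from the draft, from any implementation, or from the participants): an RFC 4034 NSEC type-bitmap encoder/decoder and a classifier that treats a NOERROR compact-denial answer as NXDOMAIN only when the NSEC matching the query name carries the NXNAME pseudo-type. The NXNAME code point 128 is assumed from the draft's proposal; the sample names and bitmaps are constructed.

```python
"""Decide whether a negative answer under Compact Denial of Existence is really
NXDOMAIN. Added example; NXNAME = 128 is an assumption taken from the draft."""
import struct

RRSIG, NSEC = 46, 47       # RFC 4034 type codes
NXNAME = 128               # assumed pseudo-type code point (draft proposal)
NOERROR, NXDOMAIN = 0, 3   # RCODE values


def encode_type_bitmap(types):
    """Encode an NSEC type bitmap as RFC 4034 section 4.1.2 window blocks."""
    windows = {}
    for t in sorted(types):
        win, low = t >> 8, t & 0xFF
        block = windows.setdefault(win, bytearray(32))
        block[low >> 3] |= 0x80 >> (low & 7)
    out = b""
    for win in sorted(windows):
        block = windows[win]
        length = max(i + 1 for i, b in enumerate(block) if b)  # drop trailing zero octets
        out += struct.pack("BB", win, length) + bytes(block[:length])
    return out


def decode_type_bitmap(data):
    """Decode window blocks back into a sorted list of type codes; reject bad lengths."""
    types, pos = [], 0
    while pos < len(data):
        win, length = data[pos], data[pos + 1]
        if not 1 <= length <= 32 or pos + 2 + length > len(data):
            raise ValueError("malformed NSEC type bitmap window")
        for i, octet in enumerate(data[pos + 2:pos + 2 + length]):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    types.append((win << 8) | (i << 3) | bit)
        pos += 2 + length
    return types


def classify(rcode, do_bit, qname, nsec_owner, bitmap):
    """Return 'NXDOMAIN' or 'NODATA' for a negative response."""
    if rcode == NXDOMAIN:   # real RCODE present: DO=0, or DO=1 with signaled restoration
        return "NXDOMAIN"
    # Compact denial with DO=1: NOERROR on the wire, NXNAME in the NSEC matching qname
    if do_bit and nsec_owner.lower() == qname.lower() and NXNAME in decode_type_bitmap(bitmap):
        return "NXDOMAIN"
    return "NODATA"


def demo():
    """Constructed cases: DO=1 with NXNAME, DO=1 without it, and the ambiguous DO=0 NOERROR."""
    nx = encode_type_bitmap({RRSIG, NSEC, NXNAME})
    nodata = encode_type_bitmap({RRSIG, NSEC})
    q = "nope.example."
    return (classify(NOERROR, 1, q, q, nx), classify(NOERROR, 1, q, q, nodata),
            classify(NOERROR, 0, q, q, nx))
```

The third case in `demo()` is the situation the thread complains about: a DO=0 client handed NOERROR/NODATA has no way to recover the NXDOMAIN signal.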