Re: [DNSOP] [ I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

"Wessels, Duane" <> Thu, 12 November 2015 18:13 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7C2991B2C26 for <>; Thu, 12 Nov 2015 10:13:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N1p86xB3c1lc for <>; Thu, 12 Nov 2015 10:13:07 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4003:c06::263]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 569941B2C25 for <>; Thu, 12 Nov 2015 10:13:07 -0800 (PST)
Received: by oie188 with SMTP id 188so4078826oie.0 for <>; Thu, 12 Nov 2015 10:13:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :content-type:content-id:content-transfer-encoding:mime-version; bh=iyJvwajzrc+ys2a+NfHnNTy2gxVWTBrgmhwbLc+DsaE=; b=1yYzk8V7fqQxQ1iyWlrcfWyof6NE/J7l/QLPjDPv9sasgKsxgdMHI+Q4AxYfUjCSP7 1NxbySq8HDkhYexvGu3WxE2FdUYhsQ0xR9TEZ5yTWft37N3ZY1oRiZu8LB2IeBFyyNJo P6I/GLvLEg8e1ge7vfniaJWQaXhoVN0Ri+3YE8mvmPDg5o8k/ow9iLkc76VulW3i/Spe PyAip47ov/0sjmqYtb3e3dJT9F9QWfLHjcHtcuyl+MGEavckcRJ05Bmgm3L3Fb4DZEdi +3Il4e07DQGVZxgWS/6hC4FtpMzAQZhVdMR/gvyCi7mmDKn4/r2x2N1bpXri/Mg3RSzn +eKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:content-type:content-id:content-transfer-encoding :mime-version; bh=iyJvwajzrc+ys2a+NfHnNTy2gxVWTBrgmhwbLc+DsaE=; b=drck/dTK660YNQkm2ksF1EB9bpFQfq415QaF5fKAN2Noy0sWrCSMNxDelhf8ZG1zGC USw2wk8WiM2NHmW+f6mwvjk/aL2NPUhFDsXWgtHI+O7cN/GRdzvhmj6ATK+HowxAyxbo ZIm4DwP0GopOZZs1TjoOAt7Me8x93j+DxbO9SKdDI689fhPelxxuV9aAOeEoFkKKc6PH 1vyb9I9aWrBYSSvKuzCTy0PNuqW4Kwir+lFepI+UPE4JG2bd5VCk3/k1rjR3xUoGtgC2 /r4q9FaEGAxMnhESsDZjGoFSbSw8sXi1tV/WEoZTWI5IJuEW1QbnQCmUQubx9bWK1XA4 2stw==
X-Gm-Message-State: ALoCoQnxZVfT6JLDaDxd2zoHjEhZSGS1BYy7roWoQiLOZoN6Ii/qeB0TV04L/hhPSkHYrBSeV5kWY12PeFqz8M+s0xjEDLRg1A==
X-Received: by with SMTP id u78mr17671298qka.81.1447351986575; Thu, 12 Nov 2015 10:13:06 -0800 (PST)
Received: from ( []) by with ESMTPS id y123sm1201218qky.3.2015. (version=TLS1 cipher=AES128-SHA bits=128/128); Thu, 12 Nov 2015 10:13:06 -0800 (PST)
Received: from (brn1wnexchm01 []) by (8.13.8/8.13.8) with ESMTP id tACID6ID017936 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 12 Nov 2015 13:13:06 -0500
Received: from ([::1]) by ([::1]) with mapi id 14.03.0174.001; Thu, 12 Nov 2015 13:13:05 -0500
From: "Wessels, Duane" <>
To: Stephane Bortzmeyer <>
Thread-Topic: [ I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]
Thread-Index: AQHRHSKCSnkHaanoakiNL7gy0B1pvZ6ZBQ8A
Date: Thu, 12 Nov 2015 18:13:04 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>
Subject: Re: [DNSOP] [ I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 12 Nov 2015 18:13:09 -0000

> On Nov 12, 2015, at 12:15 AM, Stephane Bortzmeyer <> wrote:
> On Wed, Nov 11, 2015 at 01:15:37AM +0000,
> Wessels, Duane <> wrote 
> a message of 107 lines which said:
>> This updates RFC 2308 (Negative Caching of DNS Queries).
> Good point, I'll add that. Also, I did not dare to add "Updates: RFC
> 1034". Should I?

That I don't know.  Someone with more experience should probably answer.

>> I think the WG needs to discuss and agree whether or not to make the
>> NXDOMAIN cut based on QNAME only, or on the SOA owner name.
> This is discussed (shortly) in section 5 of the draft. Apparently, it
> can be risky to rely on the SOA. More discussion welcome.

As Mark pointed out, we can't use the SOA to make NXDOMAIN more aggressive.

For a name like and an NXDOMAIN response from
we can't assume that there would be a zone cut between foo and bar.  

>> I think its a little dangerous to say that an NXDOMAIN response
>> SHOULD cause a cache to delete already cached "positive" data.
> Could you elaborate why is it dangerous? (See also the second
> paragraph of section 7.)

I'm thinking of worst-case scenarios where, say, an entire TLD is purged
from the cache due to a spoofed response.  Or, could you imagine a spoofed
"NXDOMAIN ." response?

In addition to denying service for the purged domain, a large purge also
causes the resolver to do a lot of (possibly CPU intensive) work, and
could also affect the traffic levels between a recursive and authoritatives.

Perhaps a cache may want to limit the number of nodes/records that it deletes
per NXDOMAIN response.  Or perhaps it could be configured to not "bulk delete"
TLDs (or root).  

Perhaps a recursive might be designed to negatively cache an entire zone
(including TLD) but continue answering positively cached answers in the zone
until they expire normally.