Re: [DNSOP] Comment on section 2 of draft-ietf-dnsop-nxdomain-cut-05.txt

[Shumon Huque <shuque@gmail.com>]

On Wed, Sep 28, 2016 at 9:42 AM, Edward Lewis <edward.lewis@icann.org>
wrote:

> On 9/27/16, 18:46, "Matthew Pounsett" <matt@conundrum.com> wrote:
> >Would it be better then to leave early expiry as an implementation choice
>
> I think it comes down to implementer's choice.  The goal of the (IETF in
> general) documents is interoperability. Whether or not a cache chooses to
> keep the cached entries or remove them, or the way in which it chooses
> which of two (or more) valid answers to give doesn't impact
> interoperability.  So long as the response given is protocol-appropriate.
>
> The issue is, which response (of a set of possible responses) is correct
> is not definable within the DNS protocol.  So, there's no winner here.
>

I agree, and this seems entirely in keeping with the loosely coherent
distributed database model of the DNS.

[...]

>
> As far as DNSSEC, this only works with DNSSEC in place, right?  You need
> the missing span proofs or you are NXDOMAIN'ing entire zones, not just
> entire domains (within a zone).
>

The draft does not currently require DNSSEC. It's true that without DNSSEC,
the impact of a spoofed NXDOMAIN is much larger, and for this reason the
draft does mention that implementations could choose to deploy this
enhancement only for signed data (and some implementations have already
taken this route).

To be precise, I would say we are not necessarily always pruning out entire
zones. For a leaf zone, we are pruning all names within that zone below the
nxdomain-cut, modulo cached entries, i.e. a subset of the zone. But yes,
for non-leaf zones, all zones below too are pruned.

-- 
Shumon Huque