IETF Logo Mail Archive

Re: [dnsext] perhaps we should reintroduce "resimprove"

Mark Andrews <marka@isc.org> Thu, 16 February 2012 01:24 UTC

Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B2A621E8033; Wed, 15 Feb 2012 17:24:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1329355476; bh=/eOZCAzNnvk4zej13GeV2+p+eoU5Xr5By7aV5PXgiNo=; h=To:From:References:In-reply-to:Date:Message-Id:Cc:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: MIME-Version:Content-Type:Content-Transfer-Encoding:Sender; b=XQ1Ij9pXBNsGTH39gQcA4pmcDeSmgITnm+CkyyMvXOgjzNyxMVu0APD5cBpDwO1OF E8lOgFEWWRxZuUnmFTRDSZaKfNPv8XBNpZgKipgcN7vfNjJsp7H+khim3gNEEwgLGV V9ahFgncsVOhU/D8KhrPLaREJwgdqeBulcXxVU1w=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED07821E8033 for <dnsext@ietfa.amsl.com>; Wed, 15 Feb 2012 17:24:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.54
X-Spam-Level:
X-Spam-Status: No, score=-2.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xgucvXY+mE77 for <dnsext@ietfa.amsl.com>; Wed, 15 Feb 2012 17:24:31 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 2A3AD21E800E for <dnsext@ietf.org>; Wed, 15 Feb 2012 17:24:31 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.ams1.isc.org (Postfix) with ESMTPS id AF7945F98B7; Thu, 16 Feb 2012 01:24:16 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:15e4:7811:3ea0:7a7]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 95078216C6A; Thu, 16 Feb 2012 01:24:14 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id 45BEF1D66273; Thu, 16 Feb 2012 12:24:10 +1100 (EST)
To: Mohan Parthasarathy <suruti94@gmail.com>
From: Mark Andrews <marka@isc.org>
References: <4F33E1A6.4030902@isc.org> <CACU5sDnS1L0Tyd4S38uU78nMDpuC8tBgYM+3jwrmFDCTBjMhDg@mail.gmail.com> <4F3C2AD6.900@isc.org> <CACU5sDnNUeSrW54AcodDF2MBiQP_rr2YmyFEbsqH5eAvCE5vrw@mail.gmail.com>
In-reply-to: Your message of "Wed, 15 Feb 2012 16:28:12 -0800." <CACU5sDnNUeSrW54AcodDF2MBiQP_rr2YmyFEbsqH5eAvCE5vrw@mail.gmail.com>
Date: Thu, 16 Feb 2012 12:24:10 +1100
Message-Id: <20120216012410.45BEF1D66273@drugs.dv.isc.org>
Cc: Paul Vixie <vixie@isc.org>, dnsext@ietf.org
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org

In message <CACU5sDnNUeSrW54AcodDF2MBiQP_rr2YmyFEbsqH5eAvCE5vrw@mail.gmail.com>,
 Mohan Parthasarathy writes:
> On Wed, Feb 15, 2012 at 1:59 PM, Paul Vixie <vixie@isc.org> wrote:
> > On 2/15/2012 8:11 PM, Mohan Parthasarathy wrote:
> >> On Thu, Feb 9, 2012 at 7:09 AM, paul vixie <vixie@isc.org> wrote:
> >>> ... i did not
> >>> agree that this was a problem since RBL DNS queries are always full
> >>> length (that is, for all octets or all nybbles of an inverted host
> >>> address) and since the DNSSEC specification clarified non-terminal names
> >>> as existing but empty.
> >>>
> >> RFC 4035, "3.1.3.2. =A0Including NSEC RRs: Name Error Response" has the
> >> following text towards the end:
> >>
> >> =A0 =A0Note that this form of response includes cases in which SNAME
> >> =A0 =A0corresponds to an empty non-terminal name within the zone (a name
> >> =A0 =A0that is not the owner name for any RRset but that is the parent n=
> ame
> >> =A0 =A0of one or more RRsets).
> >>
> >> I don't see anything clarified in the dnssec-bis-updates document
> >> regarding this. Could you clarify what you meant by "DNSSEC
> >> specification clarified non-terminal names as existing but empty" ?
> >
> > what i mean is hard to quote a chapter and verse for, but in dnssec if
> > an authority server receives a query for a domain name which is empty of
> > rrsets but has children, then the answer is NOERROR not NXDOMAIN, and
> > there is no need to provide the usual proofs (of no wild card and so on)
> > that would accompany an NXDOMAIN response.
> >
> > some dns implementations have been behaving this way for decades (BIND
> > for example). others have been returning NXDOMAIN under these
> > conditions. the original DNS spec didn't make either behaviour wrong. in
> > DNSSEC one way is right and the other way is wrong.
> >
> Ok. The problem is that RFC 4035, section 3.1.3.2, mentions about ENT
> under the name error response. That should be clarified in the
> dnssec-bis-updates document then.
> 
> -mohan
> 
> >
> > paul
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext

ENT exists in 1035.  The early DNSSEC RFC turned ENT into NXD by
say there were no *names* between the end points of the NSEC record.
4035 repaired that defect by saying there were no *records* between
the end points of the NSEC record.

As for the paragraph in question is is warning the ENT may exist
in the range covered by the NSEC record.  i.e. you can't assume
that because a name is in the range that NXD is correct.  You need
to do additional checks.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext

v2.23.0 | Report a Bug | By Email