Re: [dnsext] perhaps we should reintroduce "resimprove"

Paul Vixie <vixie@isc.org> Wed, 15 February 2012 22:00 UTC

Message-ID: <4F3C2AD6.900@isc.org>
Date: Wed, 15 Feb 2012 21:59:50 +0000
From: Paul Vixie <vixie@isc.org>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Mohan Parthasarathy <suruti94@gmail.com>
References: <4F33E1A6.4030902@isc.org> <CACU5sDnS1L0Tyd4S38uU78nMDpuC8tBgYM+3jwrmFDCTBjMhDg@mail.gmail.com>
In-Reply-To: <CACU5sDnS1L0Tyd4S38uU78nMDpuC8tBgYM+3jwrmFDCTBjMhDg@mail.gmail.com>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"

On 2/15/2012 8:11 PM, Mohan Parthasarathy wrote:
> On Thu, Feb 9, 2012 at 7:09 AM, paul vixie <vixie@isc.org> wrote:
>> ... i did not
>> agree that this was a problem since RBL DNS queries are always full
>> length (that is, for all octets or all nybbles of an inverted host
>> address) and since the DNSSEC specification clarified non-terminal names
>> as existing but empty.
>>
> RFC 4035, "3.1.3.2.  Including NSEC RRs: Name Error Response" has the
> following text towards the end:
>
>    Note that this form of response includes cases in which SNAME
>    corresponds to an empty non-terminal name within the zone (a name
>    that is not the owner name for any RRset but that is the parent name
>    of one or more RRsets).
>
> I don't see anything clarified in the dnssec-bis-updates document
> regarding this. Could you clarify what you meant by "DNSSEC
> specification clarified non-terminal names as existing but empty"?

what i mean is hard to quote a chapter and verse for, but in dnssec if
an authority server receives a query for a domain name which is empty of
rrsets but has children, then the answer is NOERROR not NXDOMAIN, and
there is no need to provide the usual proofs (of no wild card and so on)
that would accompany an NXDOMAIN response.

some dns implementations have been behaving this way for decades (BIND
for example). others have been returning NXDOMAIN under these
conditions. the original DNS spec didn't make either behaviour wrong. in
DNSSEC one way is right and the other way is wrong.

paul
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
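The distinction Paul draws above (a name that owns no RRsets but has children is an empty non-terminal and answers NOERROR with an empty answer; only a name with neither gets NXDOMAIN, and only the NXDOMAIN needs the closest-encloser and wildcard proofs) is easy to get wrong in an authoritative implementation. The following is an added example written for this archive page; it is not code from the thread, from ISC or from BIND. It models a tiny DNSBL-style zone whose data is constructed, assumes fully-qualified query names, assumes the zone contains no wildcard records, and reduces the DNSSEC proof selection to the NSEC records an NXDOMAIN or NODATA response would carry.

```python
# Added example (not from the original thread, ISC or BIND): a toy
# authoritative zone that answers NOERROR for an empty non-terminal (ENT)
# and NXDOMAIN, with the accompanying NSEC proofs, only for a name that
# neither owns RRsets nor has descendants.  Zone data below is constructed
# and the zone deliberately contains no wildcard owner names.

# Constructed DNSBL-style zone: listed address 192.0.2.4 appears as
# 4.2.0.192.bl.example. (reversed octets).  The intermediate names
# 192.bl.example., 0.192.bl.example. and 2.0.192.bl.example. own no RRsets,
# so they are empty non-terminals: they exist but are empty.
ORIGIN = "bl.example."
ZONE = {
    "bl.example.": {"SOA", "NS"},
    "4.2.0.192.bl.example.": {"A", "TXT"},
    "7.113.51.198.bl.example.": {"A"},
}


def key(name):
    """Canonical-order sort key (RFC 4034 s.6.1): labels compared right to left."""
    return tuple(label.lower() for label in reversed(name.rstrip(".").split(".")))


def in_zone(name):
    """True when name is the apex or a subdomain of it."""
    k, o = key(name), key(ORIGIN)
    return k[: len(o)] == o


def has_descendants(name):
    """True when some RRset owner in the zone is a proper subdomain of name."""
    k = key(name)
    return any(key(o)[: len(k)] == k and len(key(o)) > len(k) for o in ZONE)


def nsec_chain():
    """NSEC chain: every RRset owner points at the next owner in canonical order;
    ENTs own no NSEC record, they fall inside the interval of a neighbouring one."""
    owners = sorted(ZONE, key=key)
    return [(owners[i], owners[(i + 1) % len(owners)]) for i in range(len(owners))]


def covering_nsec(name):
    """The NSEC record whose (owner, next) interval spans name."""
    k = key(name)
    below = [rec for rec in nsec_chain() if key(rec[0]) < k]
    return max(below, key=lambda rec: key(rec[0]))


def closest_encloser(name):
    """Longest existing ancestor of name: an RRset owner or an empty non-terminal."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:]) + "."
        if ancestor in ZONE or has_descendants(ancestor):
            return ancestor
    raise ValueError("name is not below the zone apex")


def answer(qname):
    """Return (rcode, rrset types at qname, NSEC proofs) for a query of any type."""
    qname = qname.lower()
    if not in_zone(qname):
        return ("REFUSED", set(), [])
    if qname in ZONE:
        return ("NOERROR", ZONE[qname], [])
    if has_descendants(qname):
        # Empty non-terminal: the name exists, so NOERROR with an empty answer.
        # The only proof needed is the NSEC spanning the name (it owns no
        # RRsets); no closest-encloser or wildcard proof, since nothing is
        # being claimed not to exist.
        return ("NOERROR", set(), [covering_nsec(qname)])
    # Non-existent name: NXDOMAIN plus the NSEC covering qname and the NSEC
    # covering the wildcard at the closest encloser (proves no wildcard
    # expansion could have synthesised an answer).
    wildcard = "*." + closest_encloser(qname)
    proofs = list(dict.fromkeys([covering_nsec(qname), covering_nsec(wildcard)]))
    return ("NXDOMAIN", set(), proofs)


if __name__ == "__main__":
    for q in ("bl.example.", "2.0.192.bl.example.", "4.2.0.192.bl.example.",
              "9.2.0.192.bl.example.", "1.2.3.4.bl.example.", "example.com."):
        rcode, types, proofs = answer(q)
        print(f"{q:28} {rcode:8} types={sorted(types)} proofs={proofs}")
```

Running the block shows the behaviour the message describes: `2.0.192.bl.example.` owns nothing yet answers NOERROR with a single spanning NSEC, while `9.2.0.192.bl.example.` answers NXDOMAIN with two NSEC records, one covering the name and one covering `*.2.0.192.bl.example.`. A server that answered NXDOMAIN for the first case would be making the claim, signed, that the name does not exist even though `4.2.0.192.bl.example.` lives beneath it.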