Re: [dnsext] perhaps we should reintroduce "resimprove"

Mohan Parthasarathy <suruti94@gmail.com> Thu, 16 February 2012 18:59 UTC


On Wed, Feb 15, 2012 at 5:24 PM, Mark Andrews <marka@isc.org> wrote:
>
> In message <CACU5sDnNUeSrW54AcodDF2MBiQP_rr2YmyFEbsqH5eAvCE5vrw@mail.gmail.com>,
>  Mohan Parthasarathy writes:
>> On Wed, Feb 15, 2012 at 1:59 PM, Paul Vixie <vixie@isc.org> wrote:
>> > On 2/15/2012 8:11 PM, Mohan Parthasarathy wrote:
>> >> On Thu, Feb 9, 2012 at 7:09 AM, paul vixie <vixie@isc.org> wrote:
>> >>> ... i did not
>> >>> agree that this was a problem since RBL DNS queries are always full
>> >>> length (that is, for all octets or all nybbles of an inverted host
>> >>> address) and since the DNSSEC specification clarified non-terminal names
>> >>> as existing but empty.
>> >>>
>> >> RFC 4035, "3.1.3.2.  Including NSEC RRs: Name Error Response" has the
>> >> following text towards the end:
>> >>
>> >>    Note that this form of response includes cases in which SNAME
>> >>    corresponds to an empty non-terminal name within the zone (a name
>> >>    that is not the owner name for any RRset but that is the parent name
>> >>    of one or more RRsets).
>> >>
>> >> I don't see anything clarified in the dnssec-bis-updates document
>> >> regarding this. Could you clarify what you meant by "DNSSEC
>> >> specification clarified non-terminal names as existing but empty" ?
>> >
>> > what i mean is hard to quote a chapter and verse for, but in dnssec if
>> > an authority server receives a query for a domain name which is empty of
>> > rrsets but has children, then the answer is NOERROR not NXDOMAIN, and
>> > there is no need to provide the usual proofs (of no wild card and so on)
>> > that would accompany an NXDOMAIN response.
>> >
>> > some dns implementations have been behaving this way for decades (BIND
>> > for example). others have been returning NXDOMAIN under these
>> > conditions. the original DNS spec didn't make either behaviour wrong. in
>> > DNSSEC one way is right and the other way is wrong.
>> >
>> Ok. The problem is that RFC 4035, section 3.1.3.2, mentions ENT
>> under the name error response. That should be clarified in the
>> dnssec-bis-updates document then.
>>
>> -mohan
>>
>> >
>> > paul
>> _______________________________________________
>> dnsext mailing list
>> dnsext@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsext
>
> ENT exists in 1035.  The early DNSSEC RFC turned ENT into NXD by
> saying there were no *names* between the end points of the NSEC record.
> 4035 repaired that defect by saying there were no *records* between
> the end points of the NSEC record.
>
> As for the paragraph in question it is warning the ENT may exist
> in the range covered by the NSEC record.  i.e. you can't assume
> that because a name is in the range that NXD is correct.  You need
> to do additional checks.
>
Ok, but I can't see how the text that I quoted translates to this. I
would have expected to see some text for the NOERROR case. It looks
like someone proposed text for this case a long time back and it did not
make it to the draft.

http://fixunix.com/dns/57177-rfc4035-missing-text-empty-non-terminal-proof.html

Can't tell where this was proposed.

-mohan

> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
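
The point made in the quoted reply (a name falling inside an NSEC range is not by itself proof of NXDOMAIN, because an empty non-terminal can sit in that range), as an added example that is not part of the original message. The zone names, the `classify` function and its result labels are constructed for illustration; name ordering follows RFC 4034 section 6.1.

```python
# Added illustration; the zone below is constructed, not taken from the thread.
# Zone names with RRsets: example., a.example., c.b.example., z.example.
# b.example. owns no RRsets but has a child, so it is an empty non-terminal.

def canonical_key(name):
    """RFC 4034 section 6.1 order: labels compared right to left, lowercased."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode("ascii") for label in reversed(labels))

def is_strict_subdomain(child, parent):
    c, p = canonical_key(child), canonical_key(parent)
    return len(c) > len(p) and c[:len(p)] == p

def nsec_covers(owner, next_name, qname):
    """True if qname sorts strictly between owner and next_name."""
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if o < n:
        return o < q < n
    # Last NSEC in the chain: next_name wraps around to the zone apex.
    return q > o or q < n

def classify(owner, next_name, qname):
    """What a single NSEC record lets a validator conclude about qname."""
    if canonical_key(qname) == canonical_key(owner):
        return "EXISTS"        # NSEC owner name; consult its type bitmap
    if not nsec_covers(owner, next_name, qname):
        return "NOT_COVERED"   # this NSEC says nothing about qname
    if is_strict_subdomain(next_name, qname):
        return "ENT_NOERROR"   # next name lies below qname: qname exists, empty
    return "NO_SUCH_NAME"      # NXDOMAIN candidate; wildcard proof still required

# Constructed NSEC records (owner, next name) from the zone described above.
NSEC_A = ("a.example.", "c.b.example.")
NSEC_LAST = ("z.example.", "example.")

if __name__ == "__main__":
    # Both names fall inside the same NSEC range, with different answers.
    for q in ("b.example.", "ab.example."):
        print(q, classify(*NSEC_A, q))
```
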