Re: [dnsext] CNAME/DNAME and NXDOMAIN
Matthijs Mekking <matthijs@NLnetLabs.nl> Mon, 14 November 2011 10:42 UTC
Return-Path: <matthijs@nlnetlabs.nl>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A61411E8157 for <dnsext@ietfa.amsl.com>; Mon, 14 Nov 2011 02:42:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.6
X-Spam-Level:
X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lsVIHpfNgWnX for <dnsext@ietfa.amsl.com>; Mon, 14 Nov 2011 02:42:46 -0800 (PST)
Received: from open.nlnetlabs.nl (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]) by ietfa.amsl.com (Postfix) with ESMTP id A429711E8162 for <dnsext@ietf.org>; Mon, 14 Nov 2011 02:42:45 -0800 (PST)
Received: from [IPv6:2001:7b8:206:1:219:d1ff:feb1:85e8] (zoidberg.nlnetlabs.nl [IPv6:2001:7b8:206:1:219:d1ff:feb1:85e8]) (authenticated bits=0) by open.nlnetlabs.nl (8.14.4/8.14.4) with ESMTP id pAEAghTF028758; Mon, 14 Nov 2011 11:42:44 +0100 (CET) (envelope-from matthijs@nlnetlabs.nl)
Message-ID: <4EC0F0A3.1090501@nlnetlabs.nl>
Date: Mon, 14 Nov 2011 11:42:43 +0100
From: Matthijs Mekking <matthijs@NLnetLabs.nl>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.23) Gecko/20110922 Thunderbird/3.1.15
MIME-Version: 1.0
To: Mark Andrews <marka@isc.org>
References: <a06240803cad9af9e1e04@[192.168.128.112]> <20111104231715.AA38F16AD6F6@drugs.dv.isc.org>
In-Reply-To: <20111104231715.AA38F16AD6F6@drugs.dv.isc.org>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (open.nlnetlabs.nl [IPv6:2001:7b8:206:1::1]); Mon, 14 Nov 2011 11:42:44 +0100 (CET)
Cc: Edward Lewis <Ed.Lewis@neustar.biz>, dnsext@ietf.org
Subject: Re: [dnsext] CNAME/DNAME and NXDOMAIN
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Nov 2011 10:42:46 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/05/2011 12:17 AM, Mark Andrews wrote: > > Both answers are self consistant and neither should cause a problem. > > Following CNAME records, when not recursing for the client, is a > security issue as the target of the CNAME may not be delegated to > the same machine leading to potential, accidental, cache poisioning. An authoritative server should follow CNAME records while the target is actually being served. If it is delegated to another machine, you return the chain of CNAMEs until then. The recursive name server can continue recursing. > We (ISC) have looked at not following CNAME records when generating > such replies. We already discard the rest of the response and > requery for the target of the CNAME. So you would query the same machine, despite that server is giving you a chain? Refocusing on Ed Lewis initial question, regarding the RCODE. One server is giving NXDOMAIN, the other NOERROR. Given the fact that CNAME records where followed, the status code should not be switched to NXDOMAIN. This is conform the server algorithm in RFC2672. Also, it was questioned if this should be changed in the dname-bis document: http://www.ietf.org/mail-archive/web/dnsext/current/msg09224.html Although the response was minimal, the suggestion was to make no change. For NSD, because it is not considered an NXDOMAIN response (following step 3c of the server algorithm), the SOA record is not added to the Authority Section. Though, the target does not exist, so the NSEC3 records are still added. I don't know if adding the NSEC3 records is the right thing to do, I seem to be unable to find the text what to do in this specific case. Although, both NSD and BIND seem to be in some sort of agreement that the records are needed. Best regards, Matthijs -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJOwPCjAAoJEA8yVCPsQCW5PjwIAKB5FYDCBkGgml/o2EoKyxDw KY4cSquPk2u7JAN3GBW3Q5v2xU+6vATg/JrYjDmKjTH+IElT2lmoNVKRNe5C42/i 4UvoyIwMgF9LIVp0pnaPLE1RaGyCurqVkQiFZ7OqNtmB5rLzncXMYAtc2fKQfnYQ oiNsjaKGHoVcJAmYBQHQ26Y+FwL8kD8PELVBU666jkOJQp2S1xQhqxgzfzOswUtS 7cXkob79yTC4BgB/Fqmdfyt326In+jstpfYE3vAnmfpvaKzOYYp7pnX56k54YC7x 39sZoum9njlxSShLTCEWGR7eUL7TlyZIVgwWh7xUE01hUwDxbk/uazTLZAZC2xQ= =2W0Q -----END PGP SIGNATURE-----
- [dnsext] CNAME/DNAME and NXDOMAIN Edward Lewis
- Re: [dnsext] CNAME/DNAME and NXDOMAIN Mark Andrews
- Re: [dnsext] CNAME/DNAME and NXDOMAIN Matthijs Mekking
- Re: [dnsext] CNAME/DNAME and NXDOMAIN Evan Hunt
- Re: [dnsext] CNAME/DNAME and NXDOMAIN Nicholas Weaver