Re: [DNSOP] Fwd: Comments on draft-ietf-dnsop-qname-minimisation

Shumon Huque <shuque@gmail.com> Tue, 06 January 2015 15:49 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/cAB4kzjZoU5_sQ8xIEfeN08Lrz0

On Mon, Dec 29, 2014 at 5:22 PM, Brian Dickson <brian.peter.dickson@gmail.com> wrote:

>
> - Another thing to possibly call out is the behavior of some name servers
> when the QNAME is an Empty Non-Terminal, e.g. a non-zone-cut with a child,
> but no RRs at the owner name. I seem to recall something along those lines
> but don't recall details, e.g. which software, version, etc., has this
> issue.
>

Here's one example I'm familiar with (the website of my previous employer,
U of Penn, which uses the Akamai CDN):

$ ./test.py www.upenn.edu

>> Query: edu. A IN at zone .
>>        [Got Referral to zone: edu.]
>> Query: upenn.edu. A IN at zone edu.
>>        [Got Referral to zone: upenn.edu.]
>> Query: www.upenn.edu. A IN at zone upenn.edu.
www.upenn.edu. 300 IN CNAME www.upenn.edu-dscg.edgesuite.net.
>> Query: net. A IN at zone .
>>        [Got Referral to zone: net.]
>> Query: edgesuite.net. A IN at zone net.
>>        [Got Referral to zone: edgesuite.net.]
>> Query: edu-dscg.edgesuite.net. A IN at zone edgesuite.net.
ERROR: NXDOMAIN: edu-dscg.edgesuite.net. not found

www.upenn.edu is an alias for www.upenn.edu-dscg.edgesuite.net.  The Akamai
DNS server for zone edgesuite.net incorrectly responds with NXDOMAIN
(rather than NOERROR, empty answer) for the intermediate qname
"edu-dscg.edgesuite.net." and thus halts the resolution there. It also
provides NXDOMAIN at the next query name "upenn.edu-dscg.edgesuite.net.".

This seems to be the case with other Akamaized sites too, e.g. www.apple.com,
which goes through akadns.net. I'm assuming this will get fixed as qname
minimization gets deployed, but I'm wondering if anyone from Akamai can
comment on this behavior.

Shumon.
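To make the failure mode above concrete, here is an added simulation (not code from the post, the test.py script, or any Akamai software) of a qname-minimising resolver walking label by label below a zone apex. It uses a constructed edgesuite.net. zone holding only the www.upenn.edu-dscg record, so edu-dscg and upenn.edu-dscg are empty non-terminals; `ent_bug` reproduces the NXDOMAIN-for-ENT behaviour described, and `fallback` models the assumed resolver workaround of retrying the full qname when an intermediate query gets NXDOMAIN.

```python
# Constructed sample zone (assumed data, not real Akamai records).
ZONE = "edgesuite.net."
RECORDS = {
    "www.upenn.edu-dscg.edgesuite.net.": {"A": ["192.0.2.10"]},
}

def existing_names():
    """Owner names in the zone plus every empty non-terminal they imply."""
    names = {ZONE}
    for owner in RECORDS:
        labels = owner.rstrip(".").split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:]) + "."
            if name.endswith(ZONE):
                names.add(name)
    return names

def answer(qname, qtype, ent_bug=False):
    """Authoritative response as (rcode, rrset). With ent_bug=True an empty
    non-terminal is answered NXDOMAIN instead of NOERROR/empty (the bug)."""
    rrs = RECORDS.get(qname, {})
    if rrs:
        return "NOERROR", rrs.get(qtype, [])
    if qname in existing_names() and not ent_bug:
        return "NOERROR", []   # name exists but has no data at this owner
    return "NXDOMAIN", []

def minimised_lookup(qname, qtype="A", ent_bug=False, fallback=False):
    """Query one extra label per round trip, as a qname-minimising resolver
    does inside a zone. Returns (final_rcode, rrset, list_of_(name, rcode))."""
    if not qname.endswith(ZONE) or qname == ZONE:
        raise ValueError("qname must be strictly below " + ZONE)
    rel = qname[: -len(ZONE)].rstrip(".").split(".")
    queries = []
    rcode, rrs = "NOERROR", []
    for i in range(len(rel) - 1, -1, -1):
        name = ".".join(rel[i:]) + "." + ZONE
        rcode, rrs = answer(name, qtype, ent_bug)
        queries.append((name, rcode))
        if rcode == "NXDOMAIN":
            # Buggy server: resolution halts here unless the resolver
            # (assumed workaround) retries the full, un-minimised qname.
            if fallback and name != qname:
                rcode, rrs = answer(qname, qtype, ent_bug)
                queries.append((qname, rcode))
            break
    return rcode, rrs, queries
```

With a correct server the walk takes three queries and ends in NOERROR; with `ent_bug=True` it stops after the first NXDOMAIN, exactly as in the test.py trace, unless `fallback=True` rescues it with one extra full-name query.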