[DNSOP] Verifying errata 5316 against RFC1034.

Warren Kumari <warren@kumari.net> Sun, 01 April 2018 17:34 UTC

From: Warren Kumari <warren@kumari.net>
Date: Sun, 01 Apr 2018 13:33:17 -0400
Message-ID: <CAHw9_iJugi-bucEqLA=wsgf5J7C7BDN2zqHsNeHuckx2QAkpiw@mail.gmail.com>
To: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PFPRwLBE02SniDqaV6VaZ-Z4Uiw>
Subject: [DNSOP] Verifying errata 5316 against RFC1034.
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

Hi all,

We have this errata:
https://www.rfc-editor.org/verify_errata_select.php?eid=5316

The document as published says:
"A * label appearing in a query name has no special effect, but can be
used to test for wildcards in an authoritative zone; such a query is the
only way to get a response containing RRs with an owner name with * in
it.  The result of such a query should not be cached.

Note that the contents of the wildcard RRs are not modified when used to
synthesize RRs."

and the Notes in the Errata says:
"It is perfectly OK for an RR with a wildcard label '*' to be cached
as long as it's not used to synthesize any RRs on a caching resolver.
The DNS implementations BIND and Unbound both cache such RRsets with
wildcard label in the owner name."


Sure enough, BIND caches the answer (I must admit that this surprised
me) but should the errata be approved? When the document was
published, was the intent that wildcard records should NOT be allowed
to be cached?

Note that if behaviors have changed, and implementations should now
cache the record, then we need to document that in a -bis (or similar)
document.

I'm also somewhat confused about what caching the wildcard answer
*means* - if I have *.example.com cached and then get a query for
foo.example.com I still need to query for it (note that this is all
before DNSSEC / Aggressive NSEC / etc) and so what is the "use" of the
cached wildcard? AFAICT, searching for the wildcard itself is only
useful for debugging, so caching it seems wasteful at best.


Can folk help me understand what should happen with this errata?
W


-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
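To make concrete what the message above asks (what caching the wildcard answer "means"), here is an added Python model that is not part of the original thread: the authoritative side expands `*.example.com` into a synthesized answer for `foo.example.com` (RFC 1034 section 4.3.3, simplified: the closest-encloser rule is ignored), while the caching resolver stores whatever RRset it received under its exact owner name only, so a cached `*.example.com` RRset never answers `foo.example.com`. All names and addresses are constructed sample values.

```python
# Added model of the caching rule discussed in the errata thread. A resolver
# may cache an RRset whose owner name is literally "*.example.com" (returned
# only when the query name itself is that name), but it must never use that
# cached RRset to synthesize an answer for "foo.example.com": only the
# authoritative server expands wildcards. Names/addresses are constructed.
from dataclasses import dataclass


@dataclass
class RRset:
    owner: str
    rtype: str
    rdata: list[str]


class AuthoritativeZone:
    """Minimal authoritative zone that expands wildcards RFC 1034 style
    (simplified: the closest-encloser rule is not implemented)."""

    def __init__(self, rrsets):
        self.rrsets = {(r.owner, r.rtype): r for r in rrsets}

    def answer(self, qname, qtype):
        exact = self.rrsets.get((qname, qtype))
        if exact is not None:
            # Exact match; a "*" label in the query has no special effect,
            # so this is the only way the literal "*.example.com" RRset is
            # ever returned.
            return exact
        labels = qname.split(".")
        for i in range(1, len(labels)):
            wild = self.rrsets.get(("*." + ".".join(labels[i:]), qtype))
            if wild is not None:
                # Synthesized RR: owner rewritten to qname, rdata unchanged.
                return RRset(qname, qtype, list(wild.rdata))
        return None


class CachingResolver:
    """Cache keyed on the exact (owner, type) that was answered."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}
        self.upstream_queries = 0

    def resolve(self, qname, qtype):
        key = (qname, qtype)
        if key in self.cache:          # exact-name hit only, no synthesis
            return self.cache[key], True
        self.upstream_queries += 1
        rrset = self.upstream.answer(qname, qtype)
        if rrset is not None:
            self.cache[key] = rrset
        return rrset, False
```

Querying `*.example.com` fills the cache with the literal wildcard RRset, yet the following `foo.example.com` query still goes upstream; only a repeat of the same synthesized name is served from cache.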