For those who want to play with the zone cuts (finding them is
necessary for qname minimisation), here is a simple implementation of
appendix A of draft-ietf-dnsop-qname-minimisation-01:

https://github.com/bortzmeyer/my-IETF-work/blob/master/draft-ietf-dnsop-qname-minimisation/zonecut.go

Implemented in France, so I can safely ignore
<http://datatracker.ietf.org/ipr/2542/> (see
<http://en.wikipedia.org/wiki/Software_patents_under_the_European_Patent_Convention>)

This code implements the "aggressive" strategy (the most
privacy-efficient) of section 2 of
draft-ietf-dnsop-qname-minimisation-01.

Here are some interesting examples. Remember that this ultra-simple
program has no cache at all so it is the equivalent of a cold
resolver. First, a trivial case, www.icann.org:

% ./zonecut -q=1 -v  www.icann.org
Searching 1 for www.icann.org.

Zone cut at "."
Querying type 2 for name org. at server k.root-servers.net
Result for "org.": Referral(s)

Zone cut at "org."
Querying type 2 for name icann.org. at server d0.org.afilias-nst.org.
Result for "icann.org.": Referral(s)

Zone cut at "icann.org."
Querying type 2 for name www.icann.org. at server a.iana-servers.net.
Result for "www.icann.org.": Answer(s)
Querying type 1 for name www.icann.org. at server a.iana-servers.net.
Final result: [www.icann.org.   21600   IN      CNAME   www.vip.icann.org.]



Here, a case where there is a domain which is not a zone (gouv.fr):

% ./zonecut -q=1 -v  www.ssi.gouv.fr
Searching 1 for www.ssi.gouv.fr.

Zone cut at "."
Querying type 2 for name fr. at server k.root-servers.net
Result for "fr.": Referral(s)

Zone cut at "fr."
Querying type 2 for name gouv.fr. at server g.ext.nic.fr.
Result for "gouv.fr.": Referral(s)
Querying type 2 for name ssi.gouv.fr. at server g.ext.nic.fr.
Result for "ssi.gouv.fr.": Referral(s)

Zone cut at "ssi.gouv.fr."
Querying type 2 for name www.ssi.gouv.fr. at server dns1.ssi.gouv.fr.
Result for "www.ssi.gouv.fr.": Referral(s)
Querying type 1 for name www.ssi.gouv.fr. at server dns1.ssi.gouv.fr.
Final result: [www.ssi.gouv.fr. 300     IN      A       213.56.166.109]



This is of course much more common in arpa domains:

% ./zonecut -q=12 -v 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa
Searching 12 for 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.

Zone cut at "."
Querying type 2 for name arpa. at server k.root-servers.net
Result for "arpa.": Answer(s)

Zone cut at "arpa."
Querying type 2 for name ip6.arpa. at server m.root-servers.net.
Result for "ip6.arpa.": Referral(s)

Zone cut at "ip6.arpa."
Querying type 2 for name 2.ip6.arpa. at server e.ip6-servers.arpa.
Result for "2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.2.ip6.arpa. at server e.ip6-servers.arpa.
Result for "0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.2.ip6.arpa. at server e.ip6-servers.arpa.
Result for "0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 1.0.0.2.ip6.arpa. at server e.ip6-servers.arpa.
Result for "1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.1.0.0.2.ip6.arpa. at server e.ip6-servers.arpa.
Result for "0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 6.0.1.0.0.2.ip6.arpa. at server e.ip6-servers.arpa.
Result for "6.0.1.0.0.2.ip6.arpa.": Answer(s)

Zone cut at "6.0.1.0.0.2.ip6.arpa."
Querying type 2 for name 7.6.0.1.0.0.2.ip6.arpa. at server ns3.nic.fr.
Result for "7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name c.7.6.0.1.0.0.2.ip6.arpa. at server ns3.nic.fr.
Result for "c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns3.nic.fr.
Result for "2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns3.nic.fr.
Result for "2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns3.nic.fr.
Result for "1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns3.nic.fr.
Result for "8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Answer(s)

Zone cut at "8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa."
Querying type 2 for name 0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 2 for name 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Result for "5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.": Referral(s)
Querying type 12 for name 5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa. at server ns2.nic.fr.
Final result: [5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.8.1.2.2.c.7.6.0.1.0.0.2.ip6.arpa.        600     IN      PTR     web01.nic.fr.]




The algorithm may work with broken name servers. Here, the name
servers of www.ratp.fr do not properly reply to NS domains, but the
program does not query them for qtype=NS if it has arrived at the leaf:

% ./zonecut -q=1 -v  www.ratp.fr   
Searching 1 for www.ratp.fr.

Zone cut at "."
Querying type 2 for name fr. at server k.root-servers.net
Result for "fr.": Referral(s)

Zone cut at "fr."
Querying type 2 for name ratp.fr. at server g.ext.nic.fr.
Result for "ratp.fr.": Referral(s)

Zone cut at "ratp.fr."
Querying type 2 for name www.ratp.fr. at server indom30.indomco.fr.
Result for "www.ratp.fr.": Answer(s)

Zone cut at "www.ratp.fr."
Querying type 1 for name www.ratp.fr. at server lbns2.ratp.fr.
Final result: [www.ratp.fr.     30      IN      A       195.200.228.10 
www.ratp.fr.     30      IN      A       195.200.228.170]


On the other hand, it fails here, where a broken name server replies
NXDOMAIN for an ENT:

% ./zonecut -q=1 -v  cdn.cdn-tech.com.c.footprint.net
Searching 1 for cdn.cdn-tech.com.c.footprint.net.

Zone cut at "."
Querying type 2 for name net. at server k.root-servers.net
Result for "net.": Referral(s)

Zone cut at "net."
Querying type 2 for name footprint.net. at server m.gtld-servers.net.
Result for "footprint.net.": Referral(s)

Zone cut at "footprint.net."
Querying type 2 for name c.footprint.net. at server ns105.footprint.net.
Result for "c.footprint.net.": Referral(s)

Zone cut at "c.footprint.net."
Querying type 2 for name com.c.footprint.net. at server D.ns.c.footprint.net.
Error in retrieving the intermediate result: "NXDOMAIN"


You're welcome to test it on many domains and to report interesting
results (you can use the GitHub issues system
<https://github.com/bortzmeyer/my-IETF-work/issues>).

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
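
The zone-cut search traced in the message above, as an added offline example (not part of the original post and not the code of zonecut.go): it adds one label at a time and records which name each zone's servers get to see. The reply table is constructed, the `example.` names are hypothetical, and the three-way reply classification is a simplifying assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Replies a simulated authoritative server gives to a "CHILD IN NS" query.
// NXDomain is the zero value, so names missing from the table do not exist.
const (
	NXDomain   = iota
	NoData     // name exists (or is an empty non-terminal) but is not a zone apex
	Delegation // referral or authoritative NS answer: CHILD is a zone apex
)

// Constructed table (not live DNS): zone apex -> reply per name asked of its servers.
var world = map[string]map[string]int{
	".":            {"fr.": Delegation, "example.": Delegation},
	"fr.":          {"gouv.fr.": NoData, "ssi.gouv.fr.": Delegation},
	"ssi.gouv.fr.": {"www.ssi.gouv.fr.": NoData},
	"example.":     {"c.example.": Delegation},
	"c.example.":   {"com.c.example.": NXDomain}, // broken: an ENT should get NODATA
}

// Query records that Name (with Type) was sent to the servers of Zone.
type Query struct{ Zone, Name, Type string }

// FindZoneCuts adds one label at a time and asks only the current zone's
// servers for the NS of the next candidate, then sends the real question.
func FindZoneCuts(qname, qtype string) (cuts []string, sent []Query, err error) {
	labels := strings.Split(strings.TrimSuffix(qname, "."), ".")
	zone, child := ".", ""
	cuts = []string{zone}
	for i := len(labels) - 1; i >= 0; i-- {
		child = labels[i] + "." + child
		sent = append(sent, Query{zone, child, "NS"})
		switch world[zone][child] {
		case Delegation: // new zone cut: later queries go to the child's servers
			zone = child
			cuts = append(cuts, zone)
		case NXDomain: // nothing below can exist, so the search stops here
			return cuts, sent, errors.New("NXDOMAIN for " + child)
		}
	}
	return cuts, append(sent, Query{zone, qname, qtype}), nil
}

func main() {
	for _, n := range []string{"www.ssi.gouv.fr.", "cdn.com.c.example."} {
		cuts, sent, err := FindZoneCuts(n, "A")
		fmt.Println(n, "cuts:", cuts, "queries:", len(sent), "err:", err)
	}
}
```

In the `sent` list for www.ssi.gouv.fr. the root servers only ever receive `fr.`, which is the privacy gain; the second name shows how a single NXDOMAIN on an empty non-terminal aborts the whole search.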
