On 9/15/16 4:37 AM, Stephane Bortzmeyer wrote:
On Wed, Sep 14, 2016 at 02:33:58PM -0700,
 Shumon Huque <shu...@gmail.com> wrote
 a message of 146 lines which said:

The section [appendix A] is attempting to say that it is NOT OK to
use the SOA record owner name. We could make that clearer.

OK, but I don't see how.

Here is the paragraph in question:

   In this document, we deduce the non-existence of a domain only for
   NXDOMAIN answers where the denied name was this exact domain.  If a
   resolver sends a query to the name servers of the TLD example, and
   asks the MX record for www.foobar.example, and receives a NXDOMAIN,
   it can only register the fact that www.foobar.example (and everything
   underneath) does not exist.  Even if the accompanying SOA record is
   for example only, one cannot infer that foobar.example is
   nonexistent.  The accompanying SOA indicates the apex of the zone,
   not the closest existing domain name.

Here is a possible update (changes marked with *'s)

   In this document, we deduce the non-existence of a domain only for
   NXDOMAIN answers where the denied name was *the* exact domain.  If a
   resolver sends a query to the name servers of the TLD example, *then*
   asks *for* the MX record for www.foobar.example, and receives a
   NXDOMAIN, it can only register the fact that www.foobar.example (and
   everything underneath) does not exist.  *This is true regardless*
   if the accompanying SOA record is for example only*. O*ne cannot
   infer that foobar.example is nonexistent.
   The accompanying SOA *record* indicates the apex of the zone,
   not the closest existing domain name.

tim


I would personally be okay with removing this section also. I can't
recall what discussion happened that caused this scenario to be
included - maybe Stephane remembers.

This was mostly because I did not get the point at the beginning (I
think John Levine explained it to me). IMHO, it is important to keep
this appendix (not a "real" section) because other DNS people may make
the same mistake as I originally did and ask "why not use the SOA
record to find the NXDOMAIN cut?"
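The caching rule in the quoted appendix paragraph, as an added example that is not text or code from the draft or from anyone in this thread: a minimal Python cache that records only the denied name, shown beside the SOA-based inference the appendix rejects. The class and function names and the sample answer are my own constructions.

```python
"""Minimal NXDOMAIN-cut cache illustrating the rule in the quoted paragraph."""


def _labels(name):
    """Split a domain name into case-folded labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def is_at_or_below(name, ancestor):
    """True if name equals ancestor or lies somewhere underneath it."""
    n, a = _labels(name), _labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a


class NxdomainCache:
    """Caches only the exact denied QNAME of each NXDOMAIN answer."""

    def __init__(self):
        self.denied = []

    def record_nxdomain(self, qname, soa_owner):
        # The SOA owner is the zone apex, not the closest existing name, so it
        # contributes nothing to the inference; only the denied name is kept.
        self.denied.append(qname)

    def is_known_nonexistent(self, qname):
        # The denied name and everything underneath it are known not to exist.
        return any(is_at_or_below(qname, d) for d in self.denied)


def naive_cut_from_soa(qname, soa_owner):
    """The inference the appendix warns against: take the label just below the
    SOA owner as the NXDOMAIN cut. Returns that name, or None if qname is not
    below soa_owner. For www.foobar.example / example this yields foobar.example,
    which is NOT a valid conclusion from the answer."""
    n, a = _labels(qname), _labels(soa_owner)
    if not is_at_or_below(qname, soa_owner) or len(n) == len(a):
        return None
    return ".".join(n[len(n) - len(a) - 1:])


def demo():
    """Constructed answer: MX query for www.foobar.example, NXDOMAIN, SOA owner 'example'."""
    cache = NxdomainCache()
    cache.record_nxdomain("www.foobar.example", "example")
    return {
        "www.foobar.example": cache.is_known_nonexistent("www.foobar.example"),
        "mail.www.foobar.example": cache.is_known_nonexistent("mail.www.foobar.example"),
        "foobar.example": cache.is_known_nonexistent("foobar.example"),
        "naive_cut": naive_cut_from_soa("www.foobar.example", "example"),
    }
```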


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop