On Mon, 2021-11-29 at 14:16 -0500, Paul Wouters wrote:
> On Mon, 29 Nov 2021, RFC Errata System wrote:
>
> > Original Text
> > -------------
> > 5. Authoritative DNS Servers: Authoritative servers MUST respond to
> > queries for .onion with NXDOMAIN.
> >
> > Corrected Text
> > --------------
> > 5. Authoritative DNS Servers: Authoritative servers MUST respond
> > non-authoritatively to queries for names in .onion.
> >
> > The original text for 5 and 6 is conflicting. A name server cannot respond
> > with NXDOMAIN (which is an authoritative answer) without having a zone
> > configured to serve that NXDOMAIN from. Clearly the intent of the text is
> > that clients will not find authoritative answers to .onion queries anywhere
> > in the DNS.
>
> The corrected text does not describe what to return though. I guess the
> text implies REFUSED, but perhaps the WG reasoned this was not good as
> it would lead to more queries to other servers or instances of the
> authoritative server set?
Yes, it implies REFUSED. I was unsure REFUSED was standardised, or whether it
is still a convention that almost all auths happen to follow. REFUSED would
indeed lead to resolvers trying other auths (although that seems a bit
theoretical - where did the resolver even come up with the idea to ask a bunch
of auths about .onion names?).

I also now realise that the root servers do not honour my new text, and their
behaviour -is- correct, so perhaps:

5. Authoritative DNS Servers: Authoritative servers (other than the root
servers) MUST respond non-authoritatively to queries for names in .onion.

?

> So I agree the Original text has an issue. I haven't been convinced yet
> the suggested solution is the right one. After all, we are talking about
> "special domains", so perhaps it does warrant an NXDOMAIN despite that
> normally being used only within an authoritative context.

I don't think we should be prescribing extra code paths in authoritative
servers in this document, and I think non-authoritative NXDOMAINs would be
very confusing. In particular, resolvers would not believe them anyway.

That all said, I can certainly see that other texts than my suggestion could
make sense.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop