Hi John,
> If a query for a special use name, whether it's foo.onion or
> 7.8.9.10.in-addr.arpa, leaks to an authoritative server, NXDOMAIN is
> the right answer.
Not really. First of all, the in-addr.arpa. zone is a normal part of the DNS tree,
and various authoritative servers (depending on the zone) answer with
proper delegations for it. Sure, 9.10.in-addr.arpa. is already an
NXDOMAIN (according to the auth servers for 10.in-addr.arpa., but no
others!) since 10.0.0.0/8 is a private address space.
On the other hand, the onion. zone does not exist in DNS; therefore, the
root servers (authoritative for ".") answer such queries with NXDOMAIN,
whereas all other authoritative servers (for example, the one authoritative for
zone example.com.) answer with REFUSED, because it is out of their scope.
The requirement that all authoritative servers must answer onion. (or
any subdomain) with NXDOMAIN does not make sense:
1) all (AFAIK) auth server implementations to date do not comply
2) it would be an unnecessary exceptional behavior, possibly confusing things
3) it would probably conflict with other DNS RFCs
4) it's not clear how such answers would be DNSSEC'ed
I suggest removing any specific errcode (NXDOMAIN, REFUSED) mentions
from such a requirement. In the future, those errcodes and their names may
be altered. I quite like Peter's original proposal, though any
wording can always be slightly improved. I don't dare to suggest any
wording, though.
Libor
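The distinction the mail draws (root servers answering onion. with NXDOMAIN, an authoritative server for example.com. answering REFUSED because the name is outside its zones, and the 10.in-addr.arpa. servers answering NXDOMAIN for 9.10.in-addr.arpa.) as an added toy model of an authoritative server's decision logic; this is not code from the thread, and all zone contents are constructed sample data.

```python
from typing import Dict, Iterable, List, Tuple

def labels(name: str) -> List[str]:
    """Split a domain name into lower-cased labels; the root ('.') is []."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def canon(name: str) -> str:
    """Canonical form used as a dictionary key (root becomes '')."""
    return ".".join(labels(name))

def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies below it (label-wise suffix match)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

class AuthServer:
    """Toy authoritative server: apex -> (names owning records, delegated children).

    Simplifications: no wildcards, no NODATA case, no DNSSEC; the point is only
    the REFUSED / referral / NXDOMAIN decision discussed in the mail.
    """
    def __init__(self, zones: Dict[str, Tuple[Iterable[str], Iterable[str]]]):
        self.zones = {canon(apex): ({canon(n) for n in names}, [canon(c) for c in kids])
                      for apex, (names, kids) in zones.items()}

    def answer(self, qname: str) -> str:
        # 1) Query outside every zone we serve: out of scope -> REFUSED.
        matches = [z for z in self.zones if in_zone(qname, z)]
        if not matches:
            return "REFUSED"
        zone = max(matches, key=lambda z: len(labels(z)))   # closest enclosing zone
        names, kids = self.zones[zone]
        # 2) Name delegated to a child zone: a referral, not an error code.
        for child in kids:
            if in_zone(qname, child):
                return "REFERRAL " + (child or ".")
        # 3) Inside our zone: data present -> NOERROR, otherwise NXDOMAIN.
        return "NOERROR" if canon(qname) in names else "NXDOMAIN"

# Constructed sample deployments (not real zone data).
ROOT = AuthServer({".": ([".", "com.", "arpa."], ["com.", "arpa."])})
TEN_IN_ADDR = AuthServer({"10.in-addr.arpa.": (["10.in-addr.arpa.",
                                                 "1.0.10.in-addr.arpa."], [])})
EXAMPLE_COM = AuthServer({"example.com.": (["example.com.", "www.example.com."], [])})

if __name__ == "__main__":
    for q in ("foo.onion.", "7.8.9.10.in-addr.arpa."):
        for label, srv in (("root", ROOT), ("10.in-addr.arpa", TEN_IN_ADDR),
                           ("example.com", EXAMPLE_COM)):
            print(f"{q:26} @ {label:16} -> {srv.answer(q)}")
```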
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop