On Thu, Mar 2, 2023 at 2:10 AM Paul Vixie <paul=40redbarn....@dmarc.ietf.org>
wrote:

> >
> >     Address lookup functions typically invoked by applications won't see
> >     a practical impact from this indistinguishability.  For a non-
> >     existent name, the getaddrinfo() function for example will return a
> >     value of EAI_NODATA rather than EAI_NONAME.  But either way the
> >     effect on the caller is the same: it will obtain a response with a
> >     non-zero return value and no available addresses.
>
> that's just not true, no matter how it's worded.
>
> if i get NODATA i might try other record types (for example, AAAA after
> A, A after AAAA, or both AAAA and A after MX).
>
> if i get NXDOMAIN, i won't.
>

That's a fair point. It may cause calling applications to issue additional
queries, although I guess the final state will be the same.


> there's also a huge impact on operational security.
>
> indistinguishability would be a huge problem.
>
> please outlaw it.
>

I don't think this mechanism can be outlawed since it is already so widely
deployed in the field.

What we can do is to make it easier to make the distinction, which is what
we are attempting to do with the distinguishability (pseudo) type in the
type bitmap. As I mentioned earlier, we have some proposed tweaks to
that mechanism which I'll start a new thread about.

Shumon.
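As an added illustration, not code from the thread or from the draft under discussion: the NSEC type bitmap (RFC 4034 section 4.1.2) encoded and decoded in Python, with the "distinguishability (pseudo) type" check layered on top and Paul's retry rule applied to the result. The pseudo-type number and the table of related types are constructed assumptions for this example, not values the draft assigns.

```python
# Added example, not code from the thread or the draft: decode/encode an NSEC
# type bitmap (RFC 4034 section 4.1.2) and apply the resolver logic from the
# message above: retry related types after NODATA, stop after NXDOMAIN.

# Constructed assumption: the pseudo-type number is a placeholder picked for
# this example, not the value the draft assigns.
DISTINGUISHABILITY_PSEUDOTYPE = 65283
TYPE_A, TYPE_MX, TYPE_AAAA, TYPE_RRSIG, TYPE_NSEC = 1, 15, 28, 46, 47

def encode_type_bitmap(types):
    """Encode RR type numbers into NSEC type-bitmap wire format (window blocks)."""
    windows = {}
    for t in types:
        bm = windows.setdefault(t >> 8, bytearray(32))
        bm[(t & 0xFF) >> 3] |= 0x80 >> (t & 7)      # high-order bit = lowest type
    out = bytearray()
    for win in sorted(windows):
        bm = windows[win].rstrip(b"\x00")            # trailing zero octets are omitted
        out += bytes([win, len(bm)]) + bm
    return bytes(out)

def decode_type_bitmap(data):
    """Decode NSEC type-bitmap wire format into a set of RR type numbers."""
    types, i = set(), 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated window header")
        win, length = data[i], data[i + 1]
        if not 1 <= length <= 32 or i + 2 + length > len(data):
            raise ValueError("malformed window block")   # RFC 4034: 1..32 octets
        for byte_idx, b in enumerate(data[i + 2:i + 2 + length]):
            for bit in range(8):
                if b & (0x80 >> bit):
                    types.add((win << 8) | (byte_idx << 3) | bit)
        i += 2 + length
    return types

def classify_negative(bitmap):
    """A synthesized NSEC carrying the pseudo-type means the name does not exist."""
    if DISTINGUISHABILITY_PSEUDOTYPE in decode_type_bitmap(bitmap):
        return "NXDOMAIN"
    return "NODATA"

def fallback_types(bitmap, asked):
    """Vixie's rule: NODATA may warrant related types; NXDOMAIN never does."""
    if classify_negative(bitmap) == "NXDOMAIN":
        return []
    related = {TYPE_A: [TYPE_AAAA], TYPE_AAAA: [TYPE_A], TYPE_MX: [TYPE_AAAA, TYPE_A]}
    return related.get(asked, [])
```

The encoder reproduces the worked example in RFC 4034 (A, MX, RRSIG, NSEC and TYPE1234 yield two window blocks), so it can be checked against the RFC text directly.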
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop