Yes, I would consider it to be lame delegation in all three scenarios below of EXAMPLE.NET. There is a delegation (from NET) but there is no possible path to the contents of the EXAMPLE.NET zone.

Mats

---
Mats Dufberg
mats.dufb...@internetstiftelsen.se
Technical Expert
Internetstiftelsen (The Swedish Internet Foundation)
Mobile: +46 73 065 3899
https://internetstiftelsen.se/

From: DNSOP <dnsop-boun...@ietf.org> on behalf of Wessels, Duane <dwessels=40verisign....@dmarc.ietf.org>
Date: Monday, 3 April 2023 at 22:03
To: dnsop@ietf.org <dnsop@ietf.org>
Subject: [DNSOP] Meaning of lame delegation

Dear DNSOP,

I am participating in an SSAC work party where we are writing about DNS delegations where a delegated name server might be available for registration, allowing an attacker to participate in the resolution for the domain. During report drafting we considered using the term "lame delegation" to describe this and a broader class of delegation problems.

Naturally, we turned to RFC 8499, DNS Terminology, but found the entry not particularly helpful since it simply quotes previous, imprecise uses of the term:

   Lame delegation: "A lame delegations exists [sic] when a nameserver is delegated responsibility for providing nameservice for a zone (via NS records) but is not performing nameservice for that zone (usually because it is not set up as a primary or secondary for the zone)." (Quoted from [RFC1912], Section 2.8)

   Another definition is that a lame delegation "...happens when a name server is listed in the NS records for some domain and in fact it is not a server for that domain. Queries are thus sent to the wrong servers, who don't know nothing [sic] (at least not as expected) about the queried domain. Furthermore, sometimes these hosts (if they exist!) don't even run name servers." (Quoted from [RFC1713], Section 2.3)

The first appears to assume that the name server exists, while the latter parenthetically notes the name server might not exist, but without any specific meaning of existence.

We are wondering if the idea of a lame delegation should be interpreted broadly, or more narrowly to include only cases where a response is proof of lameness.

Consider a delegation of the domain EXAMPLE.NET to name server NS.EXAMPLE.ORG. There are three possible situations in which this might be considered a lame delegation:

(1) NS.EXAMPLE.ORG resolves to an IP address. Queries to the IP address result in a REFUSED, SERVFAIL, upward referral, or some other indication the name server is not configured to serve the zone.

(2) NS.EXAMPLE.ORG resolves to an IP address. Queries to the IP address do not elicit a response (e.g., timeout).

(3) NS.EXAMPLE.ORG does not resolve to an IP address, so there is nowhere to send a query.

We welcome the working group's thoughts whether "lame delegation" encompasses these three possibilities.

DW

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
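
An added example, not part of either message: a classifier that sorts per-name-server probe results for a delegation into the three scenarios listed in the original post, and reports when no delegated server gives a path to the zone. The `Probe` record, the function names, the extra name server names and the rule that NOERROR with AA set on an SOA query means the zone is served are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Probe:
    """One SOA query for the zone, sent to one delegated name server (constructed model)."""
    ns_name: str
    address: Optional[str] = None         # None: the NS name did not resolve
    rcode: Optional[str] = None           # None: query sent, no response (timeout)
    aa: bool = False                      # Authoritative Answer flag in the response
    referral_owner: Optional[str] = None  # owner of an NS RRset in the authority section

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def is_upward_referral(zone, owner):
    """True when the referral points at an ancestor of the zone (the root included)."""
    z, o = labels(zone), labels(owner)
    return len(o) < len(z) and z[len(z) - len(o):] == o

def classify(zone, p):
    """Return 3, 2 or 1 for the message's scenarios, 0 if the server answers for the zone."""
    if p.address is None:
        return 3
    if p.rcode is None:
        return 2
    if p.rcode in ("REFUSED", "SERVFAIL"):
        return 1
    if p.referral_owner is not None and is_upward_referral(zone, p.referral_owner):
        return 1
    # Assumption: NOERROR with AA set on an SOA query means the zone is served.
    return 0 if (p.rcode == "NOERROR" and p.aa) else 1

def no_path_to_zone(zone, probes):
    """True when no delegated name server gives a path to the zone's contents."""
    return all(classify(zone, p) != 0 for p in probes)

# Constructed probe results; addresses are from the documentation ranges.
SAMPLE = [
    Probe("ns.example.org"),                                       # scenario 3
    Probe("ns2.example.org", "192.0.2.2"),                         # scenario 2
    Probe("ns3.example.org", "192.0.2.3", "REFUSED"),              # scenario 1
    Probe("ns4.example.org", "192.0.2.4", "NOERROR", False, "."),  # scenario 1, upward referral
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.ns_name, classify("EXAMPLE.NET", p))
    print("no path:", no_path_to_zone("EXAMPLE.NET", SAMPLE))
```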