[dns-operations] Akamai now works with ENT (Empty Non-Terminals)?

Reed, Jon jreed at akamai.com
Sat Apr 13 11:38:47 UTC 2019


Our CDN zones have supported ENTs since July 2018. I was heavily involved with this, and am happy to answer follow-up questions either on-list or off-list.

There were a number of challenging problems, specifically around empty non-terminals and their interaction with wildcards described in RFC 4592. The behavior is completely non-intuitive to anyone who isn't a DNS expert.

I wrote a fairly detailed response about this on the dnsop list during IETF 102, in response to a thread started by Stéphane:

https://mailarchive.ietf.org/arch/msg/dnsop/XIX16DCe2ln3ZnZai723v32ZIjE

At the time, many other large cloud providers also exhibited incorrect behavior around wildcards and empty non-terminals, but I think Akamai was called out specifically at OARC 27 or 28 with this GIF: https://giphy.com/gifs/hero0fwar-caddy-shack-ToMjGpz81S7usvTIM8w

-Jon 

--
Jon Reed <jreed at akamai.com>
Senior Performance Engineer
Akamai Technologies
Nameservers Service Performance 

On 4/13/19, 6:03 AM, "Jared Mauch" <jared at puck.nether.net> wrote:

    Yes. I know Tale spent a long time working on this and I believe all the software went live recently on this. If you are seeing issues let me know and I can pass it on to the team. 
    
    This should mean good things as it makes QNAME minimization feasible where it was not previously. 
    
    (I forget; it may have gone live last year.)
    
    If anyone needs an exact timeline I can go find it. 
    
    - Jared
    
    > On Apr 13, 2019, at 5:25 AM, Stephane Bortzmeyer <bortzmeyer at nic.fr> wrote:
    > 
    > It seems so. Instead of the erroneous NXDOMAIN, Akamai's
    > authoritative name servers apparently now reply with the correct
    > NOERROR for ENT (Empty Non-Terminals):
    > 
    > % dig @a9-64.akam.net A net.edgesuite.net
    > 
    > ; <<>> DiG 9.10.3-P4-Debian <<>> @a9-64.akam.net A net.edgesuite.net
    > ; (2 servers found)
    > ;; global options: +cmd
    > ;; Got answer:
    > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52846
    > ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    > ;; WARNING: recursion requested but not available
    > 
    > ;; OPT PSEUDOSECTION:
    > ; EDNS: version: 0, flags: do; udp: 4096
    > ;; QUESTION SECTION:
    > ;net.edgesuite.net.    IN A
    > 
    > ;; AUTHORITY SECTION:
    > edgesuite.net.        180 IN SOA ns1-2.akamai.com. hostmaster.akamai.com. (
    >                1555143514 ; serial
    >                900        ; refresh (15 minutes)
    >                300        ; retry (5 minutes)
    >                604800     ; expire (1 week)
    >                180        ; minimum (3 minutes)
    >                )
    > 
    > ;; Query time: 28 msec
    > ;; SERVER: 2a02:26f0:117::40#53(2a02:26f0:117::40)
    > ;; WHEN: Sat Apr 13 11:24:56 CEST 2019
    > ;; MSG SIZE  rcvd: 109
    > 
    > So, it is now compatible with RFC 7816 and RFC 8020. 
    > 
    > _______________________________________________
    > dns-operations mailing list
    > dns-operations at lists.dns-oarc.net
    > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
    
    





More information about the dns-operations mailing list
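
An added example, not part of the thread and not Akamai's code: a minimal authoritative lookup that follows RFC 4592's existence and closest-encloser rules over a constructed zone (all `example.test` names and addresses are made up). It shows why an ENT answers NOERROR with no data, why a wildcard does not cover names at or below an ENT, and how a server that ignores ENTs (the hypothetical `ent_aware=False` switch) returns NXDOMAIN instead. It assumes the query name lies inside the zone and ignores CNAME, delegations and DNSSEC.

```python
# Constructed zone (not from the thread): owner name -> {rrtype: [rdata]}
ZONE = {
    "example.test.": {"SOA": ["ns.example.test. hostmaster.example.test. 1 900 300 604800 180"]},
    "*.w.example.test.": {"A": ["192.0.2.1"]},
    "host.sub.w.example.test.": {"A": ["192.0.2.2"]},   # makes sub.w an ENT
    "host.net.example.test.": {"A": ["192.0.2.3"]},     # makes net an ENT
}


def parent(name):
    """Strip the leftmost label: 'a.b.test.' -> 'b.test.'"""
    return name.split(".", 1)[1]


def exists(name, ent_aware=True):
    """RFC 4592 2.2.2: a name exists if it owns records or has a descendant
    that does (an empty non-terminal). ent_aware=False is a hypothetical
    model of a server that only knows names owning records."""
    if name in ZONE:
        return True
    return ent_aware and any(owner.endswith("." + name) for owner in ZONE)


def lookup(qname, qtype, ent_aware=True):
    """Return (rcode, rdata list) for a query name inside the zone."""
    if exists(qname, ent_aware):
        # Existing name, possibly an ENT with no records at all:
        # answered as-is and never synthesised from a wildcard.
        return "NOERROR", ZONE.get(qname, {}).get(qtype, [])
    # Closest encloser: the longest existing ancestor of qname.
    encloser = parent(qname)
    while not exists(encloser, ent_aware):
        encloser = parent(encloser)
    # Only the wildcard directly below the closest encloser may answer.
    source = ZONE.get("*." + encloser)
    if source is None:
        return "NXDOMAIN", []
    return "NOERROR", source.get(qtype, [])


if __name__ == "__main__":
    for q in ("net.example.test.", "other.w.example.test.",
              "sub.w.example.test.", "x.sub.w.example.test."):
        print(q, lookup(q, "A"), "| ENT-unaware:", lookup(q, "A", ent_aware=False))
```

With QNAME minimisation a resolver asks for `net.example.test.` before `host.net.example.test.`, so the ENT-unaware NXDOMAIN would, under RFC 8020, end the resolution before the real record is ever queried.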