[dns-operations] Input from dns-operations on NCAP proposal

Petr Špaček pspacek at isc.org
Wed Jun 1 07:39:07 UTC 2022


On 24. 05. 22 17:54, Vladimír Čunát via dns-operations wrote:
> 
> On 23/05/2022 15.48, Thomas, Matthew via dns-operations wrote:
>>
>> Configuration 1: Generate a synthetic NXDOMAIN response to all queries 
>> with no SOA provided in the authority section.
>>
> I believe the protocol says not to cache such answers at all. Some 
> implementations chose to cache at least a few seconds, but I don't think 
> all of them.  Breaking caching seems risky to me, as traffic could 
> increase very much (if the TLD was queried a lot).
> 
> 
>> Configuration 2: Generate a synthetic NXDOMAIN response to all queries 
>> with a SOA record.  Some example queries for the TLD .foo are below:
>>
> It still feels a bit risky to answer in this non-conforming way, and I 
> can't really see why attempt that.  At apex the NXDOMAIN would deny the 
> SOA included in the very same answer...
> 
> 
>> Configuration 3: Use a properly configured empty zone with correct NS 
>> and SOA records. Queries for the single label TLD would return a 
>> NOERROR and NODATA response.
>>
> I expect that's OK, especially if it's a TLD that's seriously 
> considered.  I'd hope that "bad" usage is mainly sensitive to existence 
> of records of other types like A.

Generally I agree with Vladimir, Configuration 3 is the way to go.

Non-compliant responses are riskier than protocol-compliant responses, 
and option 3 is the only compliant variant in your proposal.

Reasoning: Behavior for non-compliant answer is basically undefined 
because most RFCs do not describe what to do when a MUST condition is 
violated. It's hard to see how further evaluation of undefined behavior 
would help with determining further course of action.

-- 
Petr Špaček  @  Internet Systems Consortium



More information about the dns-operations mailing list