[dns-operations] Input from dns-operations on NCAP proposal

David Conrad drc at virtualized.org
Thu Jun 2 22:22:46 UTC 2022


Hi,

On Jun 1, 2022, at 12:39 AM, Petr Špaček <pspacek at isc.org> wrote:
> On 24. 05. 22 17:54, Vladimír Čunát via dns-operations wrote:
>>> Configuration 1: Generate a synthetic NXDOMAIN response to all queries with no SOA provided in the authority section.
>>> Configuration 2: Generate a synthetic NXDOMAIN response to all queries with a SOA record.  Some example queries for the TLD .foo are below:
>>> Configuration 3: Use a properly configured empty zone with correct NS and SOA records. Queries for the single label TLD would return a NOERROR and NODATA response.
>> I expect that's OK, especially if it's a TLD that's seriously considered.  I'd hope that "bad" usage is mainly sensitive to existence of records of other types like A.
> 
> Generally I agree with Vladimir, Configuration 3 is the way to go.
> 
> Non-compliant responses are riskier than protocol-compliant responses, and option 3 is the only compliant variant in your proposal.

Just to be clear, the elsewhere-expressed concern with configuration 3 is that it exposes applications to new and unexpected behavior.  That is, if applications have been “tuned” to anticipate an NXDOMAIN and they get something else, even a NOERROR/NODATA response, the argument goes those applications _could_ explode in an earth shattering kaboom, cause mass hysteria, cats and dogs living together, etc.

While I’ve always considered this concern "a bit" unreasonable, I figure its existence is worth pointing out.

Regards,
-drc

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20220602/ecbe23e2/attachment.sig>


More information about the dns-operations mailing list