[dns-operations] Input from dns-operations on NCAP proposal

Thomas, Matthew mthomas at verisign.com
Fri Jun 3 18:48:57 UTC 2022

Thank you David.  That change from NXDOMAIN to NOERROR/NODATA and things going "boom" is exactly what we are looking for community input towards.  Do folks know of applications, or things like suffix search list processing, that will change their behavior?


On 6/2/22, 5:22 PM, "David Conrad" <drc at virtualized.org> wrote:


    On Jun 1, 2022, at 12:39 AM, Petr Špaček <pspacek at isc.org> wrote:
    > On 24. 05. 22 17:54, Vladimír Čunát via dns-operations wrote:
    >>> Configuration 1: Generate a synthetic NXDOMAIN response to all queries with no SOA provided in the authority section.
    >>> Configuration 2: Generate a synthetic NXDOMAIN response to all queries with a SOA record.  Some example queries for the TLD .foo are below:
    >>> Configuration 3: Use a properly configured empty zone with correct NS and SOA records. Queries for the single label TLD would return a NOERROR and NODATA response.
    >> I expect that's OK, especially if it's a TLD that's seriously considered.  I'd hope that "bad" usage is mainly sensitive to existence of records of other types like A.
    > Generally I agree with Vladimir, Configuration 3 is the way to go.
    > Non-compliant responses are riskier than protocol-compliant responses, and option 3 is the only compliant variant in your proposal.

    Just to be clear, the elsewhere-expressed concern with configuration 3 is that it exposes applications to new and unexpected behavior.  That is, if applications have been “tuned” to anticipate an NXDOMAIN and they get something else, even a NOERROR/NODATA response, the argument goes those applications _could_ explode in an earth shattering kaboom, cause mass hysteria, cats and dogs living together, etc.

    While I’ve always considered this concern "a bit" unreasonable, I figure its existence is worth pointing out.
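
Added example, not part of the thread or of the NCAP proposal: a small Python classifier that reads a raw DNS response and reports which of the three quoted configurations it matches, useful when checking what a client under test actually receives. The names `example.foo.`, `ns.foo.` and `admin.foo.`, the SOA values, and the helpers `build` and `classify` are assumptions made for illustration; the sample messages are constructed, not captured.

```python
import struct

SOA = 6  # RR type code for SOA (RFC 1035)

def _name(s):
    """Encode a domain name in uncompressed wire format."""
    labels = [l for l in s.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build(rcode, with_soa, qname):
    """Constructed sample response (not captured traffic): one A question,
    no answers, optionally one SOA for foo. in the authority section."""
    hdr = struct.pack("!6H", 0x1234, 0x8400 | rcode, 1, 0, int(with_soa), 0)
    msg = hdr + _name(qname) + struct.pack("!HH", 1, 1)
    if with_soa:
        rdata = (_name("ns.foo.") + _name("admin.foo.")
                 + struct.pack("!5I", 1, 3600, 600, 86400, 300))
        msg += _name("foo.") + struct.pack("!HHIH", SOA, 1, 300, len(rdata)) + rdata
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Say which of the three configurations a raw response matches."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    rcode, off, has_soa = flags & 0x000F, 12, False
    for _ in range(qd):  # skip the question section
        off = _skip_name(msg, off) + 4
    for i in range(an + ns):  # walk answer RRs, then authority RRs
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        has_soa |= i >= an and rtype == SOA
    if rcode == 3:  # NXDOMAIN
        return "config 2" if has_soa else "config 1"
    if rcode == 0 and an == 0:  # NOERROR with an empty answer section
        return "config 3" if has_soa else "NODATA without SOA"
    return "other"
```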

