<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jun 3, 2022 at 11:57 AM Thomas, Matthew via dns-operations <<a href="mailto:dns-operations@dns-oarc.net">dns-operations@dns-oarc.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br><br><br>---------- Forwarded message ----------<br>From: "Thomas, Matthew" <<a href="mailto:mthomas@verisign.com" target="_blank">mthomas@verisign.com</a>><br>To: "<a href="mailto:drc@virtualized.org" target="_blank">drc@virtualized.org</a>" <<a href="mailto:drc@virtualized.org" target="_blank">drc@virtualized.org</a>>, "<a href="mailto:pspacek@isc.org" target="_blank">pspacek@isc.org</a>" <<a href="mailto:pspacek@isc.org" target="_blank">pspacek@isc.org</a>><br>Cc: "<a href="mailto:vladimir.cunat%2Bietf@nic.cz" target="_blank">vladimir.cunat+ietf@nic.cz</a>" <<a href="mailto:vladimir.cunat%2Bietf@nic.cz" target="_blank">vladimir.cunat+ietf@nic.cz</a>>, "<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>" <<a href="mailto:dns-operations@dns-oarc.net" target="_blank">dns-operations@dns-oarc.net</a>><br>Bcc: <br>Date: Fri, 3 Jun 2022 18:48:57 +0000<br>Subject: Re: Re: [dns-operations] Input from dns-operations on NCAP proposal<br>Thank you David. That change from NXDOMAIN to NOERROR/NODATA and things going "boom" is exactly what we are looking for community input towards. Do folks know of applications, or things like suffix search list processing, that will change their behavior? <br>
<br></blockquote><div><br></div><div>There is one particular non-default configuration that definitely would make things go "boom". (This is not a comprehensive list of behaviors, just one example that is known.)</div><div><br></div><div>If the options value of "ndots:N" is set in /etc/resolv.conf (or whatever analogous configuration elements exist in non-Unix/linux systems) to a value of N==0, then a lookup for a single label name (e.g. "foo") would be made as an absolute query first, before doing search list additions.</div><div><br></div><div>"ndots" can generally be any number between 0 and X, for implementation-specific X. Some implementations cap X at 15, some at 255, there may be other implementations.</div><div><br></div><div>In such a configuration, if the host name "foo" matches the candidate TLD "foo", and the latter is changed from NXDOMAIN (non-existing in the root) to anything else (e.g. a delegation is made for "foo"), this will break search list processing for "foo". I.e. earth-shattering kaboom.</div><div>BEFORE: "foo" => NXDOMAIN, resolver then tries various "<a href="http://foo.bar.example.com">foo.bar.example.com</a>", "<a href="http://foo.example.com">foo.example.com</a>" etc.<br>AFTER: "foo" => not NXDOMAIN, resolver stops after the answer it gets (especially if there is a matching QTYPE and RRTYPE in the Answer, such as QTYPE == A, answer is 127.0.53.53)</div><div><br></div><div>Brian</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Matt<br>
<br>
On 6/2/22, 5:22 PM, "David Conrad" <<a href="mailto:drc@virtualized.org" target="_blank">drc@virtualized.org</a>> wrote:<br>
<br>
Hi,<br>
<br>
On Jun 1, 2022, at 12:39 AM, Petr Špaček <<a href="mailto:pspacek@isc.org" target="_blank">pspacek@isc.org</a>> wrote:<br>
> On 24. 05. 22 17:54, Vladimír Čunát via dns-operations wrote:<br>
>>> Configuration 1: Generate a synthetic NXDOMAIN response to all queries with no SOA provided in the authority section.<br>
>>> Configuration 2: Generate a synthetic NXDOMAIN response to all queries with a SOA record. Some example queries for the TLD .foo are below:<br>
>>> Configuration 3: Use a properly configured empty zone with correct NS and SOA records. Queries for the single label TLD would return a NOERROR and NODATA response.<br>
>> I expect that's OK, especially if it's a TLD that's seriously considered. I'd hope that "bad" usage is mainly sensitive to existence of records of other types like A.<br>
> <br>
> Generally I agree with Vladimir, Configuration 3 is the way to go.<br>
> <br>
> Non-compliant responses are riskier than protocol-compliant responses, and option 3 is the only compliant variant in your proposal.<br>
<br>
Just to be clear, the elsewhere-expressed concern with configuration 3 is that it exposes applications to new and unexpected behavior. That is, if applications have been “tuned” to anticipate an NXDOMAIN and they get something else, even a NOERROR/NODATA response, the argument goes those applications _could_ explode in an earth shattering kaboom, cause mass hysteria, cats and dogs living together, etc.<br>
<br>
While I’ve always considered this concern "a bit" unreasonable, I figure its existence is worth pointing out.<br>
<br>
Regards,<br>
-drc<br>
<br>
<br>
<br>
_______________________________________________<br>
dns-operations mailing list<br>
<a href="mailto:dns-operations@lists.dns-oarc.net" target="_blank">dns-operations@lists.dns-oarc.net</a><br>
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br>
</blockquote></div></div>
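The ndots interaction Brian describes, as an added example that is not part of the thread: a small Python model of a glibc-style stub resolver's search-list processing, run against three constructed zone states for the candidate TLD "foo" (absent, i.e. NXDOMAIN; existing with no A record, i.e. Configuration 3's NOERROR/NODATA; delegated with an A record). The zone contents, the search list `bar.example.com`/`example.com`, the host address 192.0.2.10 and the `candidate_names`/`resolve` functions are all assumptions of the example; the one modelling choice that matters, and is an assumption rather than a statement about any particular implementation, is that the stub stops only on a response carrying answer records and keeps walking the search list on NXDOMAIN or NODATA.

```python
"""Model of ndots-driven search-list processing (constructed data)."""

from typing import Dict, List, Optional, Tuple

# Constructed answers keyed by fully-qualified query name (QTYPE A):
#   key absent -> NXDOMAIN, [] -> NOERROR/NODATA, non-empty -> NOERROR with A records.
ZONE_BEFORE: Dict[str, List[str]] = {
    "foo.example.com.": ["192.0.2.10"],          # the internal host people mean by "foo"
}
ZONE_NODATA: Dict[str, List[str]] = {
    "foo.": [],                                  # "Configuration 3": TLD exists, no A record
    "foo.example.com.": ["192.0.2.10"],
}
ZONE_DELEGATED: Dict[str, List[str]] = {
    "foo.": ["127.0.53.53"],                     # TLD delegated; address taken from the thread
    "foo.example.com.": ["192.0.2.10"],
}

SEARCH_LIST = ["bar.example.com", "example.com"]  # constructed resolv.conf "search" entries


def candidate_names(name: str, ndots: int, search: List[str]) -> List[str]:
    """Query order for a glibc-style stub resolver (simplified model).

    A name with at least `ndots` dots is tried as-is first, then with each
    search suffix; otherwise the search suffixes come first and the as-is
    form last. With ndots:0 every name, even a single label, is tried
    absolute first, which is the configuration the thread warns about.
    """
    if name.endswith("."):                       # trailing dot: never searched
        return [name]
    as_is = name + "."
    via_search = [f"{name}.{suffix.rstrip('.')}." for suffix in search]
    if name.count(".") >= ndots:
        return [as_is] + via_search
    return via_search + [as_is]


def resolve(name: str, zone: Dict[str, List[str]], ndots: int,
            search: List[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Walk the candidate list against the constructed zone data.

    Returns (A records found, trace of (qname, rcode)). The model stops at
    the first response carrying answer records and keeps searching on
    NXDOMAIN or NODATA; that assumption is what makes the delegated case
    diverge from the other two.
    """
    trace: List[Tuple[str, str]] = []
    for qname in candidate_names(name, ndots, search):
        rrs: Optional[List[str]] = zone.get(qname)
        if rrs is None:
            trace.append((qname, "NXDOMAIN"))
        elif not rrs:
            trace.append((qname, "NOERROR/NODATA"))
        else:
            trace.append((qname, "NOERROR"))
            return rrs, trace
    return [], trace


if __name__ == "__main__":
    for label, zone in (("before (NXDOMAIN)", ZONE_BEFORE),
                        ("config 3 (NODATA)", ZONE_NODATA),
                        ("delegated (A record)", ZONE_DELEGATED)):
        for ndots in (0, 1):
            answer, trace = resolve("foo", zone, ndots, SEARCH_LIST)
            print(f"{label:22} ndots:{ndots} -> {answer or 'no answer'}")
            for qname, rcode in trace:
                print(f"    {qname:22} {rcode}")
```

Running it shows the two things worth checking on a real estate: with `ndots:0` the delegated case returns 127.0.53.53 after a single query and never reaches `foo.example.com`, while the default `ndots:1` reaches the internal host first in every zone state, so the exposure is specific to the non-default setting. The NODATA rows only reflect this model's choice to keep searching; whether a given stub resolver or application does the same is exactly the question the thread is asking.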