On Feb 22, 2013, at 8:49 AM, Joe Abley <[email protected]> wrote:
>
> On 2013-02-22, at 09:39, Mark Andrews <[email protected]> wrote:
>
>> I can well imagine a machine doing a reverse lookup on a proposed
>> address and not proceeding with that address if it doesn't get a
>> NXDOMAIN.
>>
>> NODATA -> unsafe
>> NXDOMAIN -> may be safe
>
> So, out of interest, do you think it's legitimate for an omniscient server to
> return something like this? (note the RCODE and the SOA RRSet returned in the
> authority section)
>
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41208
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;1.1.1.10.in-addr.arpa. IN PTR
>
> ;; AUTHORITY SECTION:
> 1.1.1.10.in-addr.arpa. 604800 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 1 1800 900 604800 604800
>
> ;; Query time: 3 msec
> ;; SERVER: 192.175.48.6#53(192.175.48.6)
> ;; WHEN: Fri Feb 22 13:45:36 2013
> ;; MSG SIZE rcvd: 116
>
> That would be a simple change to the spec. We chose NOERROR/ANSWER:0 because
> we thought it didn't make sense to say NXDOMAIN whilst at the same time
> synthesising an authority-section SOA with the same owner name as the QNAME
> when the RCODE we're returning indicates that that owner name doesn't exist.
Yup, the change to the spec and the change to the code are both simple.
I also changed the TTLs to match what I got when querying AS112 (not because I
necessarily think that they are the right numbers, just as an example).
----------------------------
wkumari@dns-test:~/tmp/evldns$ diff -Naur oas112d.c oas112d.c.orig
--- oas112d.c 2013-02-22 19:02:36.875829849 +0000
+++ oas112d.c.orig 2013-02-22 18:35:52.546628018 +0000
@@ -33,7 +33,7 @@
#include <ctype.h>
#include <evldns.h>
-static char *t_soa = "@ SOA a.as112.net. hostmaster.as112.net. 1 1800 900
0604800 604800";
+static char *t_soa = "@ SOA a.as112.net. hostmaster.as112.net. 1 604800
2592000 0604800 604800";
static char *t_ns1 = "@ NS b.as112.net.";
static char *t_ns2 = "@ NS c.as112.net.";
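Review bot: the operand order `diff -Naur oas112d.c oas112d.c.orig` makes this hunk read backwards: the `-` line is the modified file and the `+` line is the untouched original, so the new SOA string is the one marked `-` (`1 1800 900 0604800 604800`); swapping the operands (`diff -Naur oas112d.c.orig oas112d.c`) would give a patch that applies in the expected direction. The mailer has also wrapped the `t_soa` string literal across two lines in both hunks, so the patch will not apply as pasted. Finally, the fourth SOA timer is written `0604800` in both versions; the leading zero looks like a typo for `604800` (the value in the AS112 reply Joe quotes) and is worth fixing while the line is being touched, even if the parser accepts it.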
@@ -57,7 +57,7 @@
ldns_pkt *req = srq->request;
/* the default response packet */
- ldns_pkt *resp = srq->response = evldns_response(req,
LDNS_RCODE_NXDOMAIN);
+ ldns_pkt *resp = srq->response = evldns_response(req,
LDNS_RCODE_NOERROR);
/* copy the question and determine qtype and qname */
ldns_rr *question = ldns_rr_list_rr(ldns_pkt_question(req), 0);
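Review bot: this hunk only swaps the RCODE passed to `evldns_response` (again, the `-` line is the new NXDOMAIN behaviour and the `+` line the original NOERROR), while the `t_soa` template from the first hunk is otherwise unchanged, so whatever owner name the code substitutes for `@` (the quoted spec text says it is the QNAME itself) is still returned in the authority section alongside NXDOMAIN. That is exactly the inconsistency Joe raises above; if the NXDOMAIN variant is to be kept for testing, either the SOA owner should be an enclosing name that does exist, or the choice should be noted as deliberate so that resolver negative-caching behaviour against the two test servers can be compared on equal terms.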
-------------------------
The NOERROR version can be seen by querying scratch-monkey.kumari.net, the
NXDOMAIN by querying dns-test.snozzages.com.
> As someone familiar with implementing the receiver side of this hack,
> would/should this negative answer be cached?
Folk are welcome to test against these and see how their particular resolvers
cache…
W
>
>
> Joe
--
No man is an island, But if you take a bunch of dead guys and tie them
together, they make a pretty good raft.
--Anon.
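As an added example (not code from this thread or from evldns), the script below parses the dig-style reply Joe quoted, applies Mark's NODATA/NXDOMAIN rule, derives the RFC 2308 negative-caching TTL from the authority-section SOA, and flags the SOA-owner-equals-QNAME case Joe objects to; DIG_OUTPUT is a constructed copy of that reply.

```python
# Added example: parse a dig-style negative reply, apply Mark's rule and work
# out how long RFC 2308 lets a resolver cache it. Not code from the thread or
# from evldns; DIG_OUTPUT is a constructed copy of the reply Joe quoted.
import re

DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41208
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.1.1.10.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
1.1.1.10.in-addr.arpa. 604800 IN SOA prisoner.iana.org. hostmaster.root-servers.org. 1 1800 900 604800 604800
"""

SOA_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", re.M)

def parse_reply(text):
    """Return (rcode, answer count, qname, authority-section SOA or None)."""
    rcode = re.search(r"status: (\w+)", text).group(1)
    answers = int(re.search(r"ANSWER: (\d+)", text).group(1))
    qname = re.search(r"^;([^;\s]+)\s+IN\s+\w+", text, re.M).group(1)
    m = SOA_RE.search(text)
    soa = None
    if m:
        soa = {"owner": m.group(1), "ttl": int(m.group(2)), "mname": m.group(3),
               "serial": int(m.group(5)), "minimum": int(m.group(9))}
    return rcode, answers, qname, soa

def classify(text):
    """Apply NODATA -> unsafe / NXDOMAIN -> may be safe; compute negative TTL."""
    rcode, answers, qname, soa = parse_reply(text)
    if rcode == "NXDOMAIN":
        kind, verdict = "NXDOMAIN", "may be safe"
    elif rcode == "NOERROR" and answers == 0:
        kind, verdict = "NODATA", "unsafe"
    else:
        kind, verdict = "positive", "unsafe"
    # RFC 2308 s.5: cacheable for min(SOA TTL, SOA MINIMUM); no SOA, no caching.
    neg_ttl = min(soa["ttl"], soa["minimum"]) if soa else 0
    # Joe's objection: NXDOMAIN plus an SOA owned by the QNAME itself asserts
    # that the name is a zone apex and does not exist at the same time.
    inconsistent = kind == "NXDOMAIN" and soa is not None and soa["owner"] == qname
    return {"kind": kind, "verdict": verdict, "negative_ttl": neg_ttl,
            "soa_owner_is_qname": inconsistent}

if __name__ == "__main__":
    print(classify(DIG_OUTPUT))
```

Replacing `status: NXDOMAIN` with `status: NOERROR` in the input turns the same reply into the NODATA case that Mark classes as unsafe.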
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop