On Thu, Feb 01, 2018 at 11:45:26AM -0600, Ted Lemon wrote: > > As a general principle, when what the RFC says to do is not the right thing > to do, the solution is to update the RFC, not to ignore the problem.
I strongly agree with this (as I think or anyway hope you know), and if my response seemed to be an appeal to the mythical authority of the RFC series then I apologise. My intent was to point out, instead, that RFC 6761 has a position about this, and it is quite clear and also contrary to the behaviour of the root servers. Since RFC 6761 has IETF consensus, I am not convinced that the response from the roots is right. Since an NXDOMAIN response causes the _very problem_ that the draft this thread is about is attempting to fix -- literally by making the effect in question more ubiquitous -- it seems to me that the burden of proof lies upon others. > Your and Paul's responses to this seem to take the position that what matters > is consistency. We should not return NXDOMAIN, because localhost has > meaning, and NXDOMAIN doesn't. But this misunderstands what NXDOMAIN means. > What NXDOMAIN means is "there is no such name in the DNS." It doesn't > mean "there is no such name." > But of course, there _is_ a name "localhost" in the DNS. It's already defined, in the RFCs, to this effect. RFC 6761 defines special-purpose domain names, not domain names that are outside the DNS. It so happens that this domain name _is_ in the DNS, precisely because RFC 6761 recommends that it be so (unlike, for example, what it says for .invalid or what RFC 6762 says for .local). The point is rather that localhost is a universal reference to the loopback address. Since it is a universal truth, it is true in the IN class, and that means that any server on the Internet ought to know this. > Returning REFUSED makes things worse. Returning NXDOMAIN does not. The goal in the draft is to make things break for the host making the request, even though it should not have made that request. Returning REFUSED and returning NXDOMAIN both have that effect. But returning NXDOMAIN also breaks the semantics of DNS, which I think it worse. > Second, there's no trust model for such a response. The trust model for > NXDOMAIN is clear, and we know how to do it. The trust model for e.g. > REFUSED is nonexistent. > Nonsense. The trust model for refused is, "You asked and were denied." Signable denial of service strikes me as possibly the most abusable service on the Internet :) > Whether we should place special requirements on recursive resolvers is > certainly something that is up for debate. RFC 6761 _already_ places such requirements, it seems to me. > If you believe that the right response is not NXDOMAIN, your reason needs to > be something more than "that's what the RFC says to do." > I believe I offered such reasons in rather more detail in a different message (one to which you did not respond) where I reviewed the draft at greater length. Best regards, A -- Andrew Sullivan a...@anvilwalrusden.com _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
