5. Authoritative DNS Servers: Authoritative servers MUST respond to queries for .onion with NXDOMAIN.
I think this text is correct.
The whole point of .onion and other special use domain names is that they
are resolved outside of the DNS. RFC 6761 says they should be caught at
a recursive server if not earlier.
If a query for a special use name, whether it's foo.onion or
7.8.9.10.in-addr.arpa, leaks to an authoritative server, NXDOMAIN is the
right answer.
R's,
John
Corrected Text
--------------
5. Authoritative DNS Servers: Authoritative servers MUST respond non-authoritatively to queries for names in .onion.
The original text for 5 and 6 is conflicting. A name server cannot respond with
NXDOMAIN (which is an authoritative answer) without having a zone configured to
serve that NXDOMAIN from. Clearly the intent of the text is that clients will
not find authoritative answers to .onion queries anywhere in the DNS.
The corrected text does not describe what to return though. I guess the
text implies REFUSED, but perhaps the WG reasoned this was not good as
it would lead to more queries to other servers or instances of the
authoritative server set?
Yes, it implies REFUSED. I was unsure REFUSED was standardised, or
whether it is still a convention that almost all auths happen to
follow. REFUSED would indeed lead to resolvers trying other auths
(although that seems a bit theoretical - where did the resolver even
come up with the idea to ask a bunch of auths about .onion names?).
I also now realise that the root servers do not honour my new text, and
their behaviour -is- correct, so perhaps:
5. Authoritative DNS Servers: Authoritative servers (other than the root servers) MUST respond non-authoritatively to queries for names in .onion.
Yes, the root servers respond with an authoritative name error for QNAMEs under
.ONION. For them to do otherwise would arguably break the commitment they have
made many times to serve precisely the root zone provided to them by the IANA.
I do see the problem that the proposed erratum is trying to address. However, I
don't see much difference between clients of a resolver receiving a
non-authoritative name error (e.g. a negative response from a root server that
has been cached) vs. an authoritative name error (e.g. a negative response from
a resolver that has been configured to answer in such a fashion). And I don't
really see the point in any RFC suggesting that they can MUST operators into
acting in any particular way, regardless of whether the servers they administer
are acting as recursive or authoritative.
The idea of modifying the protocol to accommodate namespaces outside the DNS is
causing me to throw up in my mouth a bit, to be honest. Perhaps the DNS could
just concentrate on being the DNS and other namespaces can fight their own
battles?
Joe
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
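The thread turns on a distinction that is easy to lose in prose: an NXDOMAIN with the AA bit set is an authoritative name error, the same RCODE without AA is a non-authoritative one (what a resolver hands out from a cached negative answer), and REFUSED is a different RCODE altogether. The following is an added example, not code from any of the posters or from an RFC; it builds constructed sample responses for a name under .onion and decodes the header the way a resolver would, so the three behaviours discussed above can be seen side by side. The RCODE and flag constants come from RFC 1035 section 4.1.1; the helper names (build_response, classify_response, is_onion_name) are this example's own.

```python
"""Added example: tell an authoritative name error apart from a
non-authoritative one (and from REFUSED) by decoding the DNS header.

Constructed sample responses only; nothing here talks to the network.
"""
import struct

# RCODE values (RFC 1035 section 4.1.1)
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3   # "Name Error"
RCODE_REFUSED = 5

# Flag bits in the second 16-bit word of the header (RFC 1035 section 4.1.1)
QR_BIT = 1 << 15  # message is a response
AA_BIT = 1 << 10  # Authoritative Answer
RD_BIT = 1 << 8   # Recursion Desired (copied from the query)

HEADER_LEN = 12


def encode_qname(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)  # the empty root label terminates the name
    return bytes(out)


def decode_qname(msg, offset):
    """Decode an uncompressed wire-format name; return (name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_response(txid, qname, rcode, authoritative):
    """Build a minimal response: header plus the echoed question (QTYPE A, IN).

    Constructed for the example; a real server would also carry SOA in
    the authority section of a negative answer.
    """
    flags = QR_BIT | RD_BIT | (rcode & 0xF)
    if authoritative:
        flags |= AA_BIT
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_qname(qname) + struct.pack("!HH", 1, 1)


def is_onion_name(qname):
    """True for names in the .onion special-use domain (RFC 7686)."""
    return qname == "onion" or qname.endswith(".onion")


def classify_response(msg):
    """Return (qname, description) for a response message."""
    if len(msg) < HEADER_LEN:
        raise ValueError("truncated header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    if not flags & QR_BIT:
        raise ValueError("message is a query, not a response")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, _ = decode_qname(msg, HEADER_LEN)
    rcode = flags & 0xF
    aa = bool(flags & AA_BIT)
    if rcode == RCODE_NXDOMAIN:
        desc = "authoritative name error" if aa else "non-authoritative name error"
    elif rcode == RCODE_REFUSED:
        desc = "refused"
    elif rcode == RCODE_NOERROR:
        desc = "authoritative answer" if aa else "non-authoritative answer"
    else:
        desc = f"rcode {rcode}"
    return qname, desc


if __name__ == "__main__":
    # Constructed samples covering the three behaviours discussed in the thread.
    samples = {
        "root-style reply":      build_response(0x1234, "example.onion", RCODE_NXDOMAIN, True),
        "cached resolver reply": build_response(0x1235, "example.onion", RCODE_NXDOMAIN, False),
        "refusing auth":         build_response(0x1236, "example.onion", RCODE_REFUSED, False),
    }
    for label, msg in samples.items():
        qname, desc = classify_response(msg)
        print(f"{label:22s} {qname:14s} onion={is_onion_name(qname)} -> {desc}")
```

Running the block prints one line per sample; the first two carry the same RCODE and differ only in the AA bit, which is exactly the difference the erratum text hinges on and the one Joe argues a stub client has little reason to care about.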
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop