Re: [dns-operations] ag.gov not providing NXDOMAIN responses
On Tue, Apr 09, 2024 at 01:09:20PM -0500, David Zych wrote a message of 121 lines which said:

> The problem: when queried for a record underneath ag.gov. which does
> not exist, these nameservers do not return a proper NXDOMAIN
> response; instead, they don't answer at all.

Funny enough, it depends on the QTYPE.

% dig @ns2.usda.gov. nonono.ag.gov A
;; communications error to 2600:12f0:0:ac04::206#53: timed out
;; communications error to 2600:12f0:0:ac04::206#53: timed out
;; communications error to 2600:12f0:0:ac04::206#53: timed out
;; communications error to 199.141.126.206#53: timed out

; <<>> DiG 9.18.24-1-Debian <<>> @ns2.usda.gov. nonono.ag.gov A
; (2 servers found)
;; global options: +cmd
;; no servers could be reached

% dig @ns2.usda.gov. nonono.ag.gov NS

; <<>> DiG 9.18.24-1-Debian <<>> @ns2.usda.gov. nonono.ag.gov NS
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44750
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1220
; COOKIE: 108e6a3526539745cbe04caf6617b75afc5cf42f25232e56 (good)
;; QUESTION SECTION:
;nonono.ag.gov. IN NS

;; AUTHORITY SECTION:
ag.gov. 900 IN SOA ns1.usda.gov. duty\.officer.usda.gov. (
...

> The practical trouble this causes has to do with an increasingly popular DNS
> privacy feature called QNAME Minimization, which depends upon authoritative
> DNS servers like yours responding in a standards-compliant way to queries like
>
> _.ag.gov IN A
> _.ars.ag.gov IN A
> _.tucson.ars.ag.gov IN A

More fun: the previous version of QNAME minimisation used QTYPE=NS. It then changed to QTYPE=A precisely to work around broken middleboxes. (And also to avoid sticking out.)

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
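The dig runs above show the two outcomes a QNAME-minimising resolver has to cope with: silence for a nonexistent name with QTYPE=A, NXDOMAIN for the same name with QTYPE=NS. As an added example (not code from the post or from any resolver), here is a stdlib-only Python probe that builds the RFC 9156 ladder of names quoted in the reply (_.ag.gov, _.ars.ag.gov, ..., then the full name), sends a bare query for each name with several QTYPEs, and classifies every reply as NXDOMAIN, NOERROR, TIMEOUT and so on, so a zone can be checked for exactly this failure mode before a resolver trips over it. The wire-format encoder and header parser, the fake_reply helper used to exercise the classifier offline, and names such as www.tucson.ars.ag.gov are the example's own constructions.

```python
# Added example: probe an authoritative server the way a QNAME-minimising
# resolver does. stdlib only (no dnspython). Names like
# www.tucson.ars.ag.gov and fake_reply() are constructed for illustration.
import random
import socket
import struct
import sys

QTYPES = {"A": 1, "NS": 2, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Dotted name -> uncompressed wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label %r in %r" % (label, name))
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, txid=0x1234, rd=False):
    """One-question query. rd=False is what a resolver sends to an
    authoritative server; dig sets RD by default, hence its warning above."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(data):
    """Decode the 12-byte header; enough to tell NXDOMAIN from silence."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200),
            "rcode": RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def minimised_names(qname, zone):
    """Ladder a minimising resolver (RFC 9156) walks below the zone apex, with
    the "_" prefix quoted in the post: _.ag.gov, _.ars.ag.gov, ..., full name."""
    q = qname.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    if len(q) < len(z) or q[len(q) - len(z):] != z:
        raise ValueError("%s is not under %s" % (qname, zone))
    below = len(q) - len(z)
    ladder = ["_." + ".".join(q[len(q) - len(z) - k:]) for k in range(below)]
    ladder.append(".".join(q))
    return ladder


def classify(query, reply):
    """What the resolver sees for one query: TIMEOUT, NXDOMAIN, NOERROR, ..."""
    if reply is None:
        return "TIMEOUT"
    h = parse_header(reply)
    if not h["qr"] or h["id"] != parse_header(query)["id"]:
        return "MISMATCH"
    if h["tc"]:
        return "TRUNCATED"
    return h["rcode"]


def probe(server, qname, qtype, timeout=2.0):
    """Send one UDP query to `server` (IPv4 or IPv6 literal) and classify it."""
    query = build_query(qname, qtype, txid=random.randrange(1 << 16))
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(query, reply)


def check_zone(qname, zone, send, qtypes=("A", "NS")):
    """Run every ladder name through send(name, qtype) -> status. A compliant
    server answers NXDOMAIN or NOERROR on every row; TIMEOUT on the "_" rows
    with QTYPE=A is the ag.gov behaviour shown in the post."""
    return {(n, t): send(n, t) for n in minimised_names(qname, zone) for t in qtypes}


def fake_reply(query, rcode):
    """Constructed stand-in for a server: echo the question back as an
    authoritative answer with the given RCODE (no authority section)."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8400 | (flags & 0x0100) | rcode  # QR + AA, keep RD, set RCODE
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    # usage: python probe.py 199.141.126.206 nonono.ag.gov ag.gov
    server, qname, zone = sys.argv[1:4]
    results = check_zone(qname, zone, lambda n, t: probe(server, n, t))
    for (name, qtype), status in results.items():
        print("%-30s %-5s %s" % (name, qtype, status))
```

Run it against each listed nameserver of the zone, not just one: the post's output shows the same server timing out on both its IPv4 and IPv6 addresses, but a zone can also be broken on only some of its NS set, and a resolver that lands on the bad one sees the same failure.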
Re: [dns-operations] Testing of SVCB/HTTPS records
On 10 Apr 2024, at 12:47, Alarig Le Lay via dns-operations wrote:

> I don't know any tool either,

Neither do I.

I have a related question: does anyone know of plans among resolver developers to implement alias-chasing according to section 4.2 of RFC9460? In my domestic set-up, which includes BIND named, unbound, and kresd, I'm not seeing this available yet.

[More about ECH and curl below, in context ...]

> but curl plans to implement it:
> https://curl.se/dev/roadmap.html
>
> the next few years - perhaps
>
> Roadmap of things Daniel Stenberg wants to work on next. It is [...]
>
> HTTPS DNS records
>
> As a DNS version of alt-svc and also a pre-requisite for ECH
> (see below).
>
> See: https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-02
>
> ECH (Encrypted Client Hello - formerly known as ESNI)
>
> See Daniel's post on Support of Encrypted SNI on the mailing
> list.
>
> Initial work exists in PR 4011

This PR 4011 was a POC for ESNI (2019), before it became ECH, so it's been overtaken by events. It was part of the DEfO project (defo.ie), which is continuing.

By now, Stephen Farrell has developed ECH support in (his fork of) OpenSSL, and has implemented ECH support on a number of server codes. On the client side, he and I have added ECH support to libcurl, and partial HTTPS RR support into its DoH component.

Making ECH work, rather than checking all the structure of the HTTPS RDATA, has been our focus. As of yesterday (https://github.com/niallor/curl/tree/ECH-follow-alias-20240410) we have alias-following working, but only for the first AliasMode RR; limited iteration is on the TODO list.

I can't say how soon we'll succeed in having some of this work accepted upstream; we're at different stages of engagement with a number of developer teams.

/Niall
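Niall's note that the curl branch follows only the first AliasMode RR, with iteration still to do, is the part of alias-chasing where the interesting decisions live: an AliasMode chain is data the zone owner controls, so whoever follows it needs loop detection and a hop ceiling, and has to handle the special "." target and a chain that ends at a name with no HTTPS records. As an added example (not curl's, OpenSSL's or any resolver's code), the Python below parses HTTPS RRs in presentation form into a small in-memory zone and chases AliasMode (SvcPriority 0) records to the ServiceMode RRset at the end of the chain. The sample zone text is constructed, and the 8-hop ceiling is this example's own choice rather than a value taken from RFC 9460.

```python
# Added example: chase HTTPS/SVCB AliasMode chains. Not curl's or any
# resolver's code. SAMPLE_ZONE is constructed; the 8-hop cap is an assumption.
from collections import defaultdict

ALIAS_MODE = 0
LIST_PARAMS = {"alpn", "mandatory", "ipv4hint", "ipv6hint"}


class AliasChaseError(Exception):
    """Loop, over-long chain, or malformed AliasMode RRset."""


def norm(name):
    """Lower-case and strip the trailing dot; "." stays "." (it is special)."""
    name = name.lower()
    return name if name == "." else name.rstrip(".")


def parse_params(tokens):
    """key=value SvcParams; list-valued keys split on commas, bare keys -> True."""
    params = {}
    for tok in tokens:
        key, sep, value = tok.partition("=")
        params[key] = value.split(",") if key in LIST_PARAMS else (value if sep else True)
    return params


def parse_https_rr(line):
    """OWNER [TTL] [CLASS] HTTPS PRIORITY TARGET [SvcParams...] -> (owner, record)."""
    tokens = line.split()
    if "HTTPS" not in tokens:
        raise ValueError("not an HTTPS RR: %r" % line)
    i = tokens.index("HTTPS")
    record = {"priority": int(tokens[i + 1]),
              "target": norm(tokens[i + 2]),
              "params": parse_params(tokens[i + 3:])}
    if record["priority"] == ALIAS_MODE:
        record["params"] = {}  # RFC 9460: SvcParams on an AliasMode RR are ignored
    return norm(tokens[0]), record


def load_zone(text):
    """Zone snippet -> {owner: [records]}; blank lines and ';' comments skipped."""
    zone = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if line:
            owner, record = parse_https_rr(line)
            zone[owner].append(record)
    return dict(zone)


def chase_https(zone, name, max_hops=8):
    """Follow AliasMode records from `name`. Returns (chain, service_records):
    every owner visited in order, and the ServiceMode RRset at the end sorted
    by SvcPriority ([] if the chain ends in "." or at a name with no HTTPS RRs)."""
    name = norm(name)
    chain, seen = [name], {name}
    for _ in range(max_hops):
        rrset = zone.get(name, [])
        aliases = [r for r in rrset if r["priority"] == ALIAS_MODE]
        if not aliases:
            return chain, sorted(rrset, key=lambda r: r["priority"])
        if len(aliases) > 1:
            raise AliasChaseError("several AliasMode RRs at %s" % name)
        target = aliases[0]["target"]
        if target == ".":  # AliasMode target "." : the service does not exist
            return chain, []
        if target in seen:
            raise AliasChaseError("alias loop: %s -> %s" % (name, target))
        seen.add(target)
        chain.append(target)
        name = target
    raise AliasChaseError("more than %d AliasMode hops from %s" % (max_hops, chain[0]))


def endpoint(owner, record):
    """Host to connect to for a ServiceMode record ("." means the owner itself)."""
    return owner if record["target"] == "." else record["target"]


# Constructed sample zone: a two-hop alias chain, a service pool, a loop,
# and an explicit "service absent" alias.
SAMPLE_ZONE = load_zone("""
www.example.com.        3600 IN HTTPS 0 svc.example.net.
svc.example.net.        3600 IN HTTPS 0 pool.example-cdn.net.
pool.example-cdn.net.    300 IN HTTPS 1 . alpn=h2,h3 ipv4hint=192.0.2.1
pool.example-cdn.net.    300 IN HTTPS 2 backup.example-cdn.net. alpn=h2
loop-a.example.com.       60 IN HTTPS 0 loop-b.example.com.
loop-b.example.com.       60 IN HTTPS 0 loop-a.example.com.
gone.example.com.         60 IN HTTPS 0 .
""")

if __name__ == "__main__":
    for start in ("www.example.com", "gone.example.com", "loop-a.example.com"):
        try:
            chain, records = chase_https(SAMPLE_ZONE, start)
            print(" -> ".join(chain),
                  [(r["priority"], endpoint(chain[-1], r)) for r in records])
        except AliasChaseError as exc:
            print(start, "FAILED:", exc)
```

A real resolver or client does each hop as a fresh HTTPS lookup rather than a dict read, and an ECH client then uses the `ech` SvcParam of the chosen ServiceMode record, but the loop and hop bookkeeping are the same whichever side does the chasing.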