Re: [DNSOP] ENT and NXDOMAIN: the case of RFC 4035

[Stephane Bortzmeyer]

On Mon, Sep 26, 2016 at 09:31:32AM +0100,
 Ray Bellis  wrote 
 a message of 29 lines which said:

> Roy Arend's response was that the intent was that an ENT response
> requires the same NSEC records as an NXDOMAIN response, but not the same
> RCODE.

Sure, but the title of the section is very misleading.

I tried to write an errata to RFC 4035 but it is complicated because
it requires to find new terminology for the two cases named "No data"
and "Name error".

May be just adding in 3.1.3.2:

   This section only deals with NSEC records to return. Its title does
   not imply that the proper RCODE is
   always "Name error" (NXDOMAIN). For instance, in the case of an
   ENT, the correct RCODE is "No error".
   

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] ENT and NXDOMAIN: the case of RFC 4035

[Ray Bellis]

On 26/09/2016 08:49, Matthijs Mekking wrote:

>> My gut feeling is that RFC 4035 is wrong. But I prefer to ask first:
>> how do you read it?
> 
> I think you are right that 4035 is wrong. I think it meant to say
> something like:
> 
>   Name Error: The node  does not exist in the zone either
> exactly or via wildcard name expansion.
> 
> where existence is defined in the at time not yet existing RFC 4592
> Section 2.2.3.

This came up before.  See


Roy Arend's response was that the intent was that an ENT response
requires the same NSEC records as an NXDOMAIN response, but not the same
RCODE.

Ray

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] ENT and NXDOMAIN: the case of RFC 4035

[Matthijs Mekking]

Stephane,

On 25-09-16 10:14, Stephane Bortzmeyer wrote:
> [If you don't enjoy byzantine discussions, with a lot of
> chapter-and-verse mentions of RFCs, please skip the thread.]
> 
> I've been directed recently to RFC 4035 and there is a question I would
> like to ask about its handling of ENTs.
> 
> Section 3.1.3 says:
> 
>No Data: The zone contains RRsets that exactly match 
>   but does not contain any RRsets that exactly match    STYPE>.
> 
>Name Error: The zone does not contain any RRsets that match    SCLASS> either exactly or via wildcard name expansion.
> 
> The second item means that a "name error" (NXDOMAIN) is an appropriate
> response for an ENT. It seems to contradict all recent RFCs.
> 
> Section 3.1.3.2 mentions explicitely the ENT but just says to send
> NSEC records, and does not mandate a specific error code (except in
> its title, which is a bit ambiguous).
> 
> My gut feeling is that RFC 4035 is wrong. But I prefer to ask first:
> how do you read it?

I think you are right that 4035 is wrong. I think it meant to say
something like:

  Name Error: The node  does not exist in the zone either
exactly or via wildcard name expansion.

where existence is defined in the at time not yet existing RFC 4592
Section 2.2.3.

Best regards,
  Matthijs



> 
> ___
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
> 

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] ENT and NXDOMAIN: the case of RFC 4035

[Stephane Bortzmeyer]

[If you don't enjoy byzantine discussions, with a lot of
chapter-and-verse mentions of RFCs, please skip the thread.]

I've been directed recently to RFC 4035 and there is a question I would
like to ask about its handling of ENTs.

Section 3.1.3 says:

   No Data: The zone contains RRsets that exactly match 
  but does not contain any RRsets that exactly match .

   Name Error: The zone does not contain any RRsets that match  either exactly or via wildcard name expansion.

The second item means that a "name error" (NXDOMAIN) is an appropriate
response for an ENT. It seems to contradict all recent RFCs.

Section 3.1.3.2 mentions explicitely the ENT but just says to send
NSEC records, and does not mandate a specific error code (except in
its title, which is a bit ambiguous).

My gut feeling is that RFC 4035 is wrong. But I prefer to ask first:
how do you read it?

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop