[DNSOP] finding the closest delegation

2012-11-23 Thread Jim Reid 
On 23 Nov 2012, at 11:17, Tony Finch d...@dotat.at wrote:

 Just query for the SOA at the full RDNS name, and the name server will
 return the zone apex name and SOA record in the authority section of its
 reply (or possibly in the answer section though that's unlikely).
 
 http://tools.ietf.org/html/draft-andrews-dnsext-soa-discovery

We have been here before.

The ENUM name space has comparable properties to ip6.arpa: lots of labels, 
irregular delegation points and sparse population. Some ENUM applications and 
use cases had a need to find the closest encloser too. So a long time ago, I 
helped write up something similar for the ENUM WG -- 
http://tools.ietf.org/html/draft-ietf-enum-void-02 -- and was told I was a 
naughty boy. It was apparently a Very Bad Thing to treat data from the 
Authority Section as an answer from the DNS: resolving servers could do this, 
but nothing else apparently. I suspect Mark's draft may have been killed 
because of that too.

FWIW there were other religious issues which meant that ENUM draft ended up 
going nowhere.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] finding the closest delegation

2012-11-23 Thread Olafur Gudmundsson 

Just use DNSSEC, the RRSIG records tell you the apex of the zone :-)

Olafur


On 23/11/2012 06:42, Jim Reid wrote:

On 23 Nov 2012, at 11:17, Tony Finch d...@dotat.at wrote:


Just query for the SOA at the full RDNS name, and the name server will
return the zone apex name and SOA record in the authority section of its
reply (or possibly in the answer section though that's unlikely).

http://tools.ietf.org/html/draft-andrews-dnsext-soa-discovery


We have been here before.

The ENUM name space has comparable properties to ip6.arpa: lots of labels, 
irregular delegation points and sparse population. Some ENUM applications and 
use cases had a need to find the closest encloser too. So a long time ago, I helped write 
up something similar for the ENUM WG -- 
http://tools.ietf.org/html/draft-ietf-enum-void-02 -- and was told I was a naughty boy. 
It was apparently a Very Bad Thing to treat data from the Authority Section as an answer 
from the DNS: resolving servers could do this, but nothing else apparently. I suspect 
Mark's draft may have been killed because of that too.

FWIW there were other religious issues which meant that ENUM draft ended up 
going nowhere.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop



___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] finding the closest delegation

2012-11-23 Thread Paul Vixie 
On 2012-11-23 2:34 PM, Mark Andrews wrote:
 ...
 There is nothing wrong with using the SOA record from the -ve
 response.  Named has been doing it for about 15 years in nslookup.
 If it is not there it falls back to stripping a label at a time
 until it gets the SOA record.

indeed not. i think mark means nsupdate here. the history of this is, i
wrote for late model bind8 a function called res_findzonecut(), which
was part of integrating a contributed implementation of RFC 2136, which
i'd been the editor and main author of. the comments at the top of
lib/res/res_findzonecut.c are shown below. there's nothing untoward, or
spec-violating, or even spec-bending going on here.

/*
 * int
 * res_findzonecut(res, dname, class, zname, zsize, addrs, naddrs)
 *  find enclosing zone for a dname,class, and some server addresses
 * parameters:
 *  res - resolver context to work within (is modified)
 *  dname - domain name whose enclosing zone is desired
 *  class - class of dname (and its enclosing zone)
 *  zname - found zone name
 *  zsize - allocated size of zname
 *  addrs - found server addresses
 *  naddrs - max number of addrs
 * return values:
 *   0 - an error occurred (check errno)
 *  = 0 - zname is now valid, but addrs[] wasn't changed
 *   0 - zname is now valid, and return value is number of addrs[]
found
 * notes:
 *  this function calls res_nsend() which means it depends on correctly
 *  functioning recursive nameservers (usually defined in
/etc/resolv.conf
 *  or its local equivilent).
 *
 *  we start by asking for an SOAdname,class.  if we get one as an
 *  answer, that just means dname,class is a zone top, which is fine.
 *  more than likely we'll be told to go pound sand, in the form of a
 *  negative answer.
 *
 *  note that we are not prepared to deal with referrals since that
would
 *  only come from authority servers and our correctly functioning local
 *  recursive server would have followed the referral and got us
something
 *  more definite.
 *
 *  if the authority section contains an SOA, this SOA should also
be the
 *  closest enclosing zone, since any intermediary zone cuts
would've been
 *  returned as referrals and dealt with by our correctly
functioning local
 *  recursive name server.  but an SOA in the authority section
should NOT
 *  match our dname (since that would have been returned in the answer
 *  section).  an authority section SOA has to be above our dname.
 *
 *  however, since authority section SOA's were once optional, it's
 *  possible that we'll have to go hunting for the enclosing SOA by
 *  ripping labels off the front of our dname -- this is known as doing
 *  it the hard way.
 *
 *  ultimately we want some server addresses, which are ideally the ones
 *  pertaining to the SOA.MNAME, but only if there is a matching NS RR.
 *  so the second phase (after we find an SOA) is to go looking for the
 *  NS RRset for that SOA's zone.
 *
 *  no answer section processed by this code is allowed to contain CNAME
 *  or DNAME RR's.  for the SOA query this means we strip a label and
 *  keep going.  for the NS and A queries this means we just give up.
 */

paul
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop