Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-12-01 Thread Bob Bownes -Seiri
I’m all for addressing our past mistakes if we have consensus.

> On Dec 1, 2021, at 19:56, Paul Hoffman wrote:
>
> On Dec 1, 2021, at 4:02 PM, Warren Kumari wrote:
>> I think that enough time has now passed that we might be strong enough to
>> address this whole topic again and start

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-12-01 Thread George Michaelson
Two instances of 'if' there. Only one appears to me to be certain. (Now we can disagree about which one)

G

On Thu, 2 Dec 2021, 10:56 am Paul Hoffman, wrote:

> On Dec 1, 2021, at 4:02 PM, Warren Kumari wrote:
> > I think that enough time has now passed that we might be strong enough
> to

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-12-01 Thread Paul Hoffman
On Dec 1, 2021, at 4:02 PM, Warren Kumari wrote:
> I think that enough time has now passed that we might be strong enough to
> address this whole topic again and start fixing the identified issues as well
> as tackling the larger "what is a namespace, and how do multiple resolution
> systems

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-12-01 Thread Warren Kumari
draft-ietf-dnsop-onion-tld

On Tue, Nov 30, 2021 at 8:40 PM Mark Andrews wrote:

> Authoritative servers should take NO SPECIAL BEHAVIOUR for .onion.
>
> The default behaviour of an authoritative server is fine be it REFUSED,

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-12-01 Thread Paul Vixie
Ted Lemon wrote on 2021-12-01 13:06:

On Tue, Nov 30, 2021 at 8:10 PM Paul Vixie wrote:

i only use REFUSED if the same question from some other query source (by IP) or signed differently (with TSIG or SIG(0)) could possibly work. for

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-12-01 Thread Ted Lemon
On Tue, Nov 30, 2021 at 8:10 PM Paul Vixie wrote:

> i only use REFUSED if the same question from some other query source (by
> IP) or signed differently (with TSIG or SIG(0)) could possibly work. for
> out-of-authority requests, the server must fail to answer.

I have to confess that that

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-30 Thread Mark Andrews
Authoritative servers should take NO SPECIAL BEHAVIOUR for .onion.

The default behaviour of an authoritative server is fine be it REFUSED, NOTAUTH, NXDOMAIN (when they have a copy of the root zone) or a referral to the root. Recursive servers are a different kettle of fish.

Mark

> On 1 Dec

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-30 Thread Paul Vixie
Ted Lemon wrote on 2021-11-30 17:04:

I don’t see how any answer from an authoritative server other than REFUSED really makes sense for a domain for which that server is not authoritative. It hasn’t failed. It’s been asked a bogus question. It doesn’t make sense for it to theorize that it

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-30 Thread Ted Lemon
I don’t see how any answer from an authoritative server other than REFUSED really makes sense for a domain for which that server is not authoritative. It hasn’t failed. It’s been asked a bogus question. It doesn’t make sense for it to theorize that it might be misconfigured.

On Tue, Nov 30, 2021

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-30 Thread libor.peltan
Hi Paul, for any non-root server, an RD=0 question for example.onion should be answered with SERVFAIL. this is a condition signal, and the condition is "since i'm hearing this query, someone thinks i'm holding a delegation, and i'm not, so i might be lame for some zone, so the server (me,

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-30 Thread Robert Edmonds
Peter van Dijk wrote:
> I don't think we should be prescribing extra code paths in
> authoritative servers in this document, and I think non-authoritative
> NXDOMAINs would be very confusing. In particular, resolvers would not
> believe them anyway.
>
> That all said, I can certainly see that

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-30 Thread Paul Vixie
libor.peltan wrote on 2021-11-30 01:11:

... I suggest to remove any specific errcode (NXDOMAIN, REFUSED) mentions from such requirement. In the future, those errcodes and their names may be altered. I quite like the Peter's original proposal, though any wording can always be slightly

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-30 Thread libor.peltan
Hi John,

If a query for a special use name, whether it's foo.onion or 7.8.9.10.in-addr.arpa, leaks to an authoritative server, NXDOMAIN is the right answer.

not really. First of all, in-addr.arpa. zone is normal part of DNS tree and various authoritative (depends for which zone) servers

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-29 Thread John R. Levine
5. Authoritative DNS Servers: Authoritative servers MUST respond to queries for .onion with NXDOMAIN.

I think this text is correct. The whole point of .onion and other special use domain names is that they are resolved outside of the DNS. RFC 6761 says they should be caught at a

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-29 Thread Joe Abley
On 29 Nov 2021, at 14:56, Paul Hoffman wrote:

> On Nov 29, 2021, at 11:48 AM, Joe Abley wrote:
>> The idea of modifying the protocol to accommodate namespaces outside the DNS
>> is causing me to throw up in my mouth a bit, to be honest. Perhaps the DNS
>> could just concentrate on being the

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-29 Thread Paul Hoffman
On Nov 29, 2021, at 11:48 AM, Joe Abley wrote:
> The idea of modifying the protocol to accommodate namespaces outside the DNS
> is causing me to throw up in my mouth a bit, to be honest. Perhaps the DNS
> could just concentrate on being the DNS and other namespaces can fight their
> own

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-29 Thread Paul Wouters
On Mon, 29 Nov 2021, Peter van Dijk wrote:

The corrected text does not describe what to return though. I guess the text implies REFUSED, but perhaps the WG reasoned this was not good as it would lead to more queries to other servers or instances of the authoritative server set?

Yes, it

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-29 Thread Joe Abley
Hi Peter,

On 29 Nov 2021, at 14:25, Peter van Dijk wrote:

> On Mon, 2021-11-29 at 14:16 -0500, Paul Wouters wrote:
>> On Mon, 29 Nov 2021, RFC Errata System wrote:
>>
>>> Original Text
>>> -
>>> 5. Authoritative DNS Servers: Authoritative servers MUST respond to
>>> queries

Re: [DNSOP] [EXT] Re: [Technical Errata Reported] RFC7686 (6761)

2021-11-29 Thread Peter van Dijk
On Mon, 2021-11-29 at 14:16 -0500, Paul Wouters wrote:
> On Mon, 29 Nov 2021, RFC Errata System wrote:
>
> > Original Text
> > -
> > 5. Authoritative DNS Servers: Authoritative servers MUST respond to
> > queries for .onion with NXDOMAIN.
> > Corrected Text
> > --