On Sun, Dec 27, 2015 at 10:31 PM, Paul Wouters <p...@nohats.ca> wrote:
> On Sun, 28 Dec 2015, John Levine wrote:
>
>>> Being listed as nameserver while unconditionally refusing all NS queries
>>> leads to a guaranteed failure with DNSSEC as there would not be a signed
>>> NS RRset published anywhere.
>>
>> Yes, we agree it could have bad results.
>>
>>> The NS RR states that the named host should be expected to have a zone
>>> starting at owner name of the specified class.
>>>
>>> I would interpret that to mean that a parental NS glue record signifies
>>> that the RDATA target must point to something that has that zone at the
>>> owner name. Thus the NS queries at that target should return proper
>>> results for NS queries (to itself)
>>
>> Unless, of course, the target doesn't like you and refuses your
>> queries for policy reasons.
>
> Note that I said "unconditionally refusing all NS queries". Conditionally
> refusing queries based on query source behaviour is off-topic.
>
> The section in question of the draft under discussion talks about the
> specific case where a load balancer is returning REFUSED because it
> did not implement NS queries, and that such behaviour is a violation
> of the RFC. Not implementing NS queries on an authoritative nameserver
> results in a DNS implementation that indeed violates the RFC. The question
> was, which part of which RFC is the best reference to point to.

I certainly agree that unconditionally refusing NS queries is a bad idea.
Whether or not it is explicitly forbidden by current DNS protocol specs,
I'm not so certain about. I'd love to be corrected if anyone can point to
explicit text.

The statement Paul excerpts from RFC 1035 does not, to my mind, preclude
REFUSED responses to explicit NS queries; it merely states what is expected
of the named host in terms of the zone that it serves. Resolvers normally
obtain NS records not by explicit queries, but indirectly as part of data
included in referral responses.

Even with DNSSEC, I think a validating resolver could function properly
without ever needing to issue explicit NS queries (with the exception of
priming queries, which are directed at only the root servers). Query-name
minimization (with query type hiding) obviously changes this requirement.

-- 
Shumon Huque
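The situation the thread describes (an authoritative server or load balancer answering an explicit NS query for its own zone with REFUSED, or with an empty NS RRset) can be checked from the wire format alone. The following stand-alone Python script is an added illustration and is not part of this thread or of the draft; it builds an RFC 1035 NS query with the standard library only and classifies the reply header, and the sample replies at the bottom are constructed, not captured from any real server.

```python
import socket
import struct

# Wire-format constants from RFC 1035.
QTYPE_NS, QCLASS_IN = 2, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted owner name as length-prefixed labels (RFC 1035, 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ns_query(zone, txid=0x1234):
    """Non-recursive (RD=0) NS query, as a resolver would send to an authoritative server."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_NS, QCLASS_IN)

def response_rcode(msg):
    """Return (rcode, rcode name, ANCOUNT) parsed from a DNS reply header."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return rcode, RCODE_NAMES.get(rcode, str(rcode)), an

def classify(msg):
    """Classify an authoritative server's reply to an NS query for its own zone."""
    rcode, name, an = response_rcode(msg)
    if rcode == 5:
        return "violation: REFUSED on NS query"   # the load-balancer case in the thread
    if rcode == 0 and an == 0:
        return "suspicious: NOERROR but empty NS RRset"
    if rcode == 0:
        return "ok"
    return "other: " + name

def check_nameserver(server_ip, zone, timeout=3.0):
    """Send the query over UDP/53 to a server you operate (network; not used offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_ns_query(zone), (server_ip, 53))
        return classify(s.recv(4096))

def make_reply(query, rcode, ancount=0):
    """Constructed test reply: echo the question with QR=1, AA=1 and the given RCODE.
    Only the header is filled in, which is all classify() inspects."""
    flags = struct.pack("!H", 0x8400 | rcode)
    return query[:2] + flags + struct.pack("!HHHH", 1, ancount, 0, 0) + query[12:]

if __name__ == "__main__":
    q = build_ns_query("example.test")          # constructed zone name
    print(classify(make_reply(q, 5)))           # violation: REFUSED on NS query
    print(classify(make_reply(q, 0, ancount=2)))  # ok
```

Run `check_nameserver("<your-server-ip>", "<your-zone>")` against each host listed in your own delegation to find servers that would fail the signed-NS-RRset requirement discussed above.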
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop