> On Nov 4, 2019, at 3:32 PM, internet-dra...@ietf.org wrote:
> 
> https://www.ietf.org/rfcdiff?url2=draft-ietf-dnsop-no-response-issue-14

Two comments:

-----------

Section 3.1.2 discusses non-response to unexpected qtypes, but there
is a closely related case that I think warrants a mention.  For example,
the nameservers for mail.protection.outlook.com (which don't support
EDNS, returning FORMERR, hence "+noedns") mishandle TLSA and other
unexpected queries:

 i. A TLSA (unexpected qtype) query elicits an incorrect "NOTIMP" response:

  $ dig +norecur +noedns -t tlsa _25._tcp.mail.protection.outlook.com @ns1-proddns.glbdns.o365filtering.com.
  ;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 5167
  ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;_25._tcp.mail.protection.outlook.com. IN TLSA

 ii. An "A" query for the same qname correctly returns "NXDOMAIN":

  $ dig +norecur +noedns -t a _25._tcp.mail.protection.outlook.com @ns1-proddns.glbdns.o365filtering.com.
  ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23790
  ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;_25._tcp.mail.protection.outlook.com. IN A

This demonstrates misuse of "NOTIMP" to signal an unknown qtype,
where a simple NODATA or NXDOMAIN suffices. The NOTIMP rcode is only
appropriate for unsupported opcodes as explained in section 3.1.4.
While I got a response, it is a "bad" response, not substantively
better than no response at all.

So I'd like to see text that makes it clear that unexpected qtypes
MUST return the same RCODE as would be returned if the qtype were
some expected value, for which no RRset is present in the zone at
the requested qname.  If the zone is signed, and the EDNS "DO" bit
is set in the request, any (untruncated) NODATA or NXDOMAIN response
MUST of course include the requisite denial of existence proof.

-----------

In section 8.2.3, the correction from:

  OLD: Any unassigned EDNS option code could have be choose for this test.

to

  NEW: Any unassigned EDNS option code could have been choose for this test.

was incomplete; it also needed s/choose/chosen/, to match an identical
sentence in 8.2.6.

-- 
        Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
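The consistency rule argued for above (an unexpected qtype must get the same RCODE as a known qtype with no RRset at that name, and NOTIMP is reserved for unsupported opcodes) can be turned into a small operator-side check. The following Python is an added example, not part of Viktor's message or of the draft: it parses the header and question section of two dig transcripts for the same qname, one with an unexpected qtype and one with a baseline qtype such as A, and reports where the unexpected-qtype answer deviates. The two Outlook transcripts are copied from the message; the third pair (for `example.com.`, NODATA case) is constructed, and all helper names are assumptions.

```python
"""Compare an authoritative server's answer for an unexpected qtype with
its answer for a baseline qtype at the same qname (added example)."""
import re
from dataclasses import dataclass

# Regexes for the parts of a dig transcript the check needs.
HEADER_RE = re.compile(
    r";; ->>HEADER<<- opcode: (?P<opcode>\w+), status: (?P<status>\w+), id: (?P<id>\d+)"
)
FLAGS_RE = re.compile(r";; flags: (?P<flags>[^;]*);.*ANSWER: (?P<ancount>\d+)")
QUESTION_RE = re.compile(r"^\s*;(?P<qname>\S+)\s+IN\s+(?P<qtype>\S+)\s*$", re.M)


@dataclass(frozen=True)
class DigSummary:
    qname: str
    qtype: str
    status: str
    flags: tuple
    ancount: int


def parse_dig(text: str) -> DigSummary:
    """Extract qname, qtype, RCODE, header flags and answer count from dig output."""
    h, f, q = HEADER_RE.search(text), FLAGS_RE.search(text), QUESTION_RE.search(text)
    if not (h and f and q):
        raise ValueError("not a dig HEADER/QUESTION transcript")
    return DigSummary(q["qname"], q["qtype"], h["status"],
                      tuple(f["flags"].split()), int(f["ancount"]))


def assess(unexpected: DigSummary, baseline: DigSummary) -> list:
    """Return findings for the unexpected-qtype response; empty means consistent.

    The baseline answer tells us whether the qname exists (NOERROR) or not
    (NXDOMAIN); the unexpected qtype must carry the same RCODE, be
    authoritative if the baseline was, and carry no answer records."""
    if unexpected.qname != baseline.qname:
        raise ValueError("both transcripts must query the same qname")
    findings = []
    if unexpected.status == "NOTIMP":
        findings.append("NOTIMP used for an unexpected qtype; NOTIMP is only for unsupported opcodes")
    if unexpected.status != baseline.status:
        findings.append(f"RCODE {unexpected.status} for {unexpected.qtype} differs from "
                        f"{baseline.status} for {baseline.qtype}")
    if "aa" in baseline.flags and "aa" not in unexpected.flags:
        findings.append("AA flag missing on the unexpected-qtype response")
    if unexpected.status == "NOERROR" and unexpected.ancount != 0:
        findings.append("expected an empty (NODATA) answer section")
    return findings


# Transcripts quoted in the message (servers for mail.protection.outlook.com).
TLSA_OUTLOOK = """
;; ->>HEADER<<- opcode: QUERY, status: NOTIMP, id: 5167
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_25._tcp.mail.protection.outlook.com. IN TLSA
"""
A_OUTLOOK = """
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23790
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_25._tcp.mail.protection.outlook.com. IN A
"""
# Constructed transcripts for a name that exists: correct NODATA behaviour.
TLSA_OK = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com. IN TLSA
"""
A_OK = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com. IN A
"""


def check_outlook() -> list:
    return assess(parse_dig(TLSA_OUTLOOK), parse_dig(A_OUTLOOK))


def check_ok() -> list:
    return assess(parse_dig(TLSA_OK), parse_dig(A_OK))


if __name__ == "__main__":
    for label, findings in (("outlook", check_outlook()), ("example.com", check_ok())):
        print(label, "->", findings or "consistent")
```

Run against the quoted transcripts it reports the NOTIMP misuse, the RCODE mismatch against the A query's NXDOMAIN, and the missing AA flag; against the constructed NODATA pair it reports nothing. Feeding it live `dig` output requires only that the header, flags and question lines are present.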
