Hi Peter,
On 29 Nov 2021, at 14:25, Peter van Dijk <peter.van.d...@powerdns.com> wrote:
> On Mon, 2021-11-29 at 14:16 -0500, Paul Wouters wrote:
>> On Mon, 29 Nov 2021, RFC Errata System wrote:
>>
>>> Original Text
>>> -------------
>>> 5. Authoritative DNS Servers: Authoritative servers MUST respond to
>>> queries for .onion with NXDOMAIN.
>>> Corrected Text
>>> --------------
>>> 5. Authoritative DNS Servers: Authoritative servers MUST respond
>>> non-authoritatively to queries for names in .onion.
>>> The original text for 5 and 6 is conflicting. A name server cannot respond
>>> with NXDOMAIN (which is an authoritative answer) without having a zone
>>> configured to serve that NXDOMAIN from. Clearly the intent of the text is
>>> that clients will not find authoritative answers to .onion queries anywhere
>>> in the DNS.
>>
>> The corrected text does not describe what to return though. I guess the
>> text implies REFUSED, but perhaps the WG reasoned this was not good as
>> it would lead to more queries to other servers or instances of the
>> authoritative server set?
>
> Yes, it implies REFUSED. I was unsure REFUSED was standardised, or
> whether it is still a convention that almost all auths happen to
> follow. REFUSED would indeed lead to resolvers trying other auths
> (although that seems a bit theoretical - where did the resolver even
> come up with the idea to ask a bunch of auths about .onion names?).
>
> I also now realise that the root servers do not honour my new text, and
> their behaviour -is- correct, so perhaps:
>
> 5. Authoritative DNS Servers: Authoritative servers (other than the
> root servers) MUST respond non-authoritatively to queries for names in
> .onion.
Yes, the root servers respond with an authoritative name error for QNAMEs under
.ONION. For them to do otherwise would arguably break the commitment they have
made many times to serve precisely the root zone provided to them by the IANA.

I do see the problem that the proposed erratum is trying to address. However, I
don't see much difference between clients of a resolver receiving a
non-authoritative name error (e.g. a negative response from a root server that
has been cached) vs. an authoritative name error (e.g. a negative response from
a resolver that has been configured to answer in such a fashion). And I don't
really see the point in any RFC suggesting that they can MUST operators into
acting in any particular way, regardless of whether the servers they administer
are acting as recursive or authoritative.

The idea of modifying the protocol to accommodate namespaces outside the DNS is
causing me to throw up in my mouth a bit, to be honest. Perhaps the DNS could
just concentrate on being the DNS and other namespaces can fight their own
battles?
Joe
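The three kinds of answer the thread contrasts (an authoritative name error as the root servers give, the same negative answer replayed non-authoritatively from a resolver's cache, and REFUSED from an authoritative server with no zone to answer from) are told apart by the AA bit and RCODE in the DNS header. The following is an added illustration, not code from the thread or from any of the implementations mentioned; the headers and transaction IDs are constructed samples and carry no question or authority sections.

```python
import struct

# DNS header flag layout (RFC 1035, section 4.1.1)
QR_BIT = 0x8000      # 1 = response, 0 = query
AA_BIT = 0x0400      # Authoritative Answer
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def build_response_header(txid, aa, rcode, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Construct the 12-byte header of a DNS response with the given AA bit and RCODE.
    Helper for the constructed samples below; a real message would carry sections too."""
    flags = QR_BIT | (AA_BIT if aa else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def classify_response(msg):
    """Name the kind of answer a client sees, judged only by the AA bit and RCODE."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR_BIT:
        raise ValueError("not a response")
    aa = bool(flags & AA_BIT)
    rcode = flags & RCODE_MASK
    if rcode == RCODE_REFUSED:
        return "refused"          # typical for an auth with no zone covering the name
    if rcode == RCODE_NXDOMAIN:
        return "authoritative name error" if aa else "non-authoritative name error"
    if rcode == RCODE_NOERROR:
        return "no error"
    return "rcode %d" % rcode


# Constructed samples for a query such as "example.onion. IN A"
ROOT_SERVER_REPLY = build_response_header(0x1234, aa=True, rcode=RCODE_NXDOMAIN, nscount=1)
RESOLVER_CACHED_REPLY = build_response_header(0x1235, aa=False, rcode=RCODE_NXDOMAIN, nscount=1)
AUTH_NO_ZONE_REPLY = build_response_header(0x1236, aa=False, rcode=RCODE_REFUSED)

if __name__ == "__main__":
    for label, reply in [("root server", ROOT_SERVER_REPLY),
                         ("resolver cache", RESOLVER_CACHED_REPLY),
                         ("auth without zone", AUTH_NO_ZONE_REPLY)]:
        print(label, "->", classify_response(reply))
```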
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop