Re: [DNSOP] [Technical Errata Reported] RFC7686 (6761)
It appears that Peter van Dijk said:
>> Corrected Text
>> --
>> 5. Authoritative DNS Servers: Authoritative servers SHOULD NOT
>> recognize .onion names as special and MUST NOT treat queries for
>> .onion names differently from other queries. By default,
>> authoritative servers MUST NOT respond authoritatively to
>> queries for .onion names.
>
> I like this even more.
>
>> The "By default" qualifier covers the case of a non-default
>> configuration (such as being configured to serve the root zone) where an
>> authoritative server would need to respond authoritatively for .onion
>> names.

It also allows wiggle room for kludges that special-case .onion names and set up proxies that respond on localhost addresses and synthesize an A record to point to the proxy address. (Did I say kludge?)

R's,
John

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] [Technical Errata Reported] RFC7686 (6761)
Hello Robert,

On Tue, 2021-11-30 at 11:51 -0500, Robert Edmonds wrote:
> If the goal is to avoid mandating extra code paths in typical
> authoritative servers

To me, this indeed is the goal.

> , I would suggest something like the following
> which narrowly answers only the questions asked in 6761 ("Are developers
> of authoritative domain name servers expected to make their
> implementations recognize these names as special and treat them
> differently? If so, how?"):
>
> Original Text
> -
> 5. Authoritative DNS Servers: Authoritative servers MUST respond to
> queries for .onion with NXDOMAIN.
>
> Corrected Text
> --
> 5. Authoritative DNS Servers: Authoritative servers SHOULD NOT
> recognize .onion names as special and MUST NOT treat queries for
> .onion names differently from other queries.

I like this.

> Splitting the "recognize ... treat" conjunction between "SHOULD NOT"
> and "MUST NOT" would, for instance, allow an authoritative server to
> log a warning message if an operator intentionally configured an
> "onion." zone in the server.
>
> A slight expansion of the text might read:
>
> Corrected Text
> --
> 5. Authoritative DNS Servers: Authoritative servers SHOULD NOT
> recognize .onion names as special and MUST NOT treat queries for
> .onion names differently from other queries. By default,
> authoritative servers MUST NOT respond authoritatively to
> queries for .onion names.

I like this even more.

> The "By default" qualifier covers the case of a non-default
> configuration (such as being configured to serve the root zone) where an
> authoritative server would need to respond authoritatively for .onion
> names.

Perfect.

Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
Re: [DNSOP] [Technical Errata Reported] RFC7686 (6761)
On Mon, 29 Nov 2021, RFC Errata System wrote:

> Original Text
> -
> 5. Authoritative DNS Servers: Authoritative servers MUST respond to
> queries for .onion with NXDOMAIN.
>
> Corrected Text
> --
> 5. Authoritative DNS Servers: Authoritative servers MUST respond
> non-authoritatively to queries for names in .onion.
>
> The original text for 5 and 6 is conflicting. A name server cannot
> respond with NXDOMAIN (which is an authoritative answer) without having
> a zone configured to serve that NXDOMAIN from. Clearly the intent of the
> text is that clients will not find authoritative answers to .onion
> queries anywhere in the DNS.

The corrected text does not describe what to return though. I guess the text implies REFUSED, but perhaps the WG reasoned this was not good as it would lead to more queries to other servers or instances of the authoritative server set?

So I agree the Original text has an issue. I haven't been convinced yet the suggested solution is the right one. After all, we are talking about "special domains", so perhaps it does warrant an NXDOMAIN despite that normally being used only within an authoritative context.

Paul
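An added illustration, not part of any message in this thread, of the point made in Paul's post above (NXDOMAIN is an authoritative answer and needs an enclosing zone) and of the "By default" qualifier in Robert Edmonds' proposed text quoted by Peter van Dijk: a small Python model of how a plain authoritative server picks its response code and AA bit. The zone configurations, names and function names are my own constructed assumptions; delegations and referrals are not modelled.

```python
# Added example (not from the thread): minimal model of an authoritative
# server's rcode/AA decision. Zone data and names below are constructed.

REFUSED, NXDOMAIN, NOERROR = "REFUSED", "NXDOMAIN", "NOERROR"


def _labels(name):
    # "www.example.org." -> ["org", "example", "www"]; the root "." -> []
    return [l for l in name.lower().rstrip(".").split(".") if l][::-1]


def closest_zone(zones, qname):
    """Longest configured zone apex that encloses qname, or None."""
    q = _labels(qname)
    best = None
    for apex in zones:
        a = _labels(apex)
        if q[:len(a)] == a and (best is None or len(a) > len(_labels(best))):
            best = apex
    return best


def answer(zones, qname):
    """Return (rcode, aa_bit) the way a plain authoritative server would.

    zones: {apex: set of owner names present in that zone}, absolute names.
    No enclosing zone  -> REFUSED with AA clear: a non-authoritative answer,
                          the server has no zone to say NXDOMAIN from.
    Enclosing zone     -> AA set; NXDOMAIN if the name is absent from it.
    """
    apex = closest_zone(zones, qname)
    if apex is None:
        return REFUSED, False
    name = qname.lower().rstrip(".") + "."
    exists = name == apex or name in zones[apex]
    return (NOERROR if exists else NXDOMAIN), True


# Constructed configurations: a typical server serving one zone, and a
# server that has been configured to serve the root zone (the non-default
# case the "By default" qualifier is meant to cover).
TYPICAL = {"example.org.": {"example.org.", "www.example.org."}}
ROOT_SERVER = {".": {".", "org.", "example."}}

if __name__ == "__main__":
    print(answer(TYPICAL, "abcdefghijklmnop.onion."))      # ('REFUSED', False)
    print(answer(ROOT_SERVER, "abcdefghijklmnop.onion."))  # ('NXDOMAIN', True)
```

The first configuration can only answer .onion non-authoritatively; the second necessarily answers NXDOMAIN with AA set, which is why the proposed text says "By default" rather than an unconditional MUST NOT.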
[DNSOP] [Technical Errata Reported] RFC7686 (6761)
The following errata report has been submitted for RFC7686,
"The ".onion" Special-Use Domain Name".

--
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6761

--
Type: Technical
Reported by: Peter van Dijk

Section: 2

Original Text
-
5. Authoritative DNS Servers: Authoritative servers MUST respond to
queries for .onion with NXDOMAIN.

6. DNS Server Operators: Operators MUST NOT configure an authoritative
DNS server to answer queries for .onion. If they do so, client software
is likely to ignore any results (see above).

Corrected Text
--
5. Authoritative DNS Servers: Authoritative servers MUST respond
non-authoritatively to queries for names in .onion.

6. DNS Server Operators: Operators MUST NOT configure an authoritative
DNS server to answer authoritatively to queries for names in .onion. If
they do so, client software is likely to ignore any results (see above).

Notes
-
The original text for 5 and 6 is conflicting. A name server cannot
respond with NXDOMAIN (which is an authoritative answer) without having
a zone configured to serve that NXDOMAIN from. Clearly the intent of the
text is that clients will not find authoritative answers to .onion
queries anywhere in the DNS.

Instructions:
-
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or rejected.
When a decision is reached, the verifying party can log in to change
the status and edit the report, if necessary.

--
RFC7686 (draft-ietf-dnsop-onion-tld-01)
--
Title : The ".onion" Special-Use Domain Name
Publication Date: October 2015
Author(s) : J. Appelbaum, A. Muffett
Category: PROPOSED STANDARD
Source : Domain Name System Operations
Area: Operations and Management
Stream : IETF
Verifying Party : IESG