Re: [DNSOP] comments on DNS terminology draft
In message alpine.lsu.2.00.1504012227030.13...@hermes-1.csi.cam.ac.uk, Tony Finch writes:
> Paul Vixie p...@redbarn.org wrote:
> > John Levine wrote:
> > > A very short survey reveals that unbound and 8.8.8.8 return SOA, bind doesn't. So it's not all the time, but it's pretty common.
> >
> > in BIND it's an option.
>
> It is? I can't work out how to make it produce a negative response without a SOA. minimal-responses doesn't do it.

I suspect that the tested name had a bad soa record from the authoritative servers. Named is much more picky about soa records it receives than most nameservers.

> Tony.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] comments on DNS terminology draft
On Apr 1, 2015, at 11:24 AM, Evan Hunt e...@isc.org wrote:
> > > Should we also mention that NODATA responses usually include a SOA record in the authority section to indicate to resolvers how long to do negative caching for?
> >
> > That does not seem to be established firmly enough for us to add.
>
> It's necessary for negative caching, so I believe it's required for authoritative responses (RFC 2308 section 3), but optional for recursive.

Good point, I was only thinking of recursive answers, and I don't think I see SOAs there all the time. We can add that NODATA responses for authoritative responses include the SOA.

> Might also add that DNSSEC-signed zones will include a signed NSEC/NSEC3 to prove the nonexistence of the qtype.

Adding the nonexistence stuff for all the types of responses will make this document harder to read...

--Paul Hoffman
Re: [DNSOP] comments on DNS terminology draft
Sorry for the belated reply.

On Mar 24, 2015, at 1:03 PM, Shumon Huque shu...@gmail.com wrote:
> Some comments on draft-hoffman-dns-terminology
>
> > NODATA -- This is not an actual response code, but instead is the combination of an RCODE of 0 (NOERROR) and an Answer section that is empty. That is, it indicates that the response is no answer, but that there was not supposed to be one. Section 1 of [RFC2308] defines it as a pseudo RCODE which indicates that the name is valid, for the given class, but are no records of the given type.
>
> I don't think this definition is precise enough. Under this stated definition, referral responses from authority servers qualify to be called NODATA responses, because they also have a combination of RCODE 0 and an empty answer section. Referrals can be excluded from this definition by adding the constraint that NODATA responses from authority servers have the AA bit set.
>
> I'd also recommend starting the definition with a clear statement of what it means first, followed by how it is represented in terms of packet attributes. The current definition is in the reverse order which is more difficult to read (at least for me). Here's my suggested rewrite:
>
> NODATA -- This is not an actual response code, but is a particular type of response from a server that indicates that the queried domain name exists for the given class, but the resource record type being queried for doesn't exist. They are a combination of an RCODE of 0 (NOERROR) and an Answer section that is empty. In addition, NODATA responses from authoritative servers have the authoritative answer (AA bit) set to one. Section 1 of [RFC2308] defines it as a pseudo RCODE which indicates that the name is valid, for the given class, but are no records of the given type.

This seems good.

> Should we also mention that NODATA responses usually include a SOA record in the authority section to indicate to resolvers how long to do negative caching for?

That does not seem to be established firmly enough for us to add.

> > 5. Resource Records
> >
> > RR -- A short form for resource record. (RFC 1034, section 3.6.)
> >
> > RRset -- A set of resource records with the same label, class and type, but with different data. (Definition from RFC 2181) Also spelled RRSet in some documents. As a clarification, same label in this definition means same owner name.
>
> I think the 'same TTL' constraint is important enough to restate specifically as part of this definition. I suggest adding: In addition, RFC 2181 states that the TTLs of all RRs in an RRSet must be the same.

Excellent, yes.

> > SOA field names -- DNS documents, including the definitions here, often refer to the fields in the RDATA an SOA resource record by field name. Those fields are defined in Section 3.3.13 of RFC 1035. The names (in the order they appear in the SOA RDATA) are MNAME, RNAME, SERIAL, REFRESH, RETRY, and EXPIRE, MINIMUM. Note that the meaning of MINIMUM field is updated in Section 4 of RFC 2308; the new definition is that the MINIMUM field is only the TTL to be used for negative responses.
>
> Negative responses is used here without a clear definition anywhere earlier (or later) in the document. I think that definition needs to be added. Is it only NXDOMAIN and NODATA responses? Or does it also include failure responses (SERVFAIL, NOTIMP, or any of the extended response codes)?

RFC 2308 has pages defining negative responses. Instead of trying to reproduce that, we should just point to it. We can add this as a new definition in the preceding section.

> The Negative Caching definition provided later in the document, quoting RFC 2308 (The storage of knowledge that something does not exist, cannot give an answer, or does not give an answer) seems to imply that negative responses include SERVFAIL, NOTIMP, etc.
>
> > 6. DNS Servers
>
> DNS Servers and Clients - immediately below we state that the section talks about both.
>
> > This section defines the terms used for the systems that act as DNS clients, DNS servers, or both. Some terms about servers describe servers that do and do not use DNSSEC; see Section 8 for those definitions.
> >
> > [[ There is a request to first describe the iterative and recursive resolution processes, and mention the expected values of the RD,RA,AA bits. Then you can describe the distinctions between recursive and iterative clients, and between recursive and authoritative servers, in terms of the roles they play in the different resolution processes. This would require the section to be quite different than the other sections in the document. ]]
>
> That is one approach. I agree this section probably needs a significant rewrite for clarity and precision. I find the current definitions of the family
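As an added illustration of two points raised in the exchange above (not part of the draft or of any poster's mail): the distinction between a NODATA response and a referral, which Shumon argues needs the AA bit and the Authority section to decide, and the negative-caching TTL that a SOA in the Authority section carries. The Response/RR model and all sample responses are constructed for the example rather than parsed from the wire; the TTL rule (minimum of the SOA's own TTL and its MINIMUM field) is the one in RFC 2308 section 5. The small is_rrset helper checks the RFC 2181 RRset constraint the thread asks the draft to restate (same owner name, class and type, and equal TTLs).

```python
"""Classify DNS responses and derive the negative-caching TTL.

Example code for the DNSOP terminology thread; not from the draft or
any poster.  The Response/RR model and all sample responses below are
constructed for illustration (not DNS wire format).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NOERROR, SERVFAIL, NXDOMAIN = 0, 2, 3


@dataclass
class RR:
    name: str            # owner name
    rtype: str           # "SOA", "NS", "A", ...
    ttl: int
    rdata: Tuple = ()    # for SOA: RFC 1035 section 3.3.13 order
                         # (MNAME, RNAME, SERIAL, REFRESH, RETRY, EXPIRE, MINIMUM)
    rclass: str = "IN"


@dataclass
class Response:
    qname: str
    qtype: str
    rcode: int
    aa: bool                      # Authoritative Answer header bit
    answer: List[RR] = field(default_factory=list)
    authority: List[RR] = field(default_factory=list)


def classify(r: Response) -> str:
    """Name the response type using the NODATA definition proposed in the thread."""
    if r.rcode == NXDOMAIN:
        return "NXDOMAIN"
    if r.rcode != NOERROR:
        return "ERROR"            # SERVFAIL, NOTIMP, REFUSED, ...
    if r.answer:
        return "ANSWER"
    # RCODE 0 and an empty Answer section fits both NODATA and a referral.
    # A referral from an authority server has AA clear and NS records in
    # the Authority section; NODATA from an authority server has AA set.
    if not r.aa and any(rr.rtype == "NS" for rr in r.authority):
        return "REFERRAL"
    return "NODATA"


def negative_cache_ttl(r: Response) -> Optional[int]:
    """Seconds a resolver may cache the negative answer (RFC 2308 section 5):
    min(TTL of the SOA in the Authority section, its MINIMUM field).
    None when no SOA was supplied, which a recursive server may do."""
    if classify(r) not in ("NODATA", "NXDOMAIN"):
        return None
    for rr in r.authority:
        if rr.rtype == "SOA":
            minimum = rr.rdata[6]
            return min(rr.ttl, minimum)
    return None


def is_rrset(rrs: List[RR]) -> bool:
    """RFC 2181: an RRset shares owner name, class and type, and all TTLs are equal."""
    if not rrs:
        return False
    first = rrs[0]
    return all(
        (rr.name.lower(), rr.rclass, rr.rtype, rr.ttl)
        == (first.name.lower(), first.rclass, first.rtype, first.ttl)
        for rr in rrs
    )


# --- constructed sample responses for a hypothetical zone "example." ---
SOA_RDATA = ("ns1.example.", "hostmaster.example.", 2015040101,
             7200, 900, 1209600, 300)          # MINIMUM = 300

AUTH_NODATA = Response("www.example.", "AAAA", NOERROR, aa=True,
                       authority=[RR("example.", "SOA", 3600, SOA_RDATA)])
REFERRAL = Response("www.example.", "AAAA", NOERROR, aa=False,
                    authority=[RR("example.", "NS", 172800, ("ns1.example.",))])
RECURSIVE_NODATA_NO_SOA = Response("www.example.", "AAAA", NOERROR, aa=False)
RECURSIVE_NODATA_SOA = Response("www.example.", "AAAA", NOERROR, aa=False,
                                authority=[RR("example.", "SOA", 120, SOA_RDATA)])
NXD = Response("nope.example.", "A", NXDOMAIN, aa=True,
               authority=[RR("example.", "SOA", 3600, SOA_RDATA)])

if __name__ == "__main__":
    for label, resp in [("auth NODATA", AUTH_NODATA), ("referral", REFERRAL),
                        ("recursive NODATA, no SOA", RECURSIVE_NODATA_NO_SOA),
                        ("recursive NODATA, SOA", RECURSIVE_NODATA_SOA),
                        ("NXDOMAIN", NXD)]:
        print(f"{label:26} -> {classify(resp):9} neg-cache TTL {negative_cache_ttl(resp)}")
```

The recursive-without-SOA sample is the case the later messages argue about: it still classifies as NODATA, but a downstream cache gets no negative TTL from it, which is why the SOA in the Authority section is useful even when the protocol does not require it from a recursive server.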
Re: [DNSOP] comments on DNS terminology draft
> > Should we also mention that NODATA responses usually include a SOA record in the authority section to indicate to resolvers how long to do negative caching for?
>
> That does not seem to be established firmly enough for us to add.

It's necessary for negative caching, so I believe it's required for authoritative responses (RFC 2308 section 3), but optional for recursive.

Might also add that DNSSEC-signed zones will include a signed NSEC/NSEC3 to prove the nonexistence of the qtype.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: [DNSOP] comments on DNS terminology draft
Evan Hunt wrote:
> > > Should we also mention that NODATA responses usually include a SOA record in the authority section to indicate to resolvers how long to do negative caching for?
> >
> > That does not seem to be established firmly enough for us to add.
>
> It's necessary for negative caching, so I believe it's required for authoritative responses (RFC 2308 section 3), but optional for recursive.
>
> Might also add that DNSSEC-signed zones will include a signed NSEC/NSEC3 to prove the nonexistence of the qtype.

those sound like protocol clarifications rather than terminology clarifications.

--
Paul Vixie
Re: [DNSOP] comments on DNS terminology draft
Paul Vixie p...@redbarn.org wrote:
> John Levine wrote:
> > A very short survey reveals that unbound and 8.8.8.8 return SOA, bind doesn't. So it's not all the time, but it's pretty common.
>
> in BIND it's an option.

It is? I can't work out how to make it produce a negative response without a SOA. minimal-responses doesn't do it.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Portland, Plymouth, North Biscay: Westerly 5 to 7, decreasing 4 later. Moderate or rough. Occasional rain or drizzle. Good becoming moderate or poor.
Re: [DNSOP] comments on DNS terminology draft
> Good point, I was only thinking of recursive answers, and I don't think I see SOAs there all the time. We can add that NODATA responses for authoritative responses include the SOA.

A very short survey reveals that unbound and 8.8.8.8 return SOA, bind doesn't. So it's not all the time, but it's pretty common.

R's,
John
Re: [DNSOP] comments on DNS terminology draft
On Wed, Apr 1, 2015 at 4:37 PM, John Levine jo...@taugh.com wrote:
> > Good point, I was only thinking of recursive answers, and I don't think I see SOAs there all the time. We can add that NODATA responses for authoritative responses include the SOA.
>
> A very short survey reveals that unbound and 8.8.8.8 return SOA, bind doesn't. So it's not all the time, but it's pretty common.
>
> R's,
> John

Hmm, my quick test indicates that BIND (at least BIND 9.10.x) does return SOA (acting as a resolver). Not only common, but also helpful - additional downstream resolvers and caching stubs can use this info to cache non-existence.

Shumon.
Re: [DNSOP] comments on DNS terminology draft
John Levine wrote:
> > Good point, I was only thinking of recursive answers, and I don't think I see SOAs there all the time. We can add that NODATA responses for authoritative responses include the SOA.
>
> A very short survey reveals that unbound and 8.8.8.8 return SOA, bind doesn't. So it's not all the time, but it's pretty common.

in BIND it's an option. but, this document should not be used to clarify the protocol, only the terminology.

--
Paul Vixie
Re: [DNSOP] comments on DNS terminology draft
Shumon Huque shu...@gmail.com wrote:
> > Apex -- The SOA and NS RRsets at the origin of a zone. This is also called the zone apex.
>
> Why is it only the SOA and NS RRsets? I would suggest defining it in terms of the domain name.

Yes. Paul likes to quote existing RFCs, so, the definition in RFC 4033 section 2 is:

   Zone Apex: Term used to describe the name at the child's side of a zone cut. See also delegation point.

RFC 4034 section 4.1.1 says:

   ... name of the zone apex (the owner name of the zone's SOA RR).

> Isn't this what the original RFCs defined as the 'top node' (and not specific types of data sets that exist at the top node)?

Yes.

Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
Trafalgar: North 6 to gale 8, occasionally severe gale 9 at first near portugal. Rough or very rough becoming moderate or rough. Showers then fair. Moderate or good.