NXDOMAIN really means there is nothing underneath
draft-ietf-dnsop-nxdomain-cut-00

Document Type: Active Internet-Draft (dnsop WG)
Last updated: 2015-12-27
Replaces: draft-bortzmeyer-dnsop-nxdomain-cut
Stream: IETF
Intended RFC status: Proposed Standard
WG state: WG Document
Document shepherd: Tim Wicinski
IESG state: I-D Exists
Domain Name System Operations (dnsop) Working Group        S. Bortzmeyer
Internet-Draft                                                     AFNIC
Updates: 1034,2308 (if approved)                                S. Huque
Intended status: Standards Track                           Verisign labs
Expires: June 29, 2016                                 December 27, 2015

           NXDOMAIN really means there is nothing underneath
                    draft-ietf-dnsop-nxdomain-cut-00

Abstract

   This document states clearly that when a DNS resolver receives a
   response with response code of NXDOMAIN, it means that the domain
   name which is thus denied AND ALL THE NAMES UNDER IT do not exist.

   REMOVE BEFORE PUBLICATION: this document should be discussed in the
   IETF DNSOP (DNS Operations) group, through its mailing list.  The
   source of the document, as well as a list of open issues, is
   currently kept at Github [1].

   This document clarifies RFC 1034 and slightly modifies RFC 2308, so it
   updates both of them.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 29, 2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents

Bortzmeyer & Huque        Expires June 29, 2016                 [Page 1]
Internet-Draft                NXDOMAIN cut                 December 2015

   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction and background . . . . . . . . . . . . . . . . .   2
     1.1.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Benefits  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Possible issues . . . . . . . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   7.  Implementation status - RFC EDITOR: REMOVE BEFORE PUBLICATION   5
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   6
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   7
     9.3.  URIs  . . . . . . . . . . . . . . . . . . . . . . . . . .   8
   Appendix A.  Why can't we just use the owner name of the returned
                SOA? . . . . . . . . . . . . . . . . . . . . . . . .   8
   Appendix B.  Related approaches . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   9

1.  Introduction and background

   The DNS protocol [RFC1035] defines response code 3 as "Name Error",
   or "NXDOMAIN", i.e. the queried domain name does not exist in the
   DNS.  Since domain names are represented as a tree of labels
   ([RFC1034], Section 3.1), non-existence of a node implies non-
   existence of the entire sub-tree rooted at this node.

   The DNS iterative resolution algorithm precisely interprets the
   NXDOMAIN signal in this manner.  If it encounters an NXDOMAIN
   response code from an authoritative server, it immediately stops
   iteration and returns the NXDOMAIN response to the querier.

   However, in virtually all existing resolvers, a cached NXDOMAIN is
   not considered "proof" that there can be no child domains underneath.
   This is due to an ambiguity in [RFC1034] that failed to distinguish
   Empty Non-Terminal names (ENT) ([RFC7719]) from nonexistent names.
   For DNSSEC, the IETF had to distinguish this case ([RFC4035], section
   3.1.3.2), but the implication for non-DNSSEC resolvers was not fully
   realized.
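   The following is an added example, not text or code from the draft or
   its authors: a toy resolver negative cache that applies the reading of
   NXDOMAIN given above (a denied name takes its whole subtree with it)
   and contrasts it with the pre-draft behaviour, where only an NXDOMAIN
   cached for the exact queried name counts.  It also keeps the ENT case
   apart: an Empty Non-Terminal answers NOERROR with an empty answer
   section (NODATA), and that response proves nothing about names below
   it.  All names, TTLs and simulated upstream responses are constructed
   for illustration, and the class and function names are the example's
   own.

```python
# Added example, not part of draft-ietf-dnsop-nxdomain-cut-00.  A toy
# negative cache that treats a cached NXDOMAIN for a name as proof that
# every name below it does not exist, while a cached NODATA (NOERROR with
# an empty answer section, the response an Empty Non-Terminal gives) is
# kept per (name, type) and never extended to children.  Names, TTLs and
# upstream answers below are constructed for illustration.


def labels(name):
    """Split an absolute name into labels: 'a.b.example.' -> ['a', 'b', 'example']."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def ancestors(name):
    """Yield the name itself, then each ancestor up to but excluding the root.

    Matching is label by label, so 'foo.example.' covers 'bar.foo.example.'
    but not 'xfoo.example.' (a plain string-suffix test would get that wrong).
    """
    ls = labels(name)
    for i in range(len(ls)):
        yield ".".join(ls[i:]) + "."


class NegativeCache:
    """Negative cache keyed the way RFC 2308 describes: NXDOMAIN per name,
    NODATA per (name, type).  'now' is passed explicitly so behaviour is
    deterministic; a real resolver would read a monotonic clock."""

    def __init__(self):
        self.nxdomain = {}  # name -> expiry time
        self.nodata = {}    # (name, qtype) -> expiry time

    def store(self, name, qtype, rcode, ancount, ttl, now):
        """Record a negative response.  ttl is the negative TTL taken from
        the SOA in the authority section (RFC 2308)."""
        name = name.lower()
        if rcode == "NXDOMAIN":
            self.nxdomain[name] = now + ttl
        elif rcode == "NOERROR" and ancount == 0:
            self.nodata[(name, qtype.upper())] = now + ttl

    def lookup(self, name, qtype, now, apply_cut=True):
        """Answer from cache if possible.

        Returns ('NXDOMAIN', covering_name), ('NODATA', name), or None when
        the resolver must query the authoritative servers.  With apply_cut
        False the cache behaves like the resolvers described in Section 1:
        only an NXDOMAIN cached for the exact name is used.
        """
        name = name.lower()
        candidates = ancestors(name) if apply_cut else [name]
        for cand in candidates:
            exp = self.nxdomain.get(cand)
            if exp is not None and exp > now:
                return ("NXDOMAIN", cand)
        exp = self.nodata.get((name, qtype.upper()))
        if exp is not None and exp > now:
            return ("NODATA", name)
        return None


def demo():
    """Run the cases that matter and return them for inspection."""
    cache = NegativeCache()
    # Constructed upstream answers: foo.example. does not exist (NXDOMAIN,
    # negative TTL 300); ent.example. is an Empty Non-Terminal, so an A
    # query for it gets NODATA although names below it may exist.
    cache.store("foo.example.", "A", "NXDOMAIN", 0, ttl=300, now=100)
    cache.store("ent.example.", "A", "NOERROR", 0, ttl=300, now=100)
    return {
        # The cut: a child of a denied name is denied without a new query.
        "child_of_nxdomain": cache.lookup("bar.foo.example.", "A", now=200),
        # The same query under the old behaviour is a cache miss.
        "child_legacy": cache.lookup("bar.foo.example.", "A", now=200, apply_cut=False),
        # NXDOMAIN denies the name, not a type, so AAAA is covered too.
        "other_type": cache.lookup("foo.example.", "AAAA", now=200),
        # A name that merely shares a string suffix is not covered.
        "sibling": cache.lookup("xfoo.example.", "A", now=200),
        # Once the negative TTL has expired the resolver must ask again.
        "expired": cache.lookup("bar.foo.example.", "A", now=500),
        # NODATA for the ENT itself is served from cache ...
        "ent_nodata": cache.lookup("ent.example.", "A", now=200),
        # ... but says nothing about names below it or about other types.
        "ent_child": cache.lookup("leaf.ent.example.", "A", now=200),
        "ent_other_type": cache.lookup("ent.example.", "MX", now=200),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} -> {result}")
```

   Two details carry the security-relevant point.  The ancestor walk is
   done on labels rather than on string suffixes, otherwise a cached
   NXDOMAIN for foo.example. would wrongly deny xfoo.example.  And the
   NODATA path is deliberately not walked: a NOERROR/empty answer for an
   ENT would otherwise be turned into a denial of real names beneath it.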
