From nobody Thu Apr 2 15:30:35 2015 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A3191A8742 for ; Thu, 2 Apr 2015 15:30:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.9 X-Spam-Level: X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OPp1WNWX00aR for ; Thu, 2 Apr 2015 15:30:31 -0700 (PDT) Received: from odbmap08.extra.chrysler.com (odbmap08.out.extra.chrysler.com [129.9.107.38]) by ietfa.amsl.com (Postfix) with ESMTP id AEA371A6F11 for ; Thu, 2 Apr 2015 15:30:31 -0700 (PDT) Received: from odbmap09.oddc.chrysler.com (Unknown_Domain [151.171.137.34]) by odbmap08.extra.chrysler.com (Symantec Messaging Gateway) with SMTP id F0.89.05098.603CD155; Thu, 2 Apr 2015 18:30:31 -0400 (EDT) X-AuditID: 81096b24-f79016d0000013ea-17-551dc306a6ec Received: from MXPA3CHRW.fgremc.it (Unknown_Domain [151.171.20.19]) by odbmap09.oddc.chrysler.com (Symantec Messaging Gateway) with SMTP id E4.3F.03913.603CD155; Thu, 2 Apr 2015 18:30:30 -0400 (EDT) Received: from mxph2chrw.fgremc.it (2002:97ab:152a::97ab:152a) by MXPA3CHRW.fgremc.it (2002:97ab:150f::97ab:150f) with Microsoft SMTP Server (TLS) id 15.0.847.32; Thu, 2 Apr 2015 17:30:30 -0500 Received: from mxph1chrw.fgremc.it (151.171.20.45) by mxph2chrw.fgremc.it (151.171.20.46) with Microsoft SMTP Server (TLS) id 15.0.847.32; Thu, 2 Apr 2015 17:30:01 -0500 Received: from mxph1chrw.fgremc.it ([fe80::fdc5:c8cf:dca3:ac4]) by mxph1chrw.fgremc.it ([fe80::fdc5:c8cf:dca3:ac4%19]) with mapi id 15.00.0847.030; Thu, 2 Apr 2015 17:29:55 -0500 From: "Darcy Kevin (FCA)" To: Kumar Ashutosh , Brian Dickson Thread-Topic: [dnsext] RFC 6604 Clarification Thread-Index: AdBqx4LlMcsNNOFbQA+DDcOOf8n56gBZdqCAAAVUMwAAU8VA4A== Date: Thu, 2 Apr 2015 22:29:55 +0000 Message-ID: References: <0bea6bc18cb34b1681a1bd0484ec91a9@HKXPR30MB021.064d.mgd.msft.net> In-Reply-To: <0bea6bc18cb34b1681a1bd0484ec91a9@HKXPR30MB021.064d.mgd.msft.net> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [151.171.20.202] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrHIsWRmVeSWpSXmKPExsUyfXWnki77YdlQg5lNTBa7mx6xWpzcsoDV gcljyZKfTB6tO/6yBzBFcdmkpOZklqUW6dslcGU8alrIWHBRrmLn7y62BsYpEl2MnBwSAiYS h7rvMEHYYhIX7q1n62Lk4hASuMQo8XLLCRaYoumbP7NCJE4ySuzbc4oRwjnKKDFj5yoghwPI WcsoMTMPIr6NUWLq37WMIN1sQN0Lr9xlBrFFBJIkbjUcArOZBbQkfpy8yA5iCwvoSHybsZ4J okZXYsOXl2wQtpPE4h+vwepZBFQkVpxewAayixco/vlQPMSuG4wSJ/dNBNvFKeAnMWfDK7A5 jEDvfD+1hglil7jErSfzod4UkFiy5zwzhC0q8fLxP1YIW0mi4+YyNoh6HYkFuz9B2doSyxZC 3MArIChxcuYTcKgICahK9K99yQ5yhITAV3aJjwcnsk5glJmFZN8sJLNmIZk1C8msBYwsqxil 81OSchMLDCz0UitKihL1kjOKKotzUov0kvNzNzECI7yRM1tlB+OaeZaHGAU4GJV4eNNWyoYK sSaWFVfmHmKU5mBREud9kgcUEkhPLEnNTk0tSC2KLyrNSS0+xMjEwSnVwHi4a+X51vzAnjTr DfKMO0qZRThsDWayVxfdmryV9czhORc+FmQ+U6o4637m8/EdXOGJeQZ/slZtuRfF/nIq+/wG wayPX1RcN/XXPf69q36t0d5wPqFUZv5nb3U//VrRVepu3xjx9OgpjuBPahkLjbjeNcjMzJO7 NPHVXLNXz/dleaiv+hPEnaPEUpyRaKjFXFScCAAndrmr0QIAAA== X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrLKsWRmVeSWpSXmKPExsUyfbWIsC7bYdlQgz2fjS12Nz1itTi5ZQGr A5PHkiU/mTxad/xlD2CK4rJJSc3JLEst0rdL4Mp41LSQseCiXMXO311sDYxTJLoYOTkkBEwk pm/+zAphi0lcuLeerYuRi0NI4CSjxL49pxghnKOMEjN2rgJyOICctYwSM/Mg4tsYJab+XcsI 0s0GNGnhlbvMILaIQJLErYZDYDazgJbEj5MX2UFsYQEdiW8z1jNB1OhKbPjykg3CdpJY/OM1 WD2LgIrEitML2EB28QLFPx+Kh9h1g1Hi5L6JYLs4Bfwk5mx4BTaHEejq76fWMEHsEpe49WQ+ E8Q3AhJL9pxnhrBFJV4+/gf1pZJEx81lbBD1OhILdn+CsrUlli2EuIFXQFDi5MwnLCC2kICq RP/al+wTGCVnIVkxC0n7LCTts5C0L2BkWcUolZ+SlJtYYGCpl5+SkqyXnFFUWZyTWqSXnJ+7 iREck52KOxgbF1keYhTgYFTi4a1fKRsqxJpYVlyZe4hRkoNJSZT3+16gEF9SfkplRmJxRnxR aU5q8SFGCQ5mJRHeFbuBcrwpiZVVqUX5MClpDhYlcV6VAodAIYH0xJLU7NTUgtQimKwMB4eS BK/RQaBGwaLU9NSKtMycEoQ0EwcnyHAeoOEVIDW8xQWJucWZ6RD5V4ziQGcK82aBpHiAaRJJ RgLoWhFeh3nSIE0liQgpqQZGp/3RRWyCer8f1u6TT30z+d/PpJ+njNkSbt16+vDT2R2rPwlO nX/wWFam/sFFddfYDv7bOkUmY5HhKr5nJT4MyXGTsws/yyvyzZ77RPunwscLC3de4VyVkrnp QaFV6lV9t6BNZffZDJ/GiO3ysGm7teSW/Ooz+e8yDZj3mPUaNaaWK4ZNbLkSrsRSnJFoqMVc VJwIAMFPG8RQAwAA Archived-At: Cc: DNSEXT Group Working Subject: Re: [dnsext] RFC 6604 Clarification X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Apr 2015 22:30:34 -0000 Closest-enclosing-zone logic. If the non-recursive server, in the hypotheti= cal mentioned below, happens to be authoritative for the *root* zone, then = since "root" logically encloses all other zones, the nameserver wouldn't re= turn a SERVFAIL in that case, right? - Kevin -----Original Message----- From: dnsext [mailto:dnsext-bounces@ietf.org] On Behalf Of Kumar Ashutosh Sent: Tuesday, March 31, 2015 9:11 PM To: Brian Dickson Cc: DNSEXT Group Working Subject: Re: [dnsext] RFC 6604 Clarification Hi=20 " Sending the query to the previous auth server would be the wrong thing to= do. Even if such a query were received, the correct behavior is NOERRROR, = NODATA, with AA unset (set to zero). If you are not sure you understand this, please ask any clarifying question= s you may have. Please tell us that MS DNS does NOT do SERV_FAIL, or if it does, that you a= re going to fix it. :-)" For CNAME partial chains, MS DNS servers respond with NOERROR in all the ca= ses till now. We were evaluating to see what RFC 6604 compliance would mean= in terms of changes. For your question above. If a query for A of x.example.com is received on a= n authoritative server, which does not have any idea of example.com or .com= , then it will simply respond with serv_fail. NODATA will be returned only = when there is a x.example.com of some other type.=20 -----Original Message----- From: Brian Dickson [mailto:brian.peter.dickson@gmail.com] Sent: Wednesday, April 1, 2015 04:09 To: Kumar Ashutosh Cc: DNSEXT Group Working Subject: Re: [dnsext] RFC 6604 Clarification On Mon, Mar 30, 2015 at 2:04 AM, Kumar Ashutosh wrote: > Hi > > As per RFC 6604, section 3 > > When an xNAME chain is followed, all but the last query cycle > > necessarily had no error. The RCODE in the ultimate DNS=20 > response > > MUST BE set based on the final query cycle leading to that > > response. If the xNAME chain was terminated by an error, it=20 > will > > be that error code. If the xNAME chain terminated without=20 > error, > > it will be zero. > 2. If the CNAME chain points to a Qname for which the auth server is=20 > non-authoritative (and recursion is disabled on the auth server.) The=20 > server in this case cannot get the response. A direct query for this=20 > Qname will result in SERV_FAIL. Should the auth server return SERV_FAIL i= n this case? > Will resolvers respect answers with SERV_FAIL in RCODE and cache the=20 > partial response? Just to clarify your question further: A CNAME chain is normally processed ENTIRELY by the iterative (recursive) resolver. In the case of a given authority server being authoritative for the domain = name found on the right-hand-side of a CNAME, as an optimization, it MAY pr= ovide the results of a re-started query using that RHS value. It can ONLY do that so long as it is authoritative. If it is not, it simply= returns the data it is authoritative for, with a NOERROR RCODE. Pointing to a domain name that it is not authoritative for, is not an error= condition. The iterative resolver would need to continue processing the rewritten QNAM= E, by sending the rewritten query to whatever authority server is authorita= tive for that new QNAME. Sending the query to the previous auth server would be the wrong thing to d= o. Even if such a query were received, the correct behavior is NOERRROR, NO= DATA, with AA unset (set to zero). If you are not sure you understand this, please ask any clarifying question= s you may have. Please tell us that MS DNS does NOT do SERV_FAIL, or if it does, that you a= re going to fix it. :-) Brian _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext From nobody Fri Apr 3 01:48:12 2015 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B797C1A1AA9 for ; Fri, 3 Apr 2015 01:48:10 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.902 X-Spam-Level: X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gh9O0bjsN-cT for ; Fri, 3 Apr 2015 01:48:09 -0700 (PDT) Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0148.outbound.protection.outlook.com [207.46.100.148]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36D171A1A7C for ; Fri, 3 Apr 2015 01:48:09 -0700 (PDT) Received: from BY2PR03CA055.namprd03.prod.outlook.com (10.141.249.28) by CY1PR0301MB0649.namprd03.prod.outlook.com (25.160.158.143) with Microsoft SMTP Server (TLS) id 15.1.118.21; Fri, 3 Apr 2015 08:48:07 +0000 Received: from BN1BFFO11FD008.protection.gbl (2a01:111:f400:7c10::1:174) by BY2PR03CA055.outlook.office365.com (2a01:111:e400:2c5d::28) with Microsoft SMTP Server (TLS) id 15.1.130.23 via Frontend Transport; Fri, 3 Apr 2015 08:48:07 +0000 Authentication-Results: spf=pass (sender IP is 206.191.230.212) smtp.mailfrom=microsoft.com; gmail.com; dkim=none (message not signed) header.d=none; Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 206.191.230.212 as permitted sender) receiver=protection.outlook.com; client-ip=206.191.230.212; helo=064-smtp-out.microsoft.com; Received: from 064-smtp-out.microsoft.com (206.191.230.212) by BN1BFFO11FD008.mail.protection.outlook.com (10.58.144.71) with Microsoft SMTP Server (TLS) id 15.1.136.16 via Frontend Transport; Fri, 3 Apr 2015 08:48:06 +0000 Received: from HKXPR30MB021.064d.mgd.msft.net (141.251.57.209) by HKXPR30MB022.064d.mgd.msft.net (141.251.57.210) with Microsoft SMTP Server (TLS) id 15.1.125.19; Fri, 3 Apr 2015 08:48:03 +0000 Received: from HKXPR30MB021.064d.mgd.msft.net ([141.251.57.209]) by HKXPR30MB021.064d.mgd.msft.net ([141.251.57.209]) with mapi id 15.01.0125.002; Fri, 3 Apr 2015 08:48:03 +0000 From: Kumar Ashutosh To: Brian Dickson Thread-Topic: [dnsext] RFC 6604 Clarification Thread-Index: AdBqx4LlMcsNNOFbQA+DDcOOf8n56gBO/GqAAHnIXWA= Date: Fri, 3 Apr 2015 08:48:03 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [141.251.58.4] Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:206.191.230.212; CTRY:US; IPV:NLI; EFV:NLI; BMV:1; SFV:NSPM; SFS:(10019020)(6009001)(438002)(13464003)(377454003)(24454002)(51704005)(199003)(189002)(24736003)(86362001)(62966003)(19580405001)(2656002)(19580395003)(6806004)(86146001)(106466001)(77156002)(102836002)(110136001)(23676002)(92566002)(47776003)(66066001)(50986999)(33646002)(86612001)(2900100001)(76176999)(46102003)(50466002)(16796002)(108616004)(2950100001)(87936001)(54356999); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB0649; H:064-smtp-out.microsoft.com; FPR:; SPF:Pass; MLV:sfv; A:1; MX:1; LANG:en; X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB0649; X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(5002010)(5005006); SRVR:CY1PR0301MB0649; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB0649; X-Forefront-PRVS: 05352A48BE X-OriginatorOrg: microsoft.onmicrosoft.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 03 Apr 2015 08:48:06.6006 (UTC) X-MS-Exchange-CrossTenant-Id: 72f988bf-86f1-41af-91ab-2d7cd011db47 X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47; Ip=[206.191.230.212]; Helo=[064-smtp-out.microsoft.com] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB0649 Archived-At: Cc: DNSEXT Group Working Subject: Re: [dnsext] RFC 6604 Clarification X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Apr 2015 08:48:10 -0000 QEJyaWFuDQoNCj4+Pj5QbGVhc2UgdGVsbCB1cyB0aGF0IE1TIEROUyBkb2VzIE5PVCBkbyBTRVJW X0ZBSUwsIG9yIGlmIGl0IGRvZXMsIHRoYXQgeW91IGFyZSBnb2luZyB0byBmaXggaXQuIDotKQ0K QXQgcHJlc2VudCBNUyBETlMgc2VydmVycyByZXNwb25kIGJhY2sgd2l0aCBSQ09ERT0wIGluIGNh c2Ugb2YgcGFydGlhbCBDQU5NRSBjaGFpbiByZXNwb25zZSAoZXZlbiB3aGVuIGxhc3QgcXVlcnkg aW4gdGhlIGNoYWluIHJlc3VsdHMgaW4gTlhET01BSU4uIFRoYXQgaXMgdGhlIHJlYXNvbiB3aHkg d2UgYXJlIGV2YWx1YXRpbmcgdGhlIFJGQyA2NjA0IHdoZXJlIHRoZSBjbGFyaWZpY2F0aW9uIGhh cyBiZWVuIGFkZGVkIGluIHNlY3Rpb24gMykNCg0KVGhhbmtzDQpBc2h1DQpQcm9ncmFtIE1hbmFn ZXIgfCBXaW5kb3dzIE5ldHdvcmtpbmd8IEROUyAmIFNETg0KDQotLS0tLU9yaWdpbmFsIE1lc3Nh Z2UtLS0tLQ0KRnJvbTogQnJpYW4gRGlja3NvbiBbbWFpbHRvOmJyaWFuLnBldGVyLmRpY2tzb25A Z21haWwuY29tXSANClNlbnQ6IFdlZG5lc2RheSwgQXByaWwgMSwgMjAxNSAwNDowOQ0KVG86IEt1 bWFyIEFzaHV0b3NoDQpDYzogRE5TRVhUIEdyb3VwIFdvcmtpbmcNClN1YmplY3Q6IFJlOiBbZG5z ZXh0XSBSRkMgNjYwNCBDbGFyaWZpY2F0aW9uDQoNCk9uIE1vbiwgTWFyIDMwLCAyMDE1IGF0IDI6 MDQgQU0sIEt1bWFyIEFzaHV0b3NoIDxLdW1hci5Bc2h1dG9zaEBtaWNyb3NvZnQuY29tPiB3cm90 ZToNCj4gSGkNCj4NCj4gQXMgcGVyIFJGQyA2NjA0LCBzZWN0aW9uIDMNCj4NCj4gICAgICAgV2hl biBhbiB4TkFNRSBjaGFpbiBpcyBmb2xsb3dlZCwgYWxsIGJ1dCB0aGUgbGFzdCBxdWVyeSBjeWNs ZQ0KPg0KPiAgICAgICBuZWNlc3NhcmlseSBoYWQgbm8gZXJyb3IuICBUaGUgUkNPREUgaW4gdGhl IHVsdGltYXRlIEROUyANCj4gcmVzcG9uc2UNCj4NCj4gICAgICAgTVVTVCBCRSBzZXQgYmFzZWQg b24gdGhlIGZpbmFsIHF1ZXJ5IGN5Y2xlIGxlYWRpbmcgdG8gdGhhdA0KPg0KPiAgICAgICByZXNw b25zZS4gIElmIHRoZSB4TkFNRSBjaGFpbiB3YXMgdGVybWluYXRlZCBieSBhbiBlcnJvciwgaXQg DQo+IHdpbGwNCj4NCj4gICAgICAgYmUgdGhhdCBlcnJvciBjb2RlLiAgSWYgdGhlIHhOQU1FIGNo YWluIHRlcm1pbmF0ZWQgd2l0aG91dCANCj4gZXJyb3IsDQo+DQo+ICAgICAgICAgICAgICAgaXQg d2lsbCBiZSB6ZXJvLg0KDQo+IDIuIElmIHRoZSBDTkFNRSBjaGFpbiBwb2ludHMgdG8gYSBRbmFt ZSBmb3Igd2hpY2ggdGhlIGF1dGggc2VydmVyIGlzIA0KPiBub24tYXV0aG9yaXRhdGl2ZSAoYW5k IHJlY3Vyc2lvbiBpcyBkaXNhYmxlZCBvbiB0aGUgYXV0aCBzZXJ2ZXIuKSBUaGUgDQo+IHNlcnZl ciBpbiB0aGlzIGNhc2UgY2Fubm90IGdldCB0aGUgcmVzcG9uc2UuIEEgZGlyZWN0IHF1ZXJ5IGZv ciB0aGlzIA0KPiBRbmFtZSB3aWxsIHJlc3VsdCBpbiBTRVJWX0ZBSUwuIFNob3VsZCB0aGUgYXV0 aCBzZXJ2ZXIgcmV0dXJuIFNFUlZfRkFJTCBpbiB0aGlzIGNhc2U/DQo+IFdpbGwgcmVzb2x2ZXJz IHJlc3BlY3QgYW5zd2VycyB3aXRoIFNFUlZfRkFJTCBpbiBSQ09ERSBhbmQgY2FjaGUgdGhlIA0K PiBwYXJ0aWFsIHJlc3BvbnNlPw0KDQpKdXN0IHRvIGNsYXJpZnkgeW91ciBxdWVzdGlvbiBmdXJ0 aGVyOg0KDQpBIENOQU1FIGNoYWluIGlzIG5vcm1hbGx5IHByb2Nlc3NlZCBFTlRJUkVMWSBieSB0 aGUgaXRlcmF0aXZlDQoocmVjdXJzaXZlKSByZXNvbHZlci4NCkluIHRoZSBjYXNlIG9mIGEgZ2l2 ZW4gYXV0aG9yaXR5IHNlcnZlciBiZWluZyBhdXRob3JpdGF0aXZlIGZvciB0aGUgZG9tYWluIG5h bWUgZm91bmQgb24gdGhlIHJpZ2h0LWhhbmQtc2lkZSBvZiBhIENOQU1FLCBhcyBhbiBvcHRpbWl6 YXRpb24sIGl0IE1BWSBwcm92aWRlIHRoZSByZXN1bHRzIG9mIGEgcmUtc3RhcnRlZCBxdWVyeSB1 c2luZyB0aGF0IFJIUyB2YWx1ZS4NCg0KSXQgY2FuIE9OTFkgZG8gdGhhdCBzbyBsb25nIGFzIGl0 IGlzIGF1dGhvcml0YXRpdmUuIElmIGl0IGlzIG5vdCwgaXQgc2ltcGx5IHJldHVybnMgdGhlIGRh dGEgaXQgaXMgYXV0aG9yaXRhdGl2ZSBmb3IsIHdpdGggYSBOT0VSUk9SIFJDT0RFLg0KDQpQb2lu dGluZyB0byBhIGRvbWFpbiBuYW1lIHRoYXQgaXQgaXMgbm90IGF1dGhvcml0YXRpdmUgZm9yLCBp cyBub3QgYW4gZXJyb3IgY29uZGl0aW9uLg0KDQpUaGUgaXRlcmF0aXZlIHJlc29sdmVyIHdvdWxk IG5lZWQgdG8gY29udGludWUgcHJvY2Vzc2luZyB0aGUgcmV3cml0dGVuIFFOQU1FLCBieSBzZW5k aW5nIHRoZSByZXdyaXR0ZW4gcXVlcnkgdG8gd2hhdGV2ZXIgYXV0aG9yaXR5IHNlcnZlciBpcyBh dXRob3JpdGF0aXZlIGZvciB0aGF0IG5ldyBRTkFNRS4NCg0KU2VuZGluZyB0aGUgcXVlcnkgdG8g dGhlIHByZXZpb3VzIGF1dGggc2VydmVyIHdvdWxkIGJlIHRoZSB3cm9uZyB0aGluZyB0byBkby4g RXZlbiBpZiBzdWNoIGEgcXVlcnkgd2VyZSByZWNlaXZlZCwgdGhlIGNvcnJlY3QgYmVoYXZpb3Ig aXMgTk9FUlJST1IsIE5PREFUQSwgd2l0aCBBQSB1bnNldCAoc2V0IHRvIHplcm8pLg0KDQpJZiB5 b3UgYXJlIG5vdCBzdXJlIHlvdSB1bmRlcnN0YW5kIHRoaXMsIHBsZWFzZSBhc2sgYW55IGNsYXJp ZnlpbmcgcXVlc3Rpb25zIHlvdSBtYXkgaGF2ZS4NCg0KUGxlYXNlIHRlbGwgdXMgdGhhdCBNUyBE TlMgZG9lcyBOT1QgZG8gU0VSVl9GQUlMLCBvciBpZiBpdCBkb2VzLCB0aGF0IHlvdSBhcmUgZ29p bmcgdG8gZml4IGl0LiA6LSkNCg0KQnJpYW4NCg== From nobody Mon Apr 6 22:25:18 2015 Return-Path: X-Original-To: dnsext@ietfa.amsl.com Delivered-To: dnsext@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF4841B2A16 for ; Mon, 6 Apr 2015 22:25:16 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2 X-Spam-Level: X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AJ7sJoN5Fklu for ; Mon, 6 Apr 2015 22:25:15 -0700 (PDT) Received: from mail-ie0-x233.google.com (mail-ie0-x233.google.com [IPv6:2607:f8b0:4001:c03::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FA4C1B2A14 for ; Mon, 6 Apr 2015 22:25:15 -0700 (PDT) Received: by iebmp1 with SMTP id mp1so38054014ieb.0 for ; Mon, 06 Apr 2015 22:25:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=F2pgpoXWM2u1NZVX57i1lF33tzXxMuJ1gUHjjCcw/vs=; b=Y9fiIsGJ7912jGVuA5oBrp1DW8fzrJbn4Bgkpts5BEpEjKxZZp2ZL+uQunEmBn2g5D r8MSpHfbR52yCJwaDmOEyoxf2xj1HCCC2LgCdoBvEWtaVOk+8DRBdwZ9yZa0gYms0w+k A71ycCXCYfyLky1TQJ64zJyaAkBVLBycgCv+hr8OV9eHKBtkLYzCndTNIjE2o7kgMTBo OccWSJG9/M8yryFvZmwDFCgx4kI5phn4suDakK4OBWLXAdk0vbyxmJOmO3+YCyjA/Nuh dTFJp915RrRvj2PP+iC24qATdT1q3WwU0o+hP9Lj6vfGp0psZlnPDgd/y+NzQ6TCJR5F 76VQ== MIME-Version: 1.0 X-Received: by 10.107.16.32 with SMTP id y32mr22966339ioi.53.1428384315059; Mon, 06 Apr 2015 22:25:15 -0700 (PDT) Received: by 10.50.25.231 with HTTP; Mon, 6 Apr 2015 22:25:15 -0700 (PDT) Date: Tue, 7 Apr 2015 05:25:15 +0000 Message-ID: From: Loganaden Velvindron To: dnsext@ietf.org Content-Type: text/plain; charset=UTF-8 Archived-At: Subject: [dnsext] Updating Security Considerations in RFC 6762 X-BeenThere: dnsext@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DNS Extensions working group discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 07 Apr 2015 05:25:17 -0000 Dear All, Following the release of a security vulnerability by CERT: https://www.kb.cert.org/vuls/id/550620 It might be worth considering updating RFC 6762 to advise implementors against amplification attacks by rate-limiting responses or refusing to reply to queries from outside local link. Quote: "Impact An mDNS response to a unicast query originating outside of the local link network may result in information disclosure, such as disclosing the device type/model that responds to the request or the operating system running such software. The mDNS response may also be used to amplify denial of service attacks against other networks." Feedback welcomed. //Logan C-x-C-c -- This message is strictly personal and the opinions expressed do not represent those of my employers, either past or present.