DNS/qname-minimisation/possible-issues

1. DNS/qname-minimisation/possible-issues

Contents

DNS/qname-minimisation/possible-issues
REFUSED response
ENT

https://tools.ietf.org/html/rfc7816

lame delegationはどう扱うのがいいか。/sharp_subdomains

2. REFUSED response

broken (REFUSED)

Some broken name servers do not react properly to QTYPE=NS requests.
   For instance, some authoritative name servers embedded in load
   balancers reply properly to A queries but send REFUSED to NS queries.

   This behaviour is a protocol violation, and there is no need to stop
   improving the DNS because of such behaviour.

   However, QNAME minimisation may still work with such domains,
   since they are only leaf domains (no need to send them NS requests).  
   Such a setup breaks more than just QNAME minimisation.  
   It breaks negative answers, since
   the servers don't return the correct SOA, and it also breaks anything
   dependent upon NS and SOA records existing at the top of the zone.

   Another way to deal with such incorrect name servers would be to try
   with QTYPE=A requests (A being chosen because it is the most common
   and hence a QTYPE that will always be accepted, while a QTYPE NS may
   ruffle the feathers of some middleboxes). 

   Instead of querying name servers with a query "NS example.com",
   we could use "A _.example.com" and see if we get a referral.

3. ENT

   A problem can also appear when a name server does not react properly
   to ENTs (Empty Non-Terminals).  If ent.example.com has no resource
   records but foobar.ent.example.com does, then ent.example.com is an ENT. 
   Whatever the QTYPE, a query for ent.example.com must return
   NODATA (NOERROR / ANSWER: 0).  However, some name servers incorrectly
   return NXDOMAIN for ENTs.  If a resolver queries only
   foobar.ent.example.com, everything will be OK, but if it implements
   QNAME minimisation, it may query ent.example.com and get an NXDOMAIN.
   See also Section 3 of [DNS-Res-Improve] for the other bad
   consequences of this bad behaviour.

   A possible solution, currently implemented in Knot, is to retry with
   the full query when you receive an NXDOMAIN.
   It works, but it is not ideal for privacy.

Other practices that do not conform to the DNS protocol standards may pose a problem: there is a common DNS trick used by some web hosters that also do DNS hosting that exploits the fact that the DNS protocol

MoinQ: DNS/qname-minimisation/possible-issues (last edited 2020-12-31 01:28:28 by ToshinoriMaeno)