NXDomain remapping, DNSSEC, Layer 9, and you.

Mark Andrews marka at isc.org
Tue May 29 00:54:12 UTC 2012


In message <1564718.6360.1338247007903.JavaMail.root at benjamin.baylink.com>, Jay
 Ashworth writes:
> ----- Original Message -----
> > From: "Paul Vixie" <vixie at isc.org>
> 
> > > *Now*, you see, we no longer have a canonical Good Engineering
> > > Example to
> > > which we can point when yelling at people (and software vendors)
> > > which
> > > *do* permit that, to say "see? You shouldn't be doing that; it's
> > > bad."
> > >
> > > "The Web Is Not The Internet."
> > 
> > i see what you mean, and i'm sad that this arrow is no longer in your
> > quiver. perhaps you can still refer to nlnetlabs unbound for this
> > purpose.
> > 
> > if i thought there was even one isp anywhere who wanted to use nxdomain
> > remapping but didn't because bind didn't have that feature, i'd be ready to
> > argue the point. but all isc did by not supporting this feature was force
> > some isp's to not use bind, and: isc is not in the "sour grapes"
> > business.
> 
> Well, I disagree on that, but I am not widely travelled, and perhaps
> the obvious argument I see wasn't ever actually used.
> 
> This is the "do I put cigarette burn preventers on the toilet paper 
> dispensers in my 'no smoking' restroom" problem, pretty much exactly.
> 
> > meanwhile isc continues to push for ubiquitous dnssec, through to the stub,
> > to take this issue off the table for all people and all time. (that's "the
> > real fix" for nxdomain remapping.)
> 
> You really believe that the outcome of that will be "we can't make some
> extra revenue off NXDOMAIN remapping because of DNSSEC?  Well, the hell
> with DNSSEC, then"?

People will route around ISPs that do stupid things.  They do so
today.  When your browser supports DANE there will be more incentive
to ensure that DNSSEC does not break and more incentive to route
around ISPs that do break DNSSEC.

Even an ISP that is redirecting on NXDOMAIN wants to be sure that
it is a real NXDOMAIN, not one that is spoofed, so the path to the
ISP's resolver will be DNSSEC clean and they will be validating.

Until stub resolvers set DO=1 pretty much ubiquitously this won't
be a problem for ISPs that want to do NXDOMAIN redirection.  There
are still plenty of crappy DNS proxies in CPE routers to be replaced
before you can just set DO=1 as a default without worrying about
breaking DNS lookups.  Even setting EDNS as a default is an issue.

That said, we are starting down the long path to making EDNS a
default.  DiG in BIND 9 defaults to using EDNS and "dig +trace"
sets DO=1 as well.  You don't get things fixed if the breakage
is not visible.

Mark

> Cheers,
> -- jra
> -- 
> Jay R. Ashworth                  Baylink                       jra at baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
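As an added example (not part of this thread, and not ISC or BIND code), the Python below builds the two kinds of query the message contrasts, a plain one and one carrying an EDNS(0) OPT record with DO=1, parses a reply, and reports whether an NXDOMAIN came back with the AD bit from a validating resolver. The name, the transaction ID, and the resolver response are all constructed here for illustration; nothing is sent on the wire. The rule that AD is only counted when the query itself set DO is a policy choice made for the example, not something the thread prescribes.

```python
import struct

DNS_TYPE_OPT = 41          # EDNS(0) pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000           # DNSSEC OK bit: top bit of the OPT RR's TTL field
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Wire-encode a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            off += 1
            break
        if ln & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            target, _ = decode_name(msg, ptr)
            if target != ".":
                labels.append(target.rstrip("."))
            off += 2
            break
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels) + ".", off


def build_query(name, qtype, txid, edns=True, do=False, udp_size=4096):
    """Build a recursive query; optionally append an OPT RR, optionally with DO set."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root owner name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-RCODE | version | DO | Z, RDLENGTH=0.
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_size,
                                     DO_FLAG if do else 0, 0)
    return msg


def parse_message(msg):
    """Return header flags, the question, and any EDNS/DO information found."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "rcode": flags & 0xF, "qr": bool(flags & FLAG_QR),
            "ad": bool(flags & FLAG_AD), "qname": None, "qtype": None,
            "edns": False, "do": False, "udp_size": 512}
    off = 12
    for _ in range(qd):
        info["qname"], off = decode_name(msg, off)
        info["qtype"] = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4
    for count in (an, ns, ar):                     # walk every RR, look for OPT
        for _ in range(count):
            _, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == DNS_TYPE_OPT:
                info["edns"], info["udp_size"] = True, rclass
                info["do"] = bool(ttl & DO_FLAG)
    return info


def build_response(query, rcode, ad=False):
    """Fabricate a minimal resolver reply to `query` (no answer RRs), echoing its
    OPT RR and DO bit the way a resolver would. Constructed sample traffic only."""
    q = parse_message(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 0, 0, 1 if q["edns"] else 0)
    msg = header + encode_name(q["qname"]) + struct.pack("!HH", q["qtype"], 1)
    if q["edns"]:
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, q["udp_size"],
                                     DO_FLAG if q["do"] else 0, 0)
    return msg


def validated_nxdomain(query, response):
    """True only if `response` answers `query` with NXDOMAIN, the resolver set AD,
    and the query asked for DNSSEC (DO=1). Example policy: an AD bit on a reply to
    a DO=0 query is treated as unverified. AD still only means something over a
    trusted path to a resolver you trust; a validating stub removes that caveat."""
    q, r = parse_message(query), parse_message(response)
    if r["id"] != q["id"] or r["qname"] != q["qname"] or not r["qr"]:
        return False
    return r["rcode"] == RCODE_NXDOMAIN and r["ad"] and q["do"]


if __name__ == "__main__":
    q = build_query("nonexistent.example.", 1, 0x1234, edns=True, do=True)
    r = build_response(q, RCODE_NXDOMAIN, ad=True)
    print(parse_message(q))
    print(parse_message(r))
    print("validated NXDOMAIN:", validated_nxdomain(q, r))
```

Sending the DO=1 query through a CPE proxy of the kind the message complains about and then running `parse_message` on whatever comes back is a quick way to see the breakage: a proxy that strips or mangles the OPT RR shows up as `edns` False in the reply (or as no reply at all), which is exactly the failure that makes DO=1 unsafe as a default until such boxes are replaced.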
