From: "Robert Edmonds"
To: bind9-bugs@isc.org
Date: Fri, 4 Sep 2015 14:01:20 -0400
Subject: Add "test.", "invalid." to built-in empty zones
Message-ID: <20150904180120.GA12001@mycre.ws>

Hi,

According to the BIND 9 ARM, named has a default list of empty zones:

    These are for zones that should normally be answered locally and
    which queries should not be sent to the Internet's root servers.

This list doesn't appear to include the "test." or "invalid." domains
from RFC 6761 "Special-Use Domain Names". The behavior specified for
these domains appears to match the behavior provided by BIND's empty
zone functionality, so (IMO) these two domains should be added to the
list.

    [...]

    6.2. Domain Name Reservation Considerations for "test."

    [...]

    4. Caching DNS servers SHOULD recognize test names as special and
       SHOULD NOT, by default, attempt to look up NS records for them,
       or otherwise query authoritative DNS servers in an attempt to
       resolve test names. Instead, caching DNS servers SHOULD, by
       default, generate immediate negative responses for all such
       queries. This is to avoid unnecessary load on the root name
       servers and other name servers. Caching DNS servers SHOULD
       offer a configuration option (disabled by default) to enable
       upstream resolving of test names, for use in networks where
       test names are known to be handled by an authoritative DNS
       server in said private network.

    [...]

    6.4. Domain Name Reservation Considerations for "invalid."

    [...]

    4. Caching DNS servers SHOULD recognize "invalid" names as special
       and SHOULD NOT attempt to look up NS records for them, or
       otherwise query authoritative DNS servers in an attempt to
       resolve "invalid" names. Instead, caching DNS servers SHOULD
       generate immediate NXDOMAIN responses for all such queries.
       This is to avoid unnecessary load on the root name servers and
       other name servers.

    [...]

-- 
Robert Edmonds
edmonds@debian.org
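
The resolver behaviour quoted from RFC 6761 above, as an added example that is not part of the original message and is not BIND code: it decides whether a query name should get a local negative answer or be resolved upstream, matching on whole labels so that names such as "contest." are not caught. The names SPECIAL_USE, decide and audit are hypothetical, and the sample query names are constructed.

```python
# Added illustration of the RFC 6761 text quoted in the message above.
# SPECIAL_USE, labels, decide and audit are hypothetical names, not BIND APIs.

# Zone labels -> does the quoted text allow an opt-in for upstream resolution?
SPECIAL_USE = {
    ("test",): True,      # 6.2 item 4: option to resolve upstream, off by default
    ("invalid",): False,  # 6.4 item 4: the quoted text offers no such option
}


def labels(qname):
    """Split a name into lowercase labels (escaped dots are not handled)."""
    name = qname.strip().lower()
    if name.endswith("."):
        name = name[:-1]          # drop the root dot of a fully qualified name
    return tuple(name.split(".")) if name else ()


def decide(qname, upstream_enabled=frozenset()):
    """Return ("local-negative", zone) or ("resolve-upstream", None)."""
    parts = labels(qname)
    for zone, may_opt_in in SPECIAL_USE.items():
        # Compare whole trailing labels: "contest." and "test.example.org."
        # must not be treated as part of "test.".
        if len(parts) >= len(zone) and parts[-len(zone):] == zone:
            zone_name = ".".join(zone) + "."
            if may_opt_in and zone_name in upstream_enabled:
                return ("resolve-upstream", None)
            return ("local-negative", zone_name)
    return ("resolve-upstream", None)


def audit(qnames, upstream_enabled=frozenset()):
    """From names seen going upstream, list those that should have stayed local."""
    return [q for q in qnames if decide(q, upstream_enabled)[0] == "local-negative"]


if __name__ == "__main__":
    # Constructed sample of query names, not taken from any real log.
    sample = ["www.example.com.", "host.TEST.", "contest.", "foo.invalid",
              "test.example.org.", "invalid."]
    for q in sample:
        print(q, decide(q))
    print("should not have left the resolver:", audit(sample))
```
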