Report information
The Basics
Id:
41298
Status:
open
Priority:
Medium/Medium
Queue:
bind9-public
People
Owner:
Nobody in particular
Requestors:
Timothe Litt <litt@acm.org>
Cc:
AdminCc:
BugTracker
Version Fixed:
(no value)
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P2 Normal
Severity:
S2 Normal
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
BIND Server
Area:
feature
Attachments
smime.p7s
Dates
Created:Tue, 15 Dec 2015 09:31:56 -0500
Updated:Fri, 07 Jul 2017 01:12:53 -0400
Closed:Not set

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Tue, 15 Dec 2015 09:31:56 -0500 Timothe Litt <litt@acm.org> - Ticket created
Subject: Special use zone handling
Date: Tue, 15 Dec 2015 09:31:44 -0500
To: bind9-bugs@isc.org
From: "Timothe Litt" <litt@acm.org>

Currently bind supports automatic empty zones (only) for reverse address zones in private IPv4 and reserved IPv6 spaces. It doesn't do other special-use zone handling specified in several RFCs. http://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml The other "special-use" zones (as of today) are: example. example.com. example.net. example.org. invalid. local. localhost. onion. test. It seems to me that most of the missing special handling can be implemented by adding automatic empty zones. While the query volumes are probably nothing like the RFC1918 in-addr.arpa mess, RFC 6761 encourages similar special handling for most of these zones. full .localhost compliance would require some special case code. Quick analysis: 6761 6.5: indicates that the *example* names should be resolved normally -- IANA does provide stub web pages (but not stubs for other well-known services such as ftp or smtp). No change for them. 6761 6.2: .test is similar to 1918 zones; should return NXDOMAIN unless locally configured. auto-empty would do this. 6761 6.4.4, .5, .6: .invalid should unconditionally return NXDOMAIN; one isn't supposed to be able to locally configure. Auto-empty would return NXDOMAIN, but would allow local configuration. Quick NXDOMAIN is an improvement. I don't think it's worth a special case to prohibit local config. NB: Resolvers are allowed to filter .invalid names, so illegal use of the domain is already unpredictable. 6762 22.4, .5: .local is used by mdns named should not get queries from compliant resolvers. NXDOMAIN should be generated for .local, as a resolver that is unaware of mDNS might query named. .5 says that an authoritative server MAY respond "for testing or other specialized uses." So an automatic .local zone in named would meet the requirements. 6761 6.3.4, .5, .6: .localhost - is supposed to return a loopback address for a/aaaa queries (127.0.0.1/::1), and a negative response for all other query types. That's not done by named today. Some people create zone files for localhost (which also answer - at least - SOA and NS). It is not allowed to modify .localhost by local configuration. Some violate the RFC, e.g. for VPN or RDP with foo.localhost mapping to 127.0.0.<n>. Some resolvers rely on hosts.txt to intercept localhost before it gets to named. An automatic empty zone wouldn't make things worse, but would get a quicker NXDOMAIN. With no localhost zone configured, the root servers return NXDOMAIN. However, adding the localhost special case logic to return loopback addresses would be a good idea. Rather than code, this could be an automatic "non-empty" zone. This would make it easy to add corresponding PTR entries for localhost in the auto zones for 127.in-addr.arpa and 1.0...0.ip6.arpa. The PTRs aren't specified in an RFC, but would be consistent with resolver behaviors. 7686 2.4, .5: .onion "MUST" return NDXOMAIN (since named doesn't support TOR); automatic empty zone would do that. Since new "special use" names pop up once in a while, perhaps an 'enable empty-zone "arbitrary-zone-name"' directive would be useful. This would allow rapid reaction by operator when they show up, and might be useful in local circumstances. (e.g. example.<my-tld> -- note that automatic zones are identified in the stats channel, and management software can treat them differently.) -- Timothe Litt ACM Distinguished Engineer -------------------------- This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
smime.p7s

Message body not shown because it is not plain text.

  Tue, 15 Dec 2015 17:48:35 -0500 Mark Andrews <marka@isc.org> - Correspondence added
Subject: Re: [ISC-Bugs #41298] Special use zone handling
Date: Wed, 16 Dec 2015 09:48:29 +1100
To: bind9-bugs@isc.org
From: "Mark Andrews" <marka@isc.org>

On 16/12/2015, at 1:31 AM, "Timothe Litt via RT" <bind9-bugs@isc.org> wrote: > > Tue Dec 15 14:31:56 2015: Request 41298 was acted upon. > Transaction: Ticket created by litt@acm.org > Queue: bind9 > Subject: Special use zone handling > Owner: Nobody > Requestors: litt@acm.org > Status: new > Ticket <URL: https://bugs.isc.org/Ticket/Display.html?id=41298 > > ----------------------------------------------------------------------- > > Currently bind supports automatic empty zones (only) for reverse address > zones in private IPv4 and reserved IPv6 spaces. It doesn't do other > special-use zone handling specified in several RFCs. > > http://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml > > The other "special-use" zones (as of today) are: > > example. > example.com. > example.net. > example.org. > invalid. > local. > localhost. > onion. > test. > > It seems to me that most of the missing special handling can be > implemented by adding automatic empty zones. Actually they can't for the names in the root zone. Queries for these names that make it to the DNS still need to have negative responses that can be handed to a validator and not get bogus out the other end. The automatic empty zones do not achieve that. The simplest way to not send traffic to the root servers is to slave the root zone. This doesn't help with example.{com.net,org}. Mark
Tue, 15 Dec 2015 17:48:36 -0500 The RT System itself - Status changed from 'new' to 'open'
  Tue, 15 Dec 2015 22:04:45 -0500 Timothe Litt <litt@acm.org> - Correspondence added
Subject: Re: [ISC-Bugs #41298] Special use zone handling
Date: Tue, 15 Dec 2015 22:04:31 -0500
To: bind9-bugs@isc.org
From: "Timothe Litt" <litt@acm.org>

On 15-Dec-15 17:48, Mark Andrews via RT wrote: > On 16/12/2015, at 1:31 AM, "Timothe Litt via RT" <bind9-bugs@isc.org> wrote: > >> Tue Dec 15 14:31:56 2015: Request 41298 was acted upon. >> Transaction: Ticket created by litt@acm.org >> Queue: bind9 >> Subject: Special use zone handling >> Owner: Nobody >> Requestors: litt@acm.org >> Status: new >> Ticket <URL: https://bugs.isc.org/Ticket/Display.html?id=41298 > >> ----------------------------------------------------------------------- >> >> Currently bind supports automatic empty zones (only) for reverse address >> zones in private IPv4 and reserved IPv6 spaces. It doesn't do other >> special-use zone handling specified in several RFCs. >> >> http://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xhtml >> >> The other "special-use" zones (as of today) are: >> >> example. >> example.com. >> example.net. >> example.org. >> invalid. >> local. >> localhost. >> onion. >> test. >> >> It seems to me that most of the missing special handling can be >> implemented by adding automatic empty zones. > Actually they can't for the names in the root zone. Queries for these names > that make it to the DNS still need to have negative responses that can be > handed to a validator and not get bogus out the other end. The automatic > empty zones do not achieve that. > > The simplest way to not send traffic to the root servers is to slave the > root zone. This doesn't help with example.{com.net,org}. > > Mark Sigh, DNSSEC... It's not explicit in the RFCs, but I interpret them to imply that the validators should be short-circuiting the special-use zones just as the resolvers should. That is: unless configured with a local trust anchor/NTA for a zone, a validator can always reply "validation success, NXDOMAIN" without consulting the root for all the special use zones except *example*. If a zone is locally configured, the validator must have a local trust anchor (or NTA), since the root's signatures are not meaningful. (This is true today.) In this case, there is no root traffic as validation starts with the anchor. *example* is actually signed by the root for the stub webpages provided by ICANN (TXT, A, AAAA, NS, SOA). If overridden for local use (e.g. to test documentation), a local trust anchor (or NTA) must be provided to the validator... Otherwise, validation proceeds normally (does consult root). test and local are provably NXDOMAIN in the root - so for local use, there must be a local trust anchor (or NTA). A validator can short-circuit if neither is provided. invalid and onion can't be used locally. But they are NXDOMAIN in the root. So always short-circuitable by a validator. That leaves localhost. NXDOMAIN in the root. If done per 6761 (e.g. just the a/aaaa records), validator can short-circuit as the data is "defined by protocol". If a real zone file is provided, the validator needs a trust anchor. There is an oddity in that one of the RFCs (7686 2.7 + 1para) says that ICANN may "reserve .onion by entering it into the root zone database", special handling not withstanding. This seems ill-considered as existing resolvers wouldn't ignore it. But even in this case, it's 'virtually NXDOMAIN' in the root by spec. I think these observations are implementable regardless of whether the validator is internal to named or completely independent. Bottom line: validators should be short-circuiting special use zones in the same way as resolvers. They require a local (negative) trust anchor if a private version of a zone is configured. They shouldn't generate root traffic for private zones. (But do for the public *example* zones) Automatic zones can provide the authoritative data (nxdomain) without consulting the root, even for the names in the root. Or am I missing something? Timothe Litt ACM Distinguished Engineer -------------------------- This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
smime.p7s

Message body not shown because it is not plain text.

Wed, 16 Dec 2015 13:33:36 -0500 Mukund Sivaraman <muks@isc.org> - Queue changed from #6 to #3
Wed, 16 Dec 2015 13:33:36 -0500 Mukund Sivaraman <muks@isc.org> - Priority P2 Normal added
Wed, 16 Dec 2015 13:33:36 -0500 Mukund Sivaraman <muks@isc.org> - Severity S2 Normal added
Tue, 12 Jan 2016 11:00:59 -0500 Stephen Morris <stephen@isc.org> - Area feature added
Tue, 12 Jan 2016 11:00:59 -0500 Stephen Morris <stephen@isc.org> - Component BIND Server added
Fri, 07 Jul 2017 01:12:53 -0400 Vicky Risk <vicky@isc.org> - Queue changed from #3 to bind9-public