[NCAP-Discuss] Root Cause Analysis Reports - Final Call for Comments

Warren Kumari warren at kumari.net
Mon Aug 8 22:31:57 UTC 2022


On Wed, Aug 03, 2022 at 12:11 PM, Casey Deccio <casey at deccio.net> wrote:

> Dear NCAP DG members,
>
> As you know, I have written two reports associated with root cause
> analysis for name collisions reports received by ICANN. Some time ago I
> distributed earlier versions of these documents to this mailing list, which
> resulted in feedback that I have addressed in the latest versions. Most of
> the changes are relatively minor. The one significant addition is the
> inclusion of a section on "Qname minimization considerations", which is now
> section 7.3 of the "Root Cause Analysis - new gTLD" report. The final
> version of these reports will be included as appendices in the Study 2
> document, along with other reports that have been written in conjunction
> with Study 2.
>
> I invite you to read the documents, with particular attention to the new
> section. I will consider this a final call for comments from the NCAP DG.
>


Erm, insert my disclaimer about having missed some calls here.

Apologies if I missed this in the document, but I read it, and then also
searched for terms like 'aggressive', 'nsec', 'RFC8198' and similar, with
no luck.

As far as I can see, the document doesn't discuss / consider
aggressive-nsec (RFC8198 - "Aggressive Use of DNSSEC-Validated Cache"
<https://datatracker.ietf.org/doc/RFC8198/>) at all, and this seems like it
is a significant oversight.

As an example, I configured a name-server to perform aggressive-nsec
(synth-from-dnssec yes; — note: from
https://bind9.readthedocs.io/en/latest/reference.html , this is the default
behavior), and restarted it to ensure that the cache was clean.

I then did:
$ ping -c 1 foo.corona
ping: foo.corona: Name or service not known
$  ping -c 1 foo.corp
ping: foo.corp: Name or service not known
$ ping -c 1 foo.corpulent
ping: foo.corpulent: Name or service not known
$  ping -c 1 foo.corral
ping: foo.corral: Name or service not known
$ ping -c 1 foo.correct
ping: foo.correct: Name or service not known
$ ping -c 1 foo.correlate
ping: foo.correlate: Name or service not known
$  ping -c 1 foo.correspond
ping: foo.correspond: Name or service not known
$ ping -c 1 foo.corridor
ping: foo.corridor: Name or service not known


and here is the result:
----
18:18:06.327971 IP 204.194.23.4.57539 > 192.36.148.17.53: 6424 [1au] NS?
corona. (63)
18:18:06.328429 IP 192.36.148.17.53 > 204.194.23.4.57539: 6424 NXDomain*-
0/6/1 (1055)
^C
40 packets captured
40 packets received by filter
0 packets dropped by kernel
....

As expected, there is a lookup for .corona but there is no query sent to
the root (or anywhere else) for anything in .corp (or corona or corpulent
or corral or correct or …) — the NSEC record (coop. 10800 IN NSEC corsica.
NS DS RRSIG NSEC) already proved that there is nothing alphabetically
between .coop and .corsica, and that space covers all of the above names.
This means that there could be names with significant use, but that are not
being exposed (or, if they are, that the magnitude is hidden).

I still believe that this is a significant issue, and, unless I missed
something, is not accounted for or discussed in the document….

W
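The mechanism the message describes, as an added illustration that is not part of the original post or of BIND: the RFC 4034 canonical-ordering test a validating resolver applies under RFC 8198 to decide whether an already cached, DNSSEC-validated NSEC (here the quoted coop. -> corsica. record, constructed inline) proves a query name does not exist, so that no query for it ever reaches the root. The cache contents and the list of TLDs are constructed from the names in the message; the wildcard check RFC 8198 also requires is omitted.

```python
# Added example (not from the original post): the name-range check behind
# RFC 8198 aggressive negative caching. The NSEC record and the queried
# TLDs are the ones quoted in the message; nothing is queried on the wire.

def canonical_key(name: str) -> tuple:
    """RFC 4034 section 6.1 canonical ordering: compare lowercase labels
    starting from the root (rightmost) label; a missing label sorts first."""
    labels = [l.lower().encode("ascii") for l in name.split(".") if l]
    return tuple(reversed(labels))

def parse_nsec(rr_text: str):
    """Parse presentation-format NSEC, e.g. 'coop. 10800 IN NSEC corsica. NS DS'."""
    fields = rr_text.split()
    if len(fields) < 5 or fields[2].upper() != "IN" or fields[3].upper() != "NSEC":
        raise ValueError(f"not an NSEC record: {rr_text!r}")
    owner, next_name, types = fields[0], fields[4], set(fields[5:])
    return owner, next_name, types

def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True when qname falls strictly between owner and next_name in canonical
    order, i.e. this NSEC proves that qname (and its whole subtree) is absent."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o or q == n:
        return False      # the name exists: it is itself an NSEC owner
    if o < n:
        return o < q < n  # ordinary NSEC in the middle of the chain
    return q > o          # last NSEC wraps to the apex: covers all names after owner

def synthesized_nxdomain(cached_nsecs, qname: str):
    """Return the cached NSEC that lets the resolver answer NXDOMAIN for qname
    without asking an authoritative server, or None if a query must be sent.
    RFC 8198 additionally requires ruling out a matching wildcard; omitted here."""
    for rr in cached_nsecs:
        owner, next_name, _ = parse_nsec(rr)
        if nsec_covers(owner, next_name, qname):
            return rr
    return None

# Constructed cache: the single root-zone NSEC quoted in the message.
CACHE = ["coop. 10800 IN NSEC corsica. NS DS RRSIG NSEC"]
QUERIED = ["corona", "corp", "corpulent", "corral", "correct",
           "correlate", "correspond", "corridor"]

if __name__ == "__main__":
    for tld in QUERIED:
        hit = synthesized_nxdomain(CACHE, f"foo.{tld}.")
        print(f"foo.{tld}. -> {'synthesized NXDOMAIN' if hit else 'query sent to root'}")
```

Every one of the eight TLDs is answered from the one cached NSEC, which is why the capture in the message shows only the initial query for corona.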


> Root Cause Analysis - wpad.domain.name
>
> https://docs.google.com/document/d/1y5jcWeH3gOKzxtF7_BnqNdwbbvlyqvshNVIZvJ19wDg/edit?usp=sharing
>
> Root Cause Analysis - New gTLD Collisions
> https://docs.google.com/document/d/
> 1YSvdH9Slws0iW3e6yoS04s5zANBnyMMFn9DUNE19fkg/edit?usp=sharing
>
> Please request access if you don't have it.
>
> Cheers,
> Casey
> _______________________________________________
> NCAP-Discuss mailing list
> NCAP-Discuss at icann.org
> https://mm.icann.org/mailman/listinfo/ncap-discuss
>