how should we deal with DNS 0x20 failures?
There's quite a few most popular names that fail because of failure to preserve question section letter case. For example:
$ curl 131m1.in.cfops.it:3102/trace/eicp.net
[64526] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[60843] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[60843] [resl] => querying: '2001:503:d414::30' score: 22 zone cut: 'net.' m12n: 'eIcp.neT.' type: 'A' proto: 'udp'
[60843] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 60843
;; Flags: qr cd QUERY: 1; ANSWER: 0; AUTHORITY: 6; ADDITIONAL: 5
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: Unused
;; QUESTION SECTION
eicp.net. A
;; AUTHORITY SECTION
eicp.net. 172800 NS ns1.exhera.com.
eicp.net. 172800 NS ns2.exhera.com.
a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 86400 NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM
a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 86400 RRSIG NSEC3 8 2 86400 20171227062609 20171220051609 18737 net. nEhicHLkvsZVirHCoNYYNJKGcJOj9XtL57/ltvpBXqP6a4gnYeui3QOI2ru7WBgjx7B2Q/rlJN5CYa/5JIrLn1G13uOIU97rsoE93gpyicbxhEb0sz6NxpTrLlpK7I18Avdvc4u3wsqyMgN/G+fph/fNmk6ZMiIDvSFo5ouxlRI=
p2cngqrm82dqo3hk9aa6gobsrp72g5q7.net. 86400 NSEC3 1 1 0 - P2DRF6N042LFDI2S4AS6OSU2JESNJ0IL NS DS RRSIG
p2cngqrm82dqo3hk9aa6gobsrp72g5q7.net. 86400 RRSIG NSEC3 8 2 86400 20171227062037 20171220051037 18737 net. cWJS8lOxKCHz0SH2fJzuH6hPLoaXODhHsaiwTx89LKceWjRzOF+7Ka4QyNnJJ2xYJL44YaTE7L5aLZ7/PBCmyJIdjrTqwzni+5hVnAU0AkaSxaG92I0Nw5GQFYa/blorKT3icJnhypntnZgBMqzi78/YjtMAht7lxCREogcFlYM=
;; ADDITIONAL SECTION
ns1.exhera.com. 172800 A 103.44.145.248
ns1.exhera.com. 172800 A 175.6.228.196
ns2.exhera.com. 172800 A 120.26.12.130
ns2.exhera.com. 172800 A 121.40.91.126
[60843] [iter] <= referral response, follow
[60843] [vldr] >< failed to validate but skipping: eicp.net. NS
[60843] [vldr] <= DS doesn't exist, going insecure
[60843] [vldr] <= answer valid, OK
[60843] [ rc ] => orig. rank: 002
[60843] [resl] <= server: '2001:503:d414::30' rtt: 21 ms
[41955] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[41955] [plan] plan 'ns2.exhera.com.' type 'AAAA'
[ 5860] [iter] 'ns2.exhera.com.' type 'AAAA' created outbound query, parent id 41955
[ 5860] [ pc ] => rank: 030, lowest 030 -> satisfied=1
[ 5860] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5860
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 1
;; QUESTION SECTION
ns2.exhera.com. AAAA
;; AUTHORITY SECTION
exhera.com. 2687 SOA peanutmail.newpeanut.idc. domain_admin.oray.cn. 1817 900 600 86400 3600
;; ADDITIONAL SECTION
ns2.exhera.com. 60 RP dnscache.oray.com. .
[ 5860] [iter] <= rcode: NOERROR
[ 5860] [vldr] <= cached insecure response, going insecure
[28878] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[28878] [plan] plan 'ns2.exhera.com.' type 'A'
[48460] [iter] 'ns2.exhera.com.' type 'A' created outbound query, parent id 28878
[48460] [ rc ] => rank: 001, lowest 000, ns2.exhera.com. A
[48460] [ rc ] => satisfied from cache
[48460] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 48460
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
ns2.exhera.com. A
;; ANSWER SECTION
ns2.exhera.com. 172481 A 120.26.12.130
ns2.exhera.com. 172481 A 121.40.91.126
[48460] [iter] <= rcode: NOERROR
[28878] [iter] <= using glue for 'ns2.exhera.com.': '120.26.12.130'
[58636] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[58636] [resl] => querying: '120.26.12.130' score: 148 zone cut: 'eicp.net.' m12n: 'EICP.NET.' type: 'A' proto: 'udp'
[58636] [resl] => querying: '120.26.12.130' score: 148 zone cut: 'eicp.net.' m12n: 'EICP.NET.' type: 'A' proto: 'udp'
[58636] [resl] => querying: '120.26.12.130' score: 148 zone cut: 'eicp.net.' m12n: 'EICP.NET.' type: 'A' proto: 'udp'
[58636] [resl] => querying: '120.26.12.130' score: 148 zone cut: 'eicp.net.' m12n: 'EICP.NET.' type: 'A' proto: 'udp'
[58636] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 58636
;; Flags: qr aa QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; QUESTION SECTION
EICP.NET. A
;; ANSWER SECTION
eicp.net. 300 A 61.152.96.115
;; ADDITIONAL SECTION
eicp.net. 60 RP dnsproxy.oray.com. .
[58636] [iter] <= ignoring mismatching response
[58636] [resl] <= server: '120.26.12.130' rtt: 806 ms
[59380] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[30302] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[30302] [plan] plan 'ns1.exhera.com.' type 'AAAA'
[39584] [iter] 'ns1.exhera.com.' type 'AAAA' created outbound query, parent id 30302
[39584] [ pc ] => rank: 030, lowest 030 -> satisfied=1
[39584] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 39584
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 1
;; QUESTION SECTION
ns1.exhera.com. AAAA
;; AUTHORITY SECTION
exhera.com. 2571 SOA peanutmail.newpeanut.idc. domain_admin.oray.cn. 1817 900 600 86400 3600
;; ADDITIONAL SECTION
ns1.exhera.com. 60 RP dnscache.oray.com. .
[39584] [iter] <= rcode: NOERROR
[39584] [vldr] <= cached insecure response, going insecure
[56616] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[56616] [plan] plan 'ns1.exhera.com.' type 'A'
[ 1371] [iter] 'ns1.exhera.com.' type 'A' created outbound query, parent id 56616
[ 1371] [ rc ] => rank: 001, lowest 000, ns1.exhera.com. A
[ 1371] [ rc ] => satisfied from cache
[ 1371] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 1371
;; Flags: qr aa QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION
ns1.exhera.com. A
;; ANSWER SECTION
ns1.exhera.com. 172477 A 103.44.145.248
ns1.exhera.com. 172477 A 175.6.228.196
[ 1371] [iter] <= rcode: NOERROR
[56616] [iter] <= using glue for 'ns1.exhera.com.': '103.44.145.248'
[52161] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[52161] [resl] => querying: '103.44.145.248' score: 222 zone cut: 'eicp.net.' m12n: 'eICp.neT.' type: 'A' proto: 'udp'
[52161] [iter] <= answer received:
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 52161
;; Flags: qr aa QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; QUESTION SECTION
eICp.neT. A
;; ANSWER SECTION
eicp.net. 144 A 61.152.96.115
;; ADDITIONAL SECTION
eicp.net. 60 RP dnscache.oray.com. .
[52161] [iter] <= ignoring mismatching response
[32654] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[45954] [iter] 'eicp.net.' type 'A' created outbound query, parent id 0
[45954] [resl] => no valid NS left
[45954] [resl] finished: 0, queries: 5, mempool: 147552 B
Used records from answer:
-------------------------
cached: false, rank: omit, record: ns2.exhera.com. 172481 A 120.26.12.130
cached: false, rank: omit, record: ns2.exhera.com. 172481 A 121.40.91.126
cached: false, rank: omit, record: ns1.exhera.com. 172477 A 103.44.145.248
cached: false, rank: omit, record: ns1.exhera.com. 172477 A 175.6.228.196
Used records from authority:
----------------------------
cached: true, rank: try, record: eicp.net. 172800 NS ns1.exhera.com.
cached: true, rank: try, record: eicp.net. 172800 NS ns2.exhera.com.
cached: false, rank: secure, record: a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 86400 NSEC3 1 1 0 - A1RUUFFJKCT2Q54P78F8EJGJ8JBK7I8B NS SOA RRSIG DNSKEY NSEC3PARAM
cached: false, rank: omit, record: a1rt98bs5qgc9nfi51s9hci47uljg6jh.net. 86400 RRSIG NSEC3 8 2 86400 20171227062609 20171220051609 18737 net. nEhicHLkvsZVirHCoNYYNJKGcJOj9XtL57/ltvpBXqP6a4gnYeui3QOI2ru7WBgjx7B2Q/rlJN5CYa/5JIrLn1G13uOIU97rsoE93gpyicbxhEb0sz6NxpTrLlpK7I18Avdvc4u3wsqyMgN/G+fph/fNmk6ZMiIDvSFo5ouxlRI=
cached: false, rank: secure, record: p2cngqrm82dqo3hk9aa6gobsrp72g5q7.net. 86400 NSEC3 1 1 0 - P2DRF6N042LFDI2S4AS6OSU2JESNJ0IL NS DS RRSIG
cached: false, rank: omit, record: p2cngqrm82dqo3hk9aa6gobsrp72g5q7.net. 86400 RRSIG NSEC3 8 2 86400 20171227062037 20171220051037 18737 net. cWJS8lOxKCHz0SH2fJzuH6hPLoaXODhHsaiwTx89LKceWjRzOF+7Ka4QyNnJJ2xYJL44YaTE7L5aLZ7/PBCmyJIdjrTqwzni+5hVnAU0AkaSxaG92I0Nw5GQFYa/blorKT3icJnhypntnZgBMqzi78/YjtMAht7lxCREogcFlYM=
(It's Alexa global rank 164,642, 22,465 in China)
Should the resolver accept such answer if the current delegation is secure (and therefore DNSSEC signatures can be checked) ?