IETF Logo Mail Archive

the DO bit Re: [dnsext] Reminder: two WGLC closing in one week

Edward Lewis <Ed.Lewis@neustar.biz> Mon, 06 October 2008 16:30 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AD35C3A6ACE; Mon, 6 Oct 2008 09:30:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.605
X-Spam-Level:
X-Spam-Status: No, score=-0.605 tagged_above=-999 required=5 tests=[AWL=-0.110, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vxXYDhRj0eL7; Mon, 6 Oct 2008 09:30:07 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id C918A3A67DD; Mon, 6 Oct 2008 09:30:06 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KmsvI-000PU4-7x for namedroppers-data@psg.com; Mon, 06 Oct 2008 16:27:04 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <Ed.Lewis@neustar.biz>) id 1Kmsv5-000PS1-UE for namedroppers@ops.ietf.org; Mon, 06 Oct 2008 16:26:54 +0000
Received: from [192.168.1.101] (mail.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.2/8.14.2) with ESMTP id m96GQRms027200; Mon, 6 Oct 2008 12:26:28 -0400 (EDT) (envelope-from Ed.Lewis@neustar.biz)
Mime-Version: 1.0
Message-Id: <a06240802c50feb2040bc@[192.168.1.101]>
In-Reply-To: <8263ob2xyy.fsf@mid.bfk.de>
References: <200809262103.m8QL3USA067104@drugs.dv.isc.org> <8263ob2xyy.fsf@mid.bfk.de>
Date: Mon, 06 Oct 2008 12:25:06 -0400
To: Florian Weimer <fweimer@bfk.de>
From: Edward Lewis <Ed.Lewis@neustar.biz>
Subject: the DO bit Re: [dnsext] Reminder: two WGLC closing in one week
Cc: Mark Andrews <Mark_Andrews@isc.org>, Andrew Sullivan <ajs@commandprompt.com>, namedroppers@ops.ietf.org
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.64 on 10.20.30.4
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

At 10:38 +0200 10/2/08, Florian Weimer wrote:
>* Mark Andrews:
>
>>>  DO necessarily implies UD because the synthesized CNAME is not signed
>>>  and thus not visible to a DNSSEC client (section 3.1).
>>
>>  	DO indicates that you want the DNSSEC records.
>
>DO was originally conceived as "intent to validate".  It's not used
>this way, though.

No, "DO indicates that you want the DNSSEC records" is accurate.

We (= the group that cobbled DNSSEC into BIND 8) stood up a name 
server before the DO bit was invented.  After not hearing from the 
government agency that was funding the work on DNSSEC for a few days 
we realized that something was amiss.  It turned out that we were 
responding to A record requests with responses enlarged by the DNSSEC 
records and the funding agency's firewalls were rejecting all traffic 
to port 53 over a certain size.  This "eating our own dogfood" 
experience led to the DO bit.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

v2.23.0 | Report a Bug | By Email