Re: [dnsext] caches, validating resolvers, CD and DO

bmanning@vacation.karoshi.com Thu, 21 April 2011 21:49 UTC

Date: Thu, 21 Apr 2011 19:04:07 +0000
From: bmanning@vacation.karoshi.com
To: Nicholas Weaver <nweaver@ICSI.Berkeley.EDU>
Message-ID: <20110421190407.GB2211@vacation.karoshi.com.>
In-Reply-To: <AC2624E2-F035-4B58-9082-CFEEC91B7F2C@ICSI.Berkeley.EDU>
Cc: Marc Lampo <marc.lampo@eurid.eu>, dnsext@ietf.org
Subject: Re: [dnsext] caches, validating resolvers, CD and DO

On Thu, Mar 31, 2011 at 07:27:42AM -0700, Nicholas Weaver wrote:
> 
> > I agree in principle, however that policy can also be "trust the caching
> > recursive resolver."  Saying that the client MUST validate does not
> > allow for this trusting policy.
> > 
> > -derek
> 
> Good point, however, the default policy should still be a must, since your configuration is rather unusual:  DNSSEC enables DNS to not trust the recursive resolver, and the default policy should take advantage of this.
> 
> Defaults should provide maximum safety and maximum interoperability for the majority of the clients.
> 

	so you're saying the default should be MUST - but the default MUST be overridable?

/bill