Re: [dnsext] caches, validating resolvers, CD and DO

Michael Richardson <mcr@sandelman.ca> Wed, 30 March 2011 07:32 UTC

To: dnsext@ietf.org
From: Michael Richardson <mcr@sandelman.ca>
Date: Wed, 30 Mar 2011 07:34:20 +0000
Message-ID: <loom.20110330T093131-460@post.gmane.org>
References: <20110330062335.BA8C9DAC3C4@drugs.dv.isc.org> <46219.1301468571@nsa.vix.com>
Subject: Re: [dnsext] caches, validating resolvers, CD and DO

Paul Vixie <vixie <at> isc.org> writes:
> the wire change i would like is wholly different.  since clients should
> not need to add caches when they add validation, i'd like the chain of
> rrsig and dnskey to be sent from the recursive server to the stub,
> everything it takes to validate the answer.  to do this, a new EDNS
> option would allow the client to express its closest trust point.  so if
> the client already knows (in a current-transaction cache that is not
> shared with other applications or transactions on the client host) it
> has a valid dnskey for google.com and it's asking for www.google.com
> then the only RRSIGs or DS/DNSKEY's it needs are for www.google.com
> and www.l.google.com.

I'd like to see this too.
A place where I think this is super useful is lldns/bonjour, for the
ad hoc disconnected case.  I claim to be bob.example.com on the wire, and
when I do that I include the chain of rrsig/dnskey from . (or whatever anchor
point you say you already have).
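The proposal quoted above has two mechanical parts: the stub tells the recursive server its closest trust point, and the server trims the DNSKEY/DS/RRSIG chain it returns to the zones below that point. The following is an added example, not code from either poster or from any DNS implementation, that models both parts. It assumes the trust point would be carried as an ordinary RFC 1035 wire-format name inside an EDNS option (no option code exists for this, so none is used here), and the zone cuts and owner names are constructed for the www.google.com / www.l.google.com case in the quoted text.

```python
"""Added example: trimming a DNSSEC chain to a stub's closest trust point.

Not code from the dnsext thread.  The trust-point encoding (a plain RFC 1035
wire-format name) and the zone-cut layout below are assumptions made for the
example.
"""
from typing import Iterable


def normalize(name: str) -> str:
    """Lower-case a name and make it fully qualified ("." for the root)."""
    name = name.lower().rstrip(".")
    return name + "." if name else "."


def name_to_wire(name: str) -> bytes:
    """Encode a name as RFC 1035 length-prefixed labels, no compression."""
    name = normalize(name).rstrip(".")
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label length: {label!r}")
            out.append(len(raw))
            out += raw
    out.append(0)  # root label terminates the name
    return bytes(out)


def wire_to_name(data: bytes) -> str:
    """Decode an uncompressed wire-format name; rejects pointers and truncation."""
    labels, pos = [], 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # top bits set: a compression pointer, invalid here
            raise ValueError("compression pointer not allowed in option body")
        if pos + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels) + "."


def ancestors(name: str) -> list:
    """All names from `name` up to the root, most specific first."""
    labels = [l for l in normalize(name).split(".") if l]
    return [".".join(labels[i:]) + "." if labels[i:] else "."
            for i in range(len(labels) + 1)]


def needed_chain(owner_names: Iterable[str], zone_cuts: Iterable[str],
                 trust_point: str) -> dict:
    """Decide what the recursive server must send a stub that already holds a
    validated DNSKEY RRset for `trust_point`.

    `owner_names` are the owners of every RRset in the answer (so a CNAME
    chain contributes both the alias and its target).  `zone_cuts` is the set
    of zone apexes on the path as the server learned them from delegations.

    Returns the owners whose RRSIGs are always needed, and the ordered list
    (top-down) of zone apexes for which DS + DNSKEY + their RRSIGs must be
    added.  If the trust point is not an apex above the answer, the hint is
    unusable and "." appears in the list: the stub falls back to its root
    trust anchor.
    """
    cuts = {normalize(z) for z in zone_cuts} | {"."}
    tp = normalize(trust_point)
    zones = []
    for owner in owner_names:
        # Closest enclosing zone; "." is always in `cuts`, so this terminates.
        enclosing = next(a for a in ancestors(owner) if a in cuts)
        for apex in ancestors(enclosing):
            if apex == tp:
                break  # stub already validated this zone's DNSKEY
            if apex in cuts and apex not in zones:
                zones.append(apex)
    zones.sort(key=lambda z: len(ancestors(z)))  # root first, leaf zone last
    return {"rrsig_owners": [normalize(o) for o in owner_names], "zones": zones}


if __name__ == "__main__":
    # Constructed data for the example in the quoted mail.
    cuts = {".", "com.", "google.com."}
    answer = ["www.google.com.", "www.l.google.com."]
    hint = name_to_wire("google.com")          # what the stub would send
    print(needed_chain(answer, cuts, wire_to_name(hint)))  # zones: []
    print(needed_chain(answer, cuts, "."))                 # zones: com., google.com.
```

With the trust point at google.com the server adds no DS or DNSKEY at all, only the RRSIGs over the two answer RRsets, which matches the quoted reasoning; with the trust point at the root it must add the com and google.com DS/DNSKEY sets as well.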