Re: the DO bit Re: [dnsext] Reminder: two WGLC closing in one week

David Conrad <drc@virtualized.org> Mon, 06 October 2008 18:56 UTC

Cc: Namedroppers WG <namedroppers@ops.ietf.org>
Message-Id: <2E662103-4B2F-40BD-8AF7-BA16F2E5CB35@virtualized.org>
From: David Conrad <drc@virtualized.org>
To: Edward Lewis <Ed.Lewis@neustar.biz>
In-Reply-To: <a06240802c50feb2040bc@[192.168.1.101]>
Subject: Re: the DO bit Re: [dnsext] Reminder: two WGLC closing in one week
Date: Mon, 06 Oct 2008 11:52:40 -0700
References: <200809262103.m8QL3USA067104@drugs.dv.isc.org> <8263ob2xyy.fsf@mid.bfk.de> <a06240802c50feb2040bc@[192.168.1.101]>

Hi,

On Oct 6, 2008, at 9:25 AM, Edward Lewis wrote:
>>> DO indicates that you want the DNSSEC records.
>> DO was originally conceived as "intent to validate".  It's not used
>> this way, though.
> No, "DO indicates that you want the DNSSEC records" is accurate.

As someone with some minor involvement in the definition of DO, I can  
say that I actually _intended_ it to signal "intent to validate".  It  
honestly never occurred to me that people would request DNSSEC-related  
RRs with no intent to validate them.  The fact that BINDv9 hardcodes  
DO on, even if trust anchors aren't configured and regardless of the  
state of the multiple variables you have to set to turn on DNSSEC in  
BIND, came as something of a surprise.

"Oops.  My bad."

> After not hearing from the government agency that was funding the  
> work on DNSSEC for a few days we realized that something was amiss.   
> It turned out that we were responding to A record requests with  
> responses enlarged by the DNSSEC records and the funding agency's  
> firewalls were rejecting all traffic to port 53 over a certain  
> size.  This "eating our own dogfood" experience led to the DO bit.

That was part of it.  There were also resolvers out there at the time  
that did ... questionable things if you supplied them with RRs they  
didn't understand (some version of Windows NT DNS server, IIRC).  And  
there was some concern that the root servers might be adversely  
impacted by having _all_ of their responses increase by 3 to 6 times.

Regards,
-drc

