Re: [dnsext] afasterinternet.com trial and draft-vandergaast-edns-client-subnet-00
Tony Finch <dot@dotat.at> Tue, 06 September 2011 13:27 UTC
Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E83D21F8742 for <dnsext@ietfa.amsl.com>; Tue, 6 Sep 2011 06:27:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.583
X-Spam-Level:
X-Spam-Status: No, score=-6.583 tagged_above=-999 required=5 tests=[AWL=0.016, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y+OYF4tZUCF6 for <dnsext@ietfa.amsl.com>; Tue, 6 Sep 2011 06:27:24 -0700 (PDT)
Received: from ppsw-51.csi.cam.ac.uk (ppsw-51.csi.cam.ac.uk [131.111.8.151]) by ietfa.amsl.com (Postfix) with ESMTP id DE26D21F8640 for <dnsext@ietf.org>; Tue, 6 Sep 2011 06:27:23 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-SpamDetails: not scanned
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:34599) by ppsw-51.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.158]:25) with esmtpa (EXTERNAL:fanf2) id 1R0vi7-0007Ty-ZI (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Tue, 06 Sep 2011 14:29:07 +0100
Received: from fanf2 (helo=localhost) by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local-esmtp id 1R0vi7-0006sp-U1 (Exim 4.67) (return-path <fanf2@hermes.cam.ac.uk>); Tue, 06 Sep 2011 14:29:07 +0100
Date: Tue, 06 Sep 2011 14:29:07 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Marc Lampo <marc.lampo@eurid.eu>
In-Reply-To: <002e01cc6c72$6e28c920$4a7a5b60$@lampo@eurid.eu>
Message-ID: <alpine.LSU.2.00.1109061414320.30178@hermes-2.csi.cam.ac.uk>
References: <20110830162134.GB84494@shinkuro.com> <4e5f3343.cd06e70a.2596.ffffb1e7SMTPIN_ADDED@mx.google.com> <CAMbvoaKZbFHJr--CcuH5Ue1ndMS2WxVdOxWP6EnXfcPQ4x4evw@mail.gmail.com> <002e01cc6c72$6e28c920$4a7a5b60$@lampo@eurid.eu>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] afasterinternet.com trial and draft-vandergaast-edns-client-subnet-00
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Sep 2011 13:27:25 -0000
Marc Lampo <marc.lampo@eurid.eu> wrote: > > - how can caching name service know which RRSIG, applying to RRset with > eg one A-record, goes with which A-record ? An RRSIG covers an entire RRset. Different caches may see different RRsets, and the same cache may see different RRsets at different times, so caches need to ensure each RRSIG is transmitted, cached, and expired alongside its RRset. The EDNS client subnet option allows caches to store multiple RRsets for the same name, type, and class at the same time, distinguishing them according to the client IP address. > - this is not "standard" for the authoritative name services, > to provide these multiple RRSIG's. Correct. Geo IP requires stunt name servers for all authoritative servers. The servers hand out different versions of the same RRset according to some internal logic. Each version of the RRset needs an appropriate RRSIG. There only need to be RRSIGs for the RRsets that are actually served. > The EDNS0 OPT record is mandatory, for DNSSEC. Records from client to > server cannot be signed anyway; I see no requirement/recommendation of > signing the OPT record from server to client. SIG(0) / TSIG. > What I really meant to express, is that, for public caching name services, > I'd recommend they implement DNSSEC themselves > (first - before implementing this/your draft RFC) Yes, but the only people who need to implement this draft are those running open resolvers with a very widely dispersed client population, and content delivery networks who want accurate geo IP for users of large open resolver services. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Portland, Plymouth: Southwest veering west 6 to gale 8, occasionally severe gale 9 at first in Portland, decreasing 5 at times later. Rough, occasionally very rough at first. Rain then showers. Moderate or good.
- [dnsext] afasterinternet.com trial and draft-vand… Andrew Sullivan
- Re: [dnsext] afasterinternet.com trial and draft-… Wilmer van der Gaast
- Re: [dnsext] afasterinternet.com trial and draft-… Alex Bligh
- Re: [dnsext] afasterinternet.com trial and draft-… Colm MacCárthaigh
- Re: [dnsext] afasterinternet.com trial and draft-… Andrew Sullivan
- Re: [dnsext] afasterinternet.com trial and draft-… Colm MacCárthaigh
- Re: [dnsext] afasterinternet.com trial and draft-… Matthew Dempsky
- Re: [dnsext] afasterinternet.com trial and draft-… Matt McCutchen
- Re: [dnsext] afasterinternet.com trial and draft-… Alex Bligh
- Re: [dnsext] afasterinternet.com trial and draft-… Alex Bligh
- [dnsext] a lightweight process for assigning EDNS… Jim Reid
- Re: [dnsext] afasterinternet.com trial and draft-… SM
- Re: [dnsext] afasterinternet.com trial and draft-… Andrew Sullivan
- Re: [dnsext] a lightweight process for assigning … Livingood, Jason
- Re: [dnsext] afasterinternet.com trial and draft-… Wilmer van der Gaast
- Re: [dnsext] afasterinternet.com trial and draft-… Wilmer van der Gaast
- Re: [dnsext] afasterinternet.com trial and draft-… Andrew Sullivan
- Re: [dnsext] afasterinternet.com trial and draft-… Wilmer van der Gaast
- Re: [dnsext] afasterinternet.com trial and draft-… Ted Hardie
- Re: [dnsext] afasterinternet.com trial and draft-… Ted Hardie
- Re: [dnsext] afasterinternet.com trial and draft-… Andrew Sullivan
- Re: [dnsext] afasterinternet.com trial and draft-… Andrew Sullivan
- Re: [dnsext] afasterinternet.com trial and draft-… Ted Hardie
- Re: [dnsext] afasterinternet.com trial and draft-… Andrew Sullivan
- Re: [dnsext] afasterinternet.com trial and draft-… Masataka Ohta
- Re: [dnsext] afasterinternet.com trial and draft-… Alex Bligh
- Re: [dnsext] afasterinternet.com trial and draft-… Marc Lampo
- Re: [dnsext] afasterinternet.com trial and draft-… Tony Finch
- Re: [dnsext] afasterinternet.com trial and draft-… Jaidev Sridhar
- Re: [dnsext] afasterinternet.com trial and draft-… Phillip Hallam-Baker
- Re: [dnsext] a lightweight process for assigning … Phillip Hallam-Baker
- Re: [dnsext] a lightweight process for assigning … Nicholas Weaver
- Re: [dnsext] a lightweight process for assigning … Phillip Hallam-Baker
- Re: [dnsext] afasterinternet.com trial and draft-… Wilmer van der Gaast
- Re: [dnsext] afasterinternet.com trial and draft-… Wilmer van der Gaast
- Re: [dnsext] afasterinternet.com trial and draft-… SM
- Re: [dnsext] afasterinternet.com trial and draft-… Martin Barry
- [dnsext] Address privacy (was Re: afasterinternet… Masataka Ohta
- Re: [dnsext] afasterinternet.com trial and draft-… Marc Lampo
- Re: [dnsext] afasterinternet.com trial and draft-… Tony Finch
- Re: [dnsext] afasterinternet.com trial and draft-… Florian Weimer
- Re: [dnsext] afasterinternet.com trial and draft-… Edward Lewis
- Re: [dnsext] Address privacy (was Re: afasterinte… SM
- Re: [dnsext] afasterinternet.com trial and draft-… Ted Hardie
- Re: [dnsext] afasterinternet.com trial and draft-… Ted Hardie
- Re: [dnsext] afasterinternet.com trial and draft-… Nicholas Weaver
- Re: [dnsext] afasterinternet.com trial and draft-… Nicholas Weaver
- Re: [dnsext] afasterinternet.com trial and draft-… Ted Hardie
- Re: [dnsext] afasterinternet.com trial and draft-… Nicholas Weaver
- Re: [dnsext] afasterinternet.com trial and draft-… Ted Hardie
- Re: [dnsext] afasterinternet.com trial and draft-… Martin Barry
- Re: [dnsext] afasterinternet.com trial and draft-… bmanning
- Re: [dnsext] afasterinternet.com trial and draft-… Phillip Hallam-Baker
- Re: [dnsext] Address privacy (was Re: afasterinte… Masataka Ohta
- Re: [dnsext] afasterinternet.com trial and draft-… Wilmer van der Gaast
- Re: [dnsext] Address privacy (was Re: afasterinte… SM