Re: [dnsext] Reminder: two WGLC closing in one week

Olafur Gudmundsson <ogud@ogud.com> Thu, 02 October 2008 15:07 UTC

Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A9583A67E4; Thu, 2 Oct 2008 08:07:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QgiHfl41yJFk; Thu, 2 Oct 2008 08:07:17 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 8B3E53A69CD; Thu, 2 Oct 2008 08:07:17 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1KlPgM-000I4t-Pk for namedroppers-data@psg.com; Thu, 02 Oct 2008 15:01:34 +0000
Received: from [66.92.146.20] (helo=stora.ogud.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <ogud@ogud.com>) id 1KlPgE-000I3h-GS for namedroppers@ops.ietf.org; Thu, 02 Oct 2008 15:01:32 +0000
Received: from Puki.ogud.com (nyttbox.md.ogud.com [10.20.30.4]) by stora.ogud.com (8.14.2/8.14.2) with ESMTP id m92F1JLB072566; Thu, 2 Oct 2008 11:01:20 -0400 (EDT) (envelope-from ogud@ogud.com)
Message-Id: <200810021501.m92F1JLB072566@stora.ogud.com>
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 02 Oct 2008 11:01:12 -0400
To: Florian Weimer <fweimer@bfk.de>
From: Olafur Gudmundsson <ogud@ogud.com>
Subject: Re: [dnsext] Reminder: two WGLC closing in one week
Cc: namedroppers@ops.ietf.org
In-Reply-To: <8263ob2xyy.fsf@mid.bfk.de>
References: <200809262103.m8QL3USA067104@drugs.dv.isc.org> <8263ob2xyy.fsf@mid.bfk.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.64 on 10.20.30.4
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

<DNSSEC-historian-hat=on>
At 04:38 02/10/2008, Florian Weimer wrote:
>* Mark Andrews:
>
> >> DO necessarily implies UD because the synthesized CNAME is not signed
> >> and thus not visible to a DNSSEC client (section 3.1).
> >
> >       DO indicates that you want the DNSSEC records.
>
>DO was originally conceived as "intent to validate".  It's not used
>this way, though.

DO was designed to address two issues:
- Protect DNSSEC-ignorant resolvers that failed when they saw 
"unknown" RR types.
- Keep answers smaller for DNSSEC ignorant queriers.

When DO was proposed, someone observed "DNSSEC is only for consenting adults".


> >       UD indicates that you don't want the synthesised CNAME.
> >
> >       There are cases where you don't want DO to imply UD.
> >       Think humans reading the output.
>
>If UD is debugging-only, I don't think it's worth the effort.

UD is an exit plan from "synthesize CNAME forever" as the old exit plan
"new version of EDNS" is not on the horizon.
There are actively maintained non-DNSSEC DNAME-aware resolvers
out there and these resolvers can send queries with DO=0 and UD=1.
One of the objections to placing DNAME records
in the root zone was the "CNAME synthesis overhead".

         Olafur 
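The two mechanisms the message turns on, the DO flag carried in the EDNS OPT pseudo-RR and the CNAME a DNAME-aware server synthesizes, are shown below as an added worked example; it is not code from the thread or from any named implementation. The DO bit position (0x8000 in the OPT TTL's extended-flags field, per RFC 3225/6891) is standard. The UD flag was only ever a draft proposal, so its bit position here is an assumption for illustration, and `answer_with_dname` models the semantics the thread describes (DNAME always returned, synthesized CNAME suppressed when UD is set, no implication from DO to UD) rather than any standardized behaviour.

```python
import struct

# EDNS(0) OPT pseudo-RR constants (RFC 6891; DO bit defined in RFC 3225).
OPT_TYPE = 41
DO_FLAG = 0x8000          # DNSSEC OK: bit 15 of the 16-bit extended flags field
# The UD ("understand DNAME") flag discussed in the thread was only ever proposed
# in a draft; the bit position below is an ASSUMPTION made for this example.
UD_FLAG_ASSUMED = 0x4000


def build_opt_rr(udp_size=4096, do=False, ud=False, ext_rcode=0, version=0):
    """Serialize an OPT RR: owner = root name, TYPE=41, CLASS = UDP payload size,
    TTL = ext-rcode(8) | version(8) | flags(16), RDLENGTH=0 (no options)."""
    flags = (DO_FLAG if do else 0) | (UD_FLAG_ASSUMED if ud else 0)
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)


def parse_opt_rr(data):
    """Parse a wire-format OPT RR back into its fields, validating the fixed parts."""
    if len(data) < 11 or data[0:1] != b"\x00":
        raise ValueError("OPT RR must be at least 11 octets and owned by the root name")
    rtype, udp_size, ttl, rdlen = struct.unpack("!HHIH", data[1:11])
    if rtype != OPT_TYPE:
        raise ValueError("not an OPT RR (type %d)" % rtype)
    flags = ttl & 0xFFFF
    return {
        "udp_size": udp_size,
        "ext_rcode": ttl >> 24,
        "version": (ttl >> 16) & 0xFF,
        "do": bool(flags & DO_FLAG),
        "ud": bool(flags & UD_FLAG_ASSUMED),   # assumed bit, see above
        "rdlen": rdlen,
    }


def _labels(name):
    """Split a presentation-format name into lowercase labels, ignoring the root dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def synthesize_cname(qname, dname_owner, dname_target):
    """DNAME substitution (RFC 2672 / RFC 6672): if qname is a proper subdomain of
    the DNAME owner, replace the owner suffix with the target and return the
    synthesized CNAME target. Returns None when the DNAME does not apply."""
    q, o, t = _labels(qname), _labels(dname_owner), _labels(dname_target)
    # A DNAME covers names strictly below its owner, never the owner itself.
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    new = q[: len(q) - len(o)] + t
    # Wire-format names are limited to 255 octets; RFC 2672 has the server answer
    # YXDOMAIN rather than emit an oversized synthesized name.
    if sum(len(l) + 1 for l in new) + 1 > 255:
        raise ValueError("synthesized name exceeds 255 octets (YXDOMAIN)")
    return ".".join(new) + "."


def answer_with_dname(qname, dname_owner, dname_target, do=False, ud=False):
    """Compose the answer-section RRs a DNAME-aware server would return as
    (owner, type, rdata) tuples. The DNAME itself is always included; the
    synthesized CNAME is omitted only when the querier set UD. DO is deliberately
    NOT treated as implying UD, matching the objection raised in the thread
    (humans reading the output still want the CNAME). The synthesized CNAME never
    carries an RRSIG, which is why a validator must work from the DNAME instead."""
    target = synthesize_cname(qname, dname_owner, dname_target)
    if target is None:
        return []
    rrs = [(dname_owner, "DNAME", dname_target)]
    if not ud:
        rrs.append((qname, "CNAME", target))
    return rrs


if __name__ == "__main__":
    opt = build_opt_rr(do=True)
    print(parse_opt_rr(opt))
    print(answer_with_dname("www.example.com.", "example.com.", "example.net.", do=True))
    print(answer_with_dname("www.example.com.", "example.com.", "example.net.", ud=True))
```

Run as-is it prints the decoded OPT RR with DO set, then the DNAME plus synthesized CNAME for a DO=1 query, and the DNAME alone for a UD=1 query; the constructed names are illustrative and resolve nothing.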


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>