Re: [DNSOP] Wildcard junk vs NXDOMAIN junk
Paul Vixie <paul@redbarn.org> Thu, 07 April 2022 23:12 UTC
Return-Path: <paul@redbarn.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FB843A0E84 for <dnsop@ietfa.amsl.com>; Thu, 7 Apr 2022 16:12:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redbarn.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nLDq6Uv-sGJh for <dnsop@ietfa.amsl.com>; Thu, 7 Apr 2022 16:12:29 -0700 (PDT)
Received: from util.redbarn.org (util.redbarn.org [IPv6:2001:559:8000:cd::222]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A3EB3A1908 for <dnsop@ietf.org>; Thu, 7 Apr 2022 16:12:25 -0700 (PDT)
Received: from family.redbarn.org (family.redbarn.org [24.104.150.213]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by util.redbarn.org (Postfix) with ESMTPS id C0B1E1A2423 for <dnsop@ietf.org>; Thu, 7 Apr 2022 23:12:21 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=redbarn.org; s=util; t=1649373141; bh=gAvdm1ScbHneUPC+5C3wQsAjhZDE2DEyE7emppLGvYs=; h=Subject:To:References:From:Date:In-Reply-To; b=R+RuPuOHnL3stAf+HV/LFTwFAVkS3rBkS65H+x+NowzG9fu54VpqEvkMp8BezhgwG PU9MmTL3tP2I6sks17S7SCNWoOgF1NkYxNXCFO3KE82UOnhIdBzRDjLvcy2AxZ+Asb /o4GxlI6qEO0qod1TsFBzINZKovJYVUi77113NgY=
Received: from [24.104.150.147] (dhcp-147.access.rits.tisf.net [24.104.150.147]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by family.redbarn.org (Postfix) with ESMTPSA id 7A3747597E for <dnsop@ietf.org>; Thu, 7 Apr 2022 23:12:21 +0000 (UTC)
To: "dnsop@ietf.org WG" <dnsop@ietf.org>
References: <9355318d-a779-400f-9e3b-27b53fa3e9bf@iecc.com> <CAH1iCioHeP93Txqk=fO0z5UdPX5XmDsFs5GzggySTmEAJDRrcg@mail.gmail.com>
From: Paul Vixie <paul@redbarn.org>
Message-ID: <0a5f3ac5-1901-28f5-c977-806d684710de@redbarn.org>
Date: Thu, 07 Apr 2022 16:12:20 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 PostboxApp/7.0.54
MIME-Version: 1.0
In-Reply-To: <CAH1iCioHeP93Txqk=fO0z5UdPX5XmDsFs5GzggySTmEAJDRrcg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/1gX9RJSuqUnIRmStnZM9MAQBHJo>
Subject: Re: [DNSOP] Wildcard junk vs NXDOMAIN junk
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2022 23:12:35 -0000
Brian Dickson wrote on 2022-04-07 14:26: > ... > > However, that does provide motivation for (a) signing zones, and (b) > resolvers doing validation with synthesis. > > Together, those reduce (a) load on auth servers, and (b) cache > pollution. Win/win. if those pigs had wings, they could indeed fly. (the motivation is assymetric to the benefit, so this is like all other things dnssec related, and most things ipv6 related, and so on.) wildcard synthesis should always have been resolver-side. now we live like this. a zero-length EDNS option with a name like REALWILD that asked the authority server to include *.example.com as an answer's owner name (rather than www.example.com by synthesis) is probably the way out of this hell. -- P Vixie
- [DNSOP] Wildcard junk vs NXDOMAIN junk John R. Levine
- Re: [DNSOP] Wildcard junk vs NXDOMAIN junk Patrik Fältström
- Re: [DNSOP] Wildcard junk vs NXDOMAIN junk Brian Dickson
- Re: [DNSOP] Wildcard junk vs NXDOMAIN junk Paul Vixie
- Re: [DNSOP] Wildcard junk vs NXDOMAIN junk Mark Andrews
- Re: [DNSOP] Wildcard junk vs NXDOMAIN junk Paul Vixie