Re: [DNSOP] Call for Adoption draft-wkumari-dnsop-root-loopback

Bob Harold <rharolde@umich.edu> Thu, 20 November 2014 18:52 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/3DYY7UkH0EjDmVcvHp7eBj0LJcY
Cc: IETF DNSOP WG <dnsop@ietf.org>

Thanks Paul,
   I use BIND, but am not an expert.  Based on the discussion I will
suggest some words and the experts can correct me:

Note:  By using a separate view, the "recursive" view will do DNSSEC
validation on the responses it receives from the "root" view, which is
necessary for security.  It will cache the answers, including the
validation.

Alternatively, if the root zone were loaded directly in the "recursive"
view, then DNSSEC validation would not be done, as BIND would trust the
zone.  Then you would want to do separate validation on the zone during
zone transfers.  This might result in less caching and less time spent
validating, but requires a more complex configuration.
-- 
Bob Harold
hostmaster, UMnet, ITcom
Information and Technology Services (ITS)
rharolde@umich.edu
734-647-6524 desk

On Thu, Nov 20, 2014 at 1:25 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:

> On Nov 20, 2014, at 10:20 AM, Bob Harold <rharolde@umich.edu> wrote:
> > I can see where "validate on zone transfer" would be a feature request.
> And "validate everything" similarly.
> >
> > For the draft, could a small paragraph be added explaining the
> difference between using a separate view for the root zone and just loading
> it in the same view, so that people like me realize the tradeoffs before we
> decide to implement the draft with what we might think is a minor
> simplification, not realizing the impact?
>
> Yes, we can add this to the BIND example in the appendices. Given that I
> kinda suck at BIND, proposed wording would cause less grief in the next
> draft...
>
> --Paul Hoffman
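The two-view BIND layout discussed above, written out as a named.conf fragment. This is an added editorial example, not text from the message, from the draft, or from BIND's own documentation. The view names, the loopback alias 127.12.12.12, the file names and the transfer-source addresses are assumptions (the addresses are the ICANN xfr hosts later listed in RFC 7706; check them against the current appendix before use). The commented-out block at the end is the single-view alternative the message warns about, shown beside the two-view form so the difference in what gets validated is visible.

```conf
// Added example: two-view BIND 9 configuration for serving the root zone
// on loopback while still DNSSEC-validating everything the resolver caches.
// All names and addresses below are assumptions for illustration.

options {
    directory "/var/named";
    // 127.12.12.12 is an assumed extra loopback address; on Linux add it with
    //   ip addr add 127.12.12.12/32 dev lo
    listen-on { 127.0.0.1; 127.12.12.12; };
    listen-on-v6 { ::1; };
};

// View 1: the "root" view. It holds a slave copy of the root zone obtained by
// AXFR and answers authoritatively. Nothing here is validated by BIND; the
// only protection is the transfer source, so restrict who can reach it.
view "root" {
    match-destinations { 127.12.12.12; };
    match-clients { 127.0.0.0/8; };
    recursion no;
    allow-transfer { none; };

    zone "." {
        type slave;            // "type secondary" on BIND 9.16 and later
        file "root.zone";
        notify no;
        masters {
            192.0.47.132;      // xfr.cjr.dns.icann.org (assumed; verify)
            192.0.32.132;      // xfr.lax.dns.icann.org (assumed; verify)
        };
    };
};

// View 2: the "recursive" view that clients actually talk to. The root is a
// static-stub zone pointing at the loopback alias, so root queries leave this
// view through the normal iterative path, come back in through view "root",
// and are validated against the configured trust anchor and cached like any
// other upstream answer. This is the property the message calls "necessary
// for security": a tampered or stale root.zone file fails validation here.
view "recursive" {
    match-clients { any; };
    recursion yes;
    allow-recursion { 127.0.0.0/8; 10.0.0.0/8; };   // assumed client range
    dnssec-validation auto;    // built-in root trust anchor, RFC 5011 managed

    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};

// The single-view alternative described in the message (shown for contrast,
// NOT recommended as-is): load "." as a slave zone inside the recursive view.
// BIND then serves root answers from its own authoritative data, and the
// validator never examines local authoritative data, so a corrupted or
// substituted transfer is accepted silently. You would have to verify the
// zone's signatures out of band after every transfer, which is the "more
// complex configuration" the message refers to.
//
// view "recursive" {
//     match-clients { any; };
//     recursion yes;
//     dnssec-validation auto;
//     zone "." {
//         type slave;
//         file "root.zone";
//         masters { 192.0.47.132; 192.0.32.132; };
//     };
// };
```

A quick way to confirm the two-view form is actually validating is to query the recursive view for a root-zone record and check for the AD flag, e.g. `dig @127.0.0.1 . SOA +dnssec` should show `ad` in the flags, while the same query at the root view (`dig @127.12.12.12 . SOA +dnssec`) shows `aa` and no `ad`. If the root view stops being reachable or the transfer fails, the recursive view's static-stub has no fallback, so monitor the zone's SOA serial and expiry on the root view.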