Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt
Ralf Weber <dns@fl1ger.de> Fri, 06 March 2015 21:39 UTC
Date: Fri, 06 Mar 2015 13:38:56 -0800
From: Ralf Weber <dns@fl1ger.de>
To: Paul Vixie <paul@redbarn.org>
Message-ID: <20150306213856.GA51222@PorcupineTree.nominum.com>
References: <20150306172715.24305.58649.idtracker@ietfa.amsl.com> <CAN6NTqw4n_mTqjGDsOc4kT3fvm1PaCWKt+AUPw+4GevQqG3Ymw@mail.gmail.com> <20150306182444.GA50555@PorcupineTree.nominum.com> <54F9FC8D.9050003@redbarn.org>
In-Reply-To: <54F9FC8D.9050003@redbarn.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/4XX9xa5BxXQzcKKSYR5jlhXdp2w>
Cc: Olafur Gudmundsson <olafur@cloudflare.com>, dnsop@ietf.org
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt
Moin!

On Fri, Mar 06, 2015 at 11:14:21AM -0800, Paul Vixie wrote:
> > Also why have you limited this to authoritative servers?
>
> this raises the point: ANY deserves its own access control list, or
> other non-BIND equivalent. because ANY is useful for diagnostics, local
> sysadmins ought to be able to make such queries.

That depends. If you have other mechanisms than dig to get data out of your cache you don't need it. I would like to see it deprecated to the level that no one relies on the query being answered with a record. So even the resolver can answer with NOTIMP.

> this way lies madness. you can't know that a validator has no reasonable
> intent behind an RRSIG query.

I cannot see how there is a reason for a validator to issue an RRSIG query, and I do not know of a validator that does this (there might be). RRSIG is as complex as the ANY query as you have to look for all resource record types and not just one. We don't need to include that in this draft, but the complexity of the query is higher than a normal query and the use of it is way lower (IMHO it is not needed).

Just two quick datapoints I got. On a recursive server farm of a medium ISP (that doesn't do validation, but has its servers DNSSEC enabled), out of a total of 15 billion queries a day there were 6 RRSIG queries, and on an authoritative server for a DNSSEC secured domain that has around 2 million queries a day there were 7 RRSIG queries. So maybe we deprecate it before people use it more ;-).

So long
-Ralf
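The "answer with NOTIMP" behaviour discussed above, as an added Python example that is not part of this thread or of the draft: it hand-assembles a constructed DNS query, reads the QTYPE from the question section, and returns a NOTIMP (RCODE 4) response for QTYPEs on an assumed server policy list (ANY by default; RRSIG only if an operator chooses to add it).

```python
import struct

QTYPE_ANY = 255
QTYPE_RRSIG = 46
RCODE_NOTIMP = 4
# Assumed server policy: which QTYPEs get a NOTIMP answer. RRSIG is not
# included by default; the thread leaves it out of the draft.
REFUSED_TYPES = {QTYPE_ANY}


def build_query(qname, qtype, msg_id=0x1234):
    """Assemble a minimal DNS query (header + one IN question) in wire format (constructed)."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (qname, qtype, end_offset) of the first question; no compression pointers."""
    labels, pos = [], 12
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[pos:pos + n].decode())
        pos += n
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels) + ".", qtype, pos + 4


def respond(msg, refused=REFUSED_TYPES):
    """Return a NOTIMP response for refused QTYPEs, else None (caller answers normally)."""
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        return None
    _qname, qtype, qend = parse_question(msg)
    if qtype not in refused:
        return None
    # QR=1, keep the client's RD bit, RCODE=NOTIMP; echo the question, no RRs.
    rflags = 0x8000 | (flags & 0x0100) | RCODE_NOTIMP
    return struct.pack("!HHHHHH", msg_id, rflags, 1, 0, 0, 0) + msg[12:qend]


def rcode(msg):
    """Extract the 4-bit RCODE from a DNS message header."""
    return struct.unpack("!H", msg[2:4])[0] & 0xF
```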