Re: [DNSOP] More work for DNSOP :-)

Olafur Gudmundsson <ogud@ogud.com> Mon, 09 March 2015 01:23 UTC

From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <2C465FAA-166E-4BF0-97BB-20905AC4BFF4@cam.ac.uk>
Date: Sun, 08 Mar 2015 21:23:34 -0400
Message-Id: <42657AF9-53D5-4CFE-B1EB-F0235E59CFE3@ogud.com>
References: <20150306145217.GA8959@nic.fr> <54F9C29E.9040408@jive.com> <54F9F90D.1020806@redbarn.org> <54F9FCD3.7010204@jive.com> <54F9FDFA.2030405@redbarn.org> <CA+nkc8AyOvMwpoXQYmubxmWjKvkQwXYr1QaLPOoA1E-ahpV7wA@mail.gmail.com> <2C465FAA-166E-4BF0-97BB-20905AC4BFF4@cam.ac.uk>
To: Tony Finch <fanf2@cam.ac.uk>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/B9Svh_5AeCL4FFPGwtGLOma66pk>
Cc: Bob Harold <rharolde@umich.edu>, IETF DNSOP WG <dnsop@ietf.org>, Paul Vixie <paul@redbarn.org>
Subject: Re: [DNSOP] More work for DNSOP :-)

There is a new version in the works, expect it late tomorrow (Monday).

It does not outlaw ANY per se; it just says to limit it to trusted parties.
I tried to define that resolvers treat NOTIMP as a long-term signal that the resolver should keep track of and not retry.
It says ignore RD=1 on meta queries.
It says do not upstream meta queries.

It applies to all meta types, including RRSIG. 

	Olafur

> On Mar 7, 2015, at 4:36 PM, Tony Finch <fanf2@cam.ac.uk> wrote:
> 
> 
>> On 6 Mar 2015, at 19:37, Bob Harold <rharolde@umich.edu> wrote:
>> 
>> I would be concerned about blocking RD=0 (non-recursive). That would prevent me from checking to be sure an entry was NOT in the cache, in some DNS server my clients are using.
> 
> I thought cache probing was considered an unfortunate information leak :-)
> 
> You can block rd=0 in BIND using a view with a match-recursive-only directive. So I think the only missing ACL is for ANY (and the similar RRSIG).
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at
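The behaviours Olafur lists for the draft (refuse meta queries such as ANY and RRSIG from untrusted parties with NOTIMP, ignore RD=1 on them, never forward them upstream, and have the resolver remember a NOTIMP answer so it does not keep retrying) can be modelled end to end in a few dozen lines. The block below is an added illustration written for this page; it is not code from the draft, from BIND, or from anyone in the thread. The trusted range, the client and server addresses (all from the documentation prefixes) and the 86400-second memory TTL are constructed assumptions; the QTYPE numbers (ANY=255, RRSIG=46) and RCODE NOTIMP=4 are the standard IANA values.

```python
"""Toy model of meta-query policy on the server side and NOTIMP memory on the
resolver side.  Added example for the DNSOP thread; not draft or BIND code."""
import ipaddress
import struct
import time

QTYPE_ANY = 255
QTYPE_RRSIG = 46
META_QTYPES = {QTYPE_ANY, QTYPE_RRSIG}  # draft covers all meta types; two shown
RCODE_NOERROR = 0
RCODE_NOTIMP = 4                        # RFC 1035 "Not Implemented"
FLAG_RD = 0x0100                        # Recursion Desired bit in the header


def build_query(qname, qtype, rd=True, msg_id=0x1234):
    """Build a minimal wire-format DNS query: header + one question, no EDNS."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # IN class


def parse_question(msg):
    """Return (id, flags, qname, qtype) from a single-question query."""
    msg_id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    qtype, = struct.unpack("!H", msg[pos:pos + 2])
    return msg_id, flags, ".".join(labels) + ".", qtype


class MetaQueryPolicy:
    """Server side: decide how to treat a query given the client address."""

    def __init__(self, trusted_nets):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_nets]

    def is_trusted(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        return any(ip in net for net in self.trusted)

    def handle(self, msg, client_ip):
        """Return (rcode, forward_upstream)."""
        _, flags, _, qtype = parse_question(msg)
        if qtype in META_QTYPES:
            # Meta query: RD=1 is ignored (no recursion, never sent upstream).
            if not self.is_trusted(client_ip):
                return RCODE_NOTIMP, False
            return RCODE_NOERROR, False     # answer from local data only
        # Ordinary query: honour RD and let it go upstream if set.
        return RCODE_NOERROR, bool(flags & FLAG_RD)


class NotImpMemory:
    """Resolver side: remember (server, qtype) pairs that answered NOTIMP and
    do not retry them until the entry expires."""

    def __init__(self, ttl=86400):   # assumed TTL; the draft fixes no number
        self.ttl = ttl
        self.entries = {}            # (server, qtype) -> expiry timestamp

    def record(self, server, qtype, now=None):
        now = time.time() if now is None else now
        self.entries[(server, qtype)] = now + self.ttl

    def should_retry(self, server, qtype, now=None):
        now = time.time() if now is None else now
        expiry = self.entries.get((server, qtype))
        if expiry is None:
            return True
        if now >= expiry:
            del self.entries[(server, qtype)]   # signal has aged out
            return True
        return False


def demo():
    """Constructed run: untrusted client asks ANY, gets NOTIMP, resolver remembers."""
    policy = MetaQueryPolicy(["192.0.2.0/24"])          # constructed trusted range
    memory = NotImpMemory()
    server = "203.0.113.53"                              # constructed server address
    rcode, upstream = policy.handle(build_query("example.com", QTYPE_ANY), "198.51.100.7")
    if rcode == RCODE_NOTIMP:
        memory.record(server, QTYPE_ANY, now=1000)
    return rcode, upstream, memory.should_retry(server, QTYPE_ANY, now=1000)


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(4, False, False)`: the untrusted ANY query is answered NOTIMP, nothing is sent upstream, and the resolver will not retry that server for ANY until the remembered entry expires. An RRSIG query takes the same path, while an ordinary A query with RD=1 is still forwarded.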