Re: [DNSOP] DNS privacy : now at least two drafts

Florian Weimer <fw@deneb.enyo.de> Mon, 17 March 2014 16:20 UTC

Return-Path: <fw@deneb.enyo.de>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2AA721A0447 for <dnsop@ietfa.amsl.com>; Mon, 17 Mar 2014 09:20:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.547] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D86MaZN8UO_g for <dnsop@ietfa.amsl.com>; Mon, 17 Mar 2014 09:20:05 -0700 (PDT)
Received: from ka.mail.enyo.de (ka.mail.enyo.de [87.106.162.201]) by ietfa.amsl.com (Postfix) with ESMTP id 66E891A0446 for <dnsop@ietf.org>; Mon, 17 Mar 2014 09:20:05 -0700 (PDT)
Received: from [172.17.135.4] (helo=deneb.enyo.de) by ka.mail.enyo.de with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) id 1WPaGa-0008Pl-5g; Mon, 17 Mar 2014 17:19:56 +0100
Received: from fw by deneb.enyo.de with local (Exim 4.80) (envelope-from <fw@deneb.enyo.de>) id 1WPaGZ-0001Yt-VA; Mon, 17 Mar 2014 17:19:55 +0100
From: Florian Weimer <fw@deneb.enyo.de>
To: Mark Andrews <marka@isc.org>
References: <20131217112527.GA18176@nic.fr> <87ob1geis0.fsf@mid.deneb.enyo.de> <20140308165741.GA15121@laperouse.bortzmeyer.org> <8761noehzv.fsf@mid.deneb.enyo.de> <20140308173456.GB17348@laperouse.bortzmeyer.org> <87fvmsd0nk.fsf@mid.deneb.enyo.de> <20140311080053.5FCF910E2D41@rock.dv.isc.org> <87y50auqqf.fsf@mid.deneb.enyo.de> <20140317154143.30B51118C508@rock.dv.isc.org>
Date: Mon, 17 Mar 2014 17:19:55 +0100
In-Reply-To: <20140317154143.30B51118C508@rock.dv.isc.org> (Mark Andrews's message of "Tue, 18 Mar 2014 02:41:43 +1100")
Message-ID: <87a9coiyqc.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/CpUtG7FRLRl6HX-PEeSXiKQTlOw
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] DNS privacy : now at least two drafts
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Mar 2014 16:20:08 -0000

* Mark Andrews:

> In message <87y50auqqf.fsf@mid.deneb.enyo.de>, Florian Weimer writes:
>> * Mark Andrews:
>> 
>> >>>    Another note is that the answer to the NS query, unlike the referral
>> >>>    sent when the question is a full qname, is in the Answer section, not
>> >>>    in the Authoritative section.  It has probably no practical
>> >>>    consequences.
>> >> 
>> >> Most resolvers do not make NS queries, and some authoritative servers
>> >> do not return useful data (or any data at all).  So using NS queries
>> >> for zone cut discovery does not work reliably.
>> >
>> > Any resolver that is DNSSEC aware will make NS queries (whether
>> > validating or not).
>> 
>> Really?  Where is this mentioned in the protocol RFCs?
>
> RFC 3658
> 2.2.1.2.  Special processing when child and an ancestor share
>           nameserver

I think this section is about DS queries, not NS queries.
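As an added illustration of the zone-cut discovery point argued in the quoted exchange (example code written for this page, not code from any of the thread's participants or from any real resolver or authoritative server), the following Python models a constructed three-zone namespace under the hypothetical TLD `example.`, in which the servers for `b.example.` are correctly delegated by their parent but return no data for an explicit NS query at their apex. Two discovery strategies are run over it: asking NS at every ancestor label (the answer, when it comes, sits in the Answer section) and following referrals for the full qname (the delegation NS RRset sits in the Authority section). All names, the `Zone`/`Response` classes and the `TREE` data are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    apex: str                        # absolute owner name of the zone apex, e.g. "b.example."
    ns: tuple                        # names of this zone's nameservers
    answers_ns_queries: bool = True  # False models an authoritative that returns no data for an NS query


@dataclass
class Response:
    answer: list     # (owner, rrtype, rdata) triples in the Answer section
    authority: list  # (owner, rrtype, rdata) triples in the Authority section (referrals go here)
    aa: bool         # Authoritative Answer flag


# Constructed sample namespace (hypothetical names): the parent of "b.example." holds a
# correct delegation, but the servers of "b.example." do not answer explicit NS queries.
TREE = {
    ".":          Zone(".", ("a.root.example.",)),
    "example.":   Zone("example.", ("ns.example.",)),
    "b.example.": Zone("b.example.", ("ns.b.example.",), answers_ns_queries=False),
}


def ancestors(name):
    """Yield ".", then every ancestor of name from the root downward, ending with name itself."""
    yield "."
    if name == ".":
        return
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."


def is_within(name, apex):
    """True if name is at or below apex."""
    return apex == "." or name == apex or name.endswith("." + apex)


def serve(zone, qname, qtype, tree):
    """Simulate one query sent to the servers of `zone` (a Zone from `tree`)."""
    # A delegation we hold encloses qname: send a referral, NS RRset in the Authority section.
    children = [z for z in tree.values()
                if z.apex != zone.apex and is_within(z.apex, zone.apex) and is_within(qname, z.apex)]
    if children:
        child = min(children, key=lambda z: z.apex.count("."))  # the direct child, not a grandchild
        return Response([], [(child.apex, "NS", ns) for ns in child.ns], aa=False)
    # Explicit NS query at our own apex: the RRset belongs in the Answer section...
    if qtype == "NS" and qname == zone.apex:
        if zone.answers_ns_queries:
            return Response([(zone.apex, "NS", ns) for ns in zone.ns], [], aa=True)
        return Response([], [], aa=True)  # ...unless this server is one that returns nothing
    # Anything else inside the zone: authoritative NODATA (address records are not modelled).
    return Response([], [], aa=True)


def resolve(qname, qtype, tree):
    """Iterate from the root, following referrals; return (final response, referral owner names)."""
    zone = tree["."]
    referrals = []
    while True:
        resp = serve(zone, qname, qtype, tree)
        if resp.authority and not resp.aa:          # a referral: the owner name is a zone cut
            owner = resp.authority[0][0]
            referrals.append(owner)
            zone = tree[owner]
            continue
        return resp, referrals


def cuts_via_ns_queries(qname, tree):
    """Zone cuts found by sending an NS query for every ancestor of qname."""
    cuts = []
    for name in ancestors(qname):
        resp, _ = resolve(name, "NS", tree)
        if any(owner == name and rrtype == "NS" for owner, rrtype, _ in resp.answer):
            cuts.append(name)
    return cuts


def cuts_via_referrals(qname, tree):
    """Zone cuts found from the Authority section of referrals while resolving the full qname."""
    _, referrals = resolve(qname, "A", tree)
    return ["."] + referrals


if __name__ == "__main__":
    name = "www.b.example."
    print("NS-query method:  ", cuts_via_ns_queries(name, TREE))
    print("referral method:  ", cuts_via_referrals(name, TREE))
```

The NS-query walk silently loses the `b.example.` cut because that zone's servers return an empty, authoritative answer to the NS query, while the referral walk recovers the same cut from the parent's delegation. Which behaviour real servers exhibit is exactly the empirical question the thread is arguing about; the model only makes the consequence of each behaviour visible.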