Re: [DNSOP] On resolver priming
Mark Andrews <marka@isc.org> Fri, 12 November 2010 09:45 UTC
Return-Path: <marka@isc.org>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A10E73A6B14 for <dnsop@core3.amsl.com>; Fri, 12 Nov 2010 01:45:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.033
X-Spam-Level:
X-Spam-Status: No, score=-2.033 tagged_above=-999 required=5 tests=[AWL=0.566, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w3dKEL5wxcK0 for <dnsop@core3.amsl.com>; Fri, 12 Nov 2010 01:45:35 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by core3.amsl.com (Postfix) with ESMTP id 973C53A6B15 for <dnsop@ietf.org>; Fri, 12 Nov 2010 01:45:35 -0800 (PST)
Received: from farside.isc.org (farside.isc.org [IPv6:2001:4f8:3:bb::5]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "farside.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id 4B273C941A; Fri, 12 Nov 2010 09:45:56 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (dhcp-4852.meeting.ietf.org [130.129.72.82]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by farside.isc.org (Postfix) with ESMTP id AE333E6030; Fri, 12 Nov 2010 09:45:55 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id A6B5A6797EC; Fri, 12 Nov 2010 20:45:54 +1100 (EST)
To: bmanning@vacation.karoshi.com
From: Mark Andrews <marka@isc.org>
References: <20101111100350.GA1997@shinkuro.com><20101111193938.GF16848@vacation.karoshi.com.>
In-reply-to: Your message of "Thu, 11 Nov 2010 19:39:38 -0000." <20101111193938.GF16848@vacation.karoshi.com.>
Date: Fri, 12 Nov 2010 20:45:54 +1100
Message-Id: <20101112094554.A6B5A6797EC@drugs.dv.isc.org>
Cc: Andrew Sullivan <ajs@shinkuro.com>, dnsop@ietf.org
Subject: Re: [DNSOP] On resolver priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Nov 2010 09:45:42 -0000
In message <20101111193938.GF16848@vacation.karoshi.com.>, bmanning@vacation.ka roshi.com writes: > On Thu, Nov 11, 2010 at 05:03:51AM -0500, Andrew Sullivan wrote: > > Hi all, > > > > The last discussion of signing ROOT-SERVERS.NET involved the arguments > > that there's no real value in signing the zone and that there is a > > non-zero cost to doing so. > > > > I agree with both of those arguments, but I wonder whether it might > > not be a better sales job if we just accepted it maybe ought to be > > signed anyway. I'm aware that it runs against the grain to do > > something purely for theatrical reasons, but sometimes people like a > > good show. Every time this topic comes up (especially outside IETF > > circles, where one can perhaps be expected to understand the detailed > > arguments), a number of people argue that it's really necessary to > > sign the zone, or that having an exception for this sets some kind of > > precedent, or something. I think these discussions waste a lot of > > time, and so as a purely tactical measure it strikes me that we could > > shut down that line of argument by just signing the data. > > > > Thoughts? > > > > A > > Political coordination issues aside, there are some interesting > technical issues here that have to do with the priming query > and response. In the absence of 100% EDNS0 penetration, making > this change will result in priming failuers. In the interests > of security and stability, is this a reasonable tradeoff? Non-EDNS recursive nameservers won't see anything different. The only one that could fail are those that do EDNS + DO and block large DNS responses and also block outgoing DNS/TCP queries. Mark > --bill > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
- [DNSOP] On resolver priming Andrew Sullivan
- Re: [DNSOP] On resolver priming Frederico A C Neves
- Re: [DNSOP] On resolver priming Joao Damas
- Re: [DNSOP] On resolver priming Tony Finch
- Re: [DNSOP] On resolver priming Matt Larson
- Re: [DNSOP] On resolver priming bmanning
- Re: [DNSOP] On resolver priming Griffiths, Chris
- Re: [DNSOP] On resolver priming Paul Hoffman
- Re: [DNSOP] On resolver priming Mark Andrews
- Re: [DNSOP] On resolver priming W.C.A. Wijngaards
- Re: [DNSOP] On resolver priming David Conrad
- Re: [DNSOP] On resolver priming Paul Hoffman
- Re: [DNSOP] On resolver priming Joao Damas
- Re: [DNSOP] On resolver priming Paul Hoffman
- Re: [DNSOP] On resolver priming Florian Weimer