Re: [DNSOP] Priming query transport selection

Jim Reid <jim@rfc1035.com> Fri, 15 January 2010 14:05 UTC

Message-Id: <8B0DBD24-B956-4689-92B9-A388D0618059@rfc1035.com>
From: Jim Reid <jim@rfc1035.com>
To: Florian Weimer <fweimer@bfk.de>
In-Reply-To: <82ockvfqsi.fsf@mid.bfk.de>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 15 Jan 2010 14:05:02 +0000
References: <201001131823.o0DINxYv068180@stora.ogud.com> <555CFB98-BB21-4AD4-9D4A-3AF3BD98E4B2@rfc1035.com> <D9CCEA0D18D9D5B457A90853@Ximines.local> <631E7931-47D4-4AAF-B2C6-62DA6DA5A4CA@rfc1035.com> <CDE7E0414BC50C42E4FCC54F@Ximines.local> <E87EE584-97B5-4FE8-B47D-21048A702B51@rfc1035.com> <82ockvfqsi.fsf@mid.bfk.de>
Cc: dnsop@ietf.org, Alex Bligh <alex@alex.org.uk>
Subject: Re: [DNSOP] Priming query transport selection
Precedence: list

On 15 Jan 2010, at 13:20, Florian Weimer wrote:

> DO is rather pointless because the priming response cannot be
> validated anyway (even if ROOT-SERVERS.NET were secure, which is
> currently not planned).

It's not pointless. Validating the priming response requires two  
operations. The first of these is checking the signature over the root  
zone's NS RRset. Which won't be returned unless the DO bit is set.  
[Let's avoid the rat-hole of a DNSSEC-aware resolver iteratively  
querying for DNSKEYs, RRSIGs and so on.] The second operation involves  
validating the address records in root-servers.net. Which will also be  
most efficiently done by setting the DO bit on those queries.

[DNSOP] Priming query transport selection Olafur Gudmundsson
Re: [DNSOP] Priming query transport selection Jim Reid
Re: [DNSOP] Priming query transport selection Alex Bligh
Re: [DNSOP] Priming query transport selection Alex Bligh
Re: [DNSOP] Priming query transport selection Jim Reid
Re: [DNSOP] Priming query transport selection Alex Bligh
Re: [DNSOP] Priming query transport selection Alfred Hönes
Re: [DNSOP] Priming query transport selection Jim Reid
Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
Re: [DNSOP] Priming query transport selection Alex Bligh
Re: [DNSOP] Priming query transport selection Edward Lewis
Re: [DNSOP] Priming query transport selection Alex Bligh
Re: [DNSOP] Priming query transport selection Jim Reid
Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
Re: [DNSOP] Priming query transport selection Nicholas Weaver
Re: [DNSOP] Priming query transport selection Ray.Bellis
[DNSOP] RSA cracking Jim Reid
Re: [DNSOP] Priming query transport selection Patrik Fältström
Re: [DNSOP] Priming query transport selection bmanning
Re: [DNSOP] Priming query transport selection Nicholas Weaver
Re: [DNSOP] Priming query transport selection Patrik Fältström
Re: [DNSOP] Priming query transport selection Sebastian Castro
Re: [DNSOP] Priming query transport selection Ray.Bellis
Re: [DNSOP] Priming query transport selection Simon Leinen
Re: [DNSOP] Priming query transport selection Florian Weimer
Re: [DNSOP] Priming query transport selection Jim Reid
Re: [DNSOP] Priming query transport selection Florian Weimer
Re: [DNSOP] Priming query transport selection George Barwood
Re: [DNSOP] Priming query transport selection George Barwood
[DNSOP] signing glue and additional data Jim Reid
Re: [DNSOP] signing glue and additional data George Barwood
Re: [DNSOP] Priming query transport selection Sebastian Castro
[DNSOP] on what glue is (was: signing glue and ad… Andrew Sullivan
Re: [DNSOP] on what glue is (was: signing glue an… Roy Arends
Re: [DNSOP] [dnsext] Re: Priming query transport … Danny Mayer
Re: [DNSOP] [dnsext] Re: Priming query transport … Alfred Hönes
Re: [DNSOP] [dnsext] Re: Priming query transport … Olafur Gudmundsson