Re: [DNSOP] Using NSEC authoritatively - cutting down on NXD requests...

Bob Harold <rharolde@umich.edu> Mon, 26 October 2015 13:36 UTC

Return-Path: <rharolde@umich.edu>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D29861B2E77 for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2015 06:36:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y6w-N3oeJPTS for <dnsop@ietfa.amsl.com>; Mon, 26 Oct 2015 06:36:11 -0700 (PDT)
Received: from mail-yk0-x234.google.com (mail-yk0-x234.google.com [IPv6:2607:f8b0:4002:c07::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9DC131B2E73 for <dnsop@ietf.org>; Mon, 26 Oct 2015 06:36:11 -0700 (PDT)
Received: by ykek133 with SMTP id k133so1107690yke.2 for <dnsop@ietf.org>; Mon, 26 Oct 2015 06:36:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich_edu.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=RYiGElkQCHijOKrAHzgp/WiYHpM3p1/VgG4w6UPwS7Y=; b=ZRAMiDDW7mVPvUnCpvUGKh1foOM4VvDFf2nUy6WPO2DHkAxDEcShKdeq9XRVRkwYzC DEHnorDledxGa4Yk3ps2NAor7BRKODtIN0SOBRcZXdrG5ahoEgE99byj+wQF28zOU2ZG b9D8mRfC2kbQ8/29Ed5d4yZELO9WgFmoDYHaR2c33wFMcFlU3BnDEZXdM2bBPrjWLKbM vHWq0cpkqMj4OGDSXd6ztx+nxqFtt70iCGz5zyxKUCGES+SeR5ExkrJxs9HCymEuTcrM d0coa9Ghl6liW4U60qi3Bknu3gjjicZvOL1P95zcpeWzVTWgx1gNYSL10Cgri0XWa5GS A/fg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=RYiGElkQCHijOKrAHzgp/WiYHpM3p1/VgG4w6UPwS7Y=; b=dHJLXpSMxFCJ6htO/7cGjU8yRjpx6LfIH8+ThcFMg2HsZEAN1TQyzAIi1xS+mHRV57 bR8qoEJ3tATf1+6P09JYiYE8+I7IGWfdwXtY4xp+XlZaV5eLU9hkaA5BEFsnYLsGufgT nSoBqhrgt4kuILbfvAwlNlXMxVMH/uLI6i1b17R8x0gBC4H4f9hmQeEDGCkmKZvczJRu g7I51/PApdWzRJICAlMyKiMB48N/+g003x5bGffSOBVrpZoHqwfrHsrdgj0eKIYLKUTQ hcz40xBNKEwVghjYMIVwti97u9BFm1h3lqXmNRs/9ugC1tWxzvV47v80msGxtX5TwJMR sTYw==
X-Gm-Message-State: ALoCoQlhNeTzSWrMa1e8hj5Q5ST5CHFAOaA9YPFG8w39joLYN6HleSnBWEX6srv/fsC10QzCYtk8
MIME-Version: 1.0
X-Received: by 10.13.197.131 with SMTP id h125mr29070047ywd.314.1445866570420; Mon, 26 Oct 2015 06:36:10 -0700 (PDT)
Received: by 10.129.43.69 with HTTP; Mon, 26 Oct 2015 06:36:10 -0700 (PDT)
In-Reply-To: <20151024191755.GA3380@sources.org>
References: <CAHw9_i+P13cuUv1UYiFEmdm-Km-j332A6a0MfSdW+0o1or9VaQ@mail.gmail.com> <20151024191755.GA3380@sources.org>
Date: Mon, 26 Oct 2015 09:36:10 -0400
Message-ID: <CA+nkc8By7EtKs6TPR5ETfDh_DjAFojTu9ibi5o2k_SrmdoptRQ@mail.gmail.com>
From: Bob Harold <rharolde@umich.edu>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Content-Type: multipart/alternative; boundary="001a114e594a52c42c0523020b4b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Ie7LFn1v-8kUT2n06ESUnkU-tjY>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Using NSEC authoritatively - cutting down on NXD requests...
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2015 13:36:14 -0000

On Sat, Oct 24, 2015 at 3:17 PM, Stephane Bortzmeyer <bortzmeyer@nic.fr>
wrote:

> On Thu, Oct 15, 2015 at 01:53:51PM -0400,
>  Warren Kumari <warren@kumari.net> wrote
>  a message of 33 lines which said:
>
> > draft-wkumari-dnsop-cheese-shop-00 - "Believing NSEC records in the
> > DNS root" -
> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/
> >
> > Basically this is a simplification of Kazunori Fujiwara's
> > I-D.fujiwara-dnsop-nsec-aggressiveuse,
>
> For me, it has the same problem as fujiwara-dnsop-nsec-aggressiveuse:
> it is a DNSSEC-specific solution, while we already have a generic
> solution, described in section 3 of vixie-dnsext-resimprove (mentioned
> by Shumon Huque in
> <http://mailarchive.ietf.org/arch/msg/dnsop/Q3FpcQONPy2SApucDDUYXiXnVJc>)
>
> It looks to me like they address two separate cases:
vixie-dnsext-resimprove  addresses the case where a single name 'b.example'
and everything below it do not exist, found by a query for 'b.example'.
That's as much as we can determine without DNSSEC.  And it breaks if a DNS
server returns NXDOMAIN for ENT's.
fujiwara-dnsop-nsec-aggressiveuse addresses the case where 'a.example'
exists, but the range 'bxxxx.example' thru 'gyyyy.example' do not exist,
found by a single query for anything in the range.  But it only works with
DNSSEC signed zones.

-- 
Bob Harold