Re: [DNSOP] Introducing draft-vavrusa-dnsop-aaaa-for-free

George Michaelson <ggm@algebras.org> Wed, 23 March 2016 22:33 UTC


On Thu, Mar 24, 2016 at 7:10 AM, Florian Weimer <fweimer@redhat.com> wrote:
> DO was used initially for SIG and kept for RRSIG.  For an early DNSSEC
> implementation, RRSIG was just another unsolicited RR type because it
> could only know about SIG.  This suggests (to me at least) that
> practically speaking, DO isn't strongly tied to DNSSEC.
>
> Florian


Very strong +1. The % of incoming queries with DO set is far, far higher
than the % of incoming queries seen at authority who subsequently ask
for DS/DNSKEY at zone and parent. There is a good, strong indication
that resolvers pass DO as a compile/run flag of capability to handle
additional records in response, not as an indication of intent to
perform any function using them.

(this is with fresh unseen domains, where there is no opportunistic
cache of the DNSKEY or DS, so the absence of a fetch of them is a very
good indicator there was no intent to try and use the RRSIG sent back
as a result of DO being sent in query)

-G
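
The comparison described in the message above, as an added example that is not part of the original post: it tallies, per resolver, whether DO was set on data queries for a fresh zone and whether that resolver then fetched DS or DNSKEY. The log format, the merged zone-and-parent log, the grouping by source address and the names `SAMPLE_LOG` and `do_vs_validation` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: query log merged from the zone's and the parent's
# authoritative servers for a freshly created zone (nothing cached anywhere).
# Assumed line format: <epoch> <resolver-ip> <qname> <qtype> <DO bit>
SAMPLE_LOG = """\
1458772400 192.0.2.10 u1.fresh.example. A 1
1458772401 192.0.2.10 fresh.example. DNSKEY 1
1458772401 192.0.2.10 fresh.example. DS 1
1458772402 192.0.2.20 u2.fresh.example. A 1
1458772403 192.0.2.30 u3.fresh.example. AAAA 1
1458772404 192.0.2.40 u4.fresh.example. A 0
1458772405 198.51.100.5 u5.fresh.example. A 1
1458772406 198.51.100.5 fresh.example. DNSKEY 1
"""

KEY_TYPES = {"DS", "DNSKEY"}  # fetches that signal intent to validate


def do_vs_validation(log_text, zone):
    """Compare the share of resolvers setting DO with the share fetching keys."""
    sent_do = defaultdict(bool)   # resolver -> set DO on at least one data query
    fetched_keys = set()          # resolvers that asked for DS/DNSKEY at the apex
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue              # skip malformed lines
        _ts, resolver, qname, qtype, do_bit = fields
        qname = qname.lower()
        if qname != zone and not qname.endswith("." + zone):
            continue              # query for some other zone
        if qtype.upper() in KEY_TYPES:
            if qname == zone:
                fetched_keys.add(resolver)
        else:
            sent_do[resolver] |= (do_bit == "1")
    total = len(sent_do)
    with_do = {r for r, flag in sent_do.items() if flag}
    validating = with_do & fetched_keys
    return {
        "resolvers": total,
        "do_share": len(with_do) / total if total else 0.0,
        "key_fetch_share": len(validating) / total if total else 0.0,
        # DO set but no DS/DNSKEY fetch: the RRSIGs sent back were never checked
        "do_without_key_fetch": sorted(with_do - fetched_keys),
    }


if __name__ == "__main__":
    print(do_vs_validation(SAMPLE_LOG, "fresh.example."))
```
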