Re: [DNSOP] Priming query transport selection

Edward Lewis <> Wed, 13 January 2010 21:36 UTC

Date: Wed, 13 Jan 2010 16:33:50 -0500
From: Edward Lewis <>

At 13:19 -0500 1/13/10, Olafur Gudmundsson wrote:

>The benefit is that a single query can retrieve the signed root NS set
>and all the signed glue records.

I am not certain that the cost of doing TCP for this is worth the 
benefit of getting a signed priming response.  I agree with section 
2.4 - no DO bit.

What does a DNSSEC-protected priming query gain you?

Accepting any old priming query and having a root SEP configured, if 
the query is right all things work.  If the query is wrong/forged you 
won't get anywhere anyhow.  (Without going into the weeds here - 
what if one IP address were forged, what if it were 6, 16, or all of 

(13 name servers => 13 A records + 7 AAAA records last check)

Besides the warm and fuzzy feeling, what do you gain? (Keep in mind 
all of the TCP traffic it would take to get warm and fuzzy.)

At 16:05 -0500 1/13/10, Olafur Gudmundsson wrote:

>Why not ask for signatures ?

Same reason it is no longer fashionable to include keys in signed 
responses - signatures are a big load.  Yes, you'll know sooner if a 
server's IP address is a problem, but you'd figure it out before it 
mattered anyway (if you ever use that server).

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
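As an added example, not text from this thread, here is a rough wire-size model of the priming response discussed above (13 NS, 13 A and 7 AAAA glue records) with and without RRSIGs. It assumes RFC 1035 name compression, an EDNS0 OPT record, one RRSIG per RRset, and 128- or 256-byte RSA signatures; the numbers show where the response crosses the classic 512-byte and a 4096-byte EDNS0 UDP limit and would have to fall back to TCP.

```python
# Constructed size model of a root priming response (". IN NS"); not from the DNSOP thread.
HEADER = 12                 # DNS message header
QUESTION = 1 + 2 + 2        # QNAME "." (one zero byte) + QTYPE + QCLASS
OPT_RR = 1 + 2 + 2 + 4 + 2  # EDNS0 OPT pseudo-RR with empty RDATA
PTR = 2                     # compression pointer to a name seen earlier
RR_FIXED = 2 + 2 + 4 + 2    # TYPE, CLASS, TTL, RDLENGTH (owner counted separately)
RRSIG_FIXED = 2 + 1 + 1 + 4 + 4 + 4 + 2  # RRSIG RDATA fields before the signer name


def ns_rdata_size(first: bool) -> int:
    """'x.root-servers.net.' in NS RDATA: full name once, then 'x' + pointer."""
    if first:
        return (1 + 1) + (1 + len("root-servers")) + (1 + len("net")) + 1
    return (1 + 1) + PTR


def rrsig_size(owner: int, signer: int, sig_bytes: int) -> int:
    """One RRSIG RR: owner name + fixed RR fields + RDATA + raw signature."""
    return owner + RR_FIXED + RRSIG_FIXED + signer + sig_bytes


def priming_response_size(ns=13, a=13, aaaa=7, sig_bytes=0, edns=True) -> int:
    """Bytes on the wire for the NS set plus glue; sig_bytes > 0 adds one RRSIG
    per RRset (assumption: NS set signed by the root with a 1-byte signer name,
    each glue RRset signed under root-servers.net with a pointer signer name)."""
    size = HEADER + QUESTION + (OPT_RR if edns else 0)
    # Answer section: NS RRs owned by "." (1 byte, cheaper than a pointer)
    size += sum(1 + RR_FIXED + ns_rdata_size(i == 0) for i in range(ns))
    # Additional section: glue whose owner names point back into the NS RDATA
    size += a * (PTR + RR_FIXED + 4)
    size += aaaa * (PTR + RR_FIXED + 16)
    if sig_bytes:
        size += rrsig_size(1, 1, sig_bytes)                    # RRSIG over NS set
        size += (a + aaaa) * rrsig_size(PTR, PTR, sig_bytes)   # one per glue RRset
    return size


def transport_needed(size: int, udp_payload: int = 4096) -> str:
    """Classic 512-byte UDP, EDNS0 UDP up to the advertised buffer, else TCP."""
    if size <= 512:
        return "udp"
    if size <= udp_payload:
        return "edns0-udp"
    return "tcp"


if __name__ == "__main__":
    for label, sig in (("unsigned", 0), ("RSA-1024", 128), ("RSA-2048", 256)):
        n = priming_response_size(sig_bytes=sig)
        print(f"{label:9s} {n:5d} bytes -> {transport_needed(n)}")
```

With only the 13 A records and no EDNS the model gives 436 bytes, the classic under-512 priming answer; the 7 AAAA records alone push it past 512, and 256-byte signatures push it past 4096.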