Re: [DNSOP] rrserial as a path to fame and fortune (was: Adoption of new EDNS opcode "rrserial")

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 30 January 2020 09:24 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <alpine.DEB.2.20.2001291409540.24409@grey.csi.cam.ac.uk>
Date: Thu, 30 Jan 2020 04:24:12 -0500
Message-Id: <476AD089-DB85-4DB9-A3AB-879DD85C2BF6@dukhovni.org>
References: <20200127150847.taxhqeipwq6jg2rr@nic.cl> <7d95a7ee-58d9-5438-3a52-23a7c0ddbba6@time-travellers.org> <alpine.DEB.2.20.2001291409540.24409@grey.csi.cam.ac.uk>
To: dnsop@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Oy6DeGp9xiGenV8IsYy3faQbn1A>

> On Jan 29, 2020, at 9:11 AM, Tony Finch <dot@dotat.at> wrote:
> 
> Shane Kerr <shane@time-travellers.org> wrote:
>> 
>> * Returning the entire signed SOA in the additional section, rather than
>> just the serial in an EDNS record (for DNSSEC validation purposes).
> 
> I think it would be more traditional to put it in the AUTHORITY section :-)

I see the ":-)", I take it you're not actually suggesting this...

If the reply is an authoritative negative reply, it will already have
an SOA in the authority section and EDE option repeating the same is
then clearly redundant.  Which argues in favour of doing this, ...

BUT, a gratuitous SOA in the authority section will likely also require
a corresponding RRSIG, which noticeably raises the packet size of the
response making the debugging option too costly, possibly leading to
truncation (defeating the intent to debug the response as-is).

Since this is for debugging only, no RRSIG is needed, and using an
EDE option for the response seems to make sense.

-- 
	Viktor.
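The size argument in the message above can be checked on the wire. The following is an added example written for this page, not code from the thread or from any DNS server: it hand-encodes a minimal signed positive answer and measures how much a gratuitous SOA plus its RRSIG in the AUTHORITY section adds, compared with a 4-byte serial carried in an EDNS option. The zone name, TTLs, timestamps, key tag and signature lengths are constructed, and the option code is a placeholder from the experimental range, not an assigned value. Names are encoded without compression, so the figures are upper bounds for a real responder.

```python
"""Wire-size comparison for the trade-off discussed above: a gratuitous
SOA (plus its RRSIG) in the AUTHORITY section versus a 4-byte serial in
an EDNS option.  Added example, not code from the thread or from any DNS
server; names, TTLs, timestamps and signature lengths are constructed.
Records are encoded per RFC 1035 / RFC 4034 / RFC 6891 without name
compression, so the sizes are upper bounds for a real server."""
import struct

ZONE = "example."                     # constructed zone
SERIAL = 2020013001                   # constructed SOA serial
SERIAL_OPTION_CODE = 65001            # placeholder in the experimental range, not an assigned code
INCEPTION, EXPIRATION = 1580000000, 1581209600   # fixed so sizes are reproducible

TYPE_A, TYPE_SOA, TYPE_OPT, TYPE_RRSIG = 1, 6, 41, 46


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format owner name ('example.' -> 07 'example' 00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(name: str, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    """NAME TYPE CLASS(IN) TTL RDLENGTH RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum) -> bytes:
    return (encode_name(mname) + encode_name(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))


def rrsig_rdata(covered: int, signer: str, sig: bytes, alg: int = 8, labels: int = 1,
                orig_ttl: int = 3600, keytag: int = 12345) -> bytes:
    """RFC 4034 s3.1 layout; the signature bytes are a dummy of the right length."""
    return (struct.pack("!HBBIIIH", covered, alg, labels, orig_ttl,
                        EXPIRATION, INCEPTION, keytag)
            + encode_name(signer) + sig)


def edns_option(code: int, data: bytes) -> bytes:
    """OPTION-CODE OPTION-LENGTH OPTION-DATA (RFC 6891 s6.1.2)."""
    return struct.pack("!HH", code, len(data)) + data


def opt_rr(options: bytes = b"", udp_payload: int = 1232) -> bytes:
    """OPT pseudo-RR: root name, TYPE 41, CLASS carries the UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, len(options)) + options


def build_response(qname, answer, authority, options=b"") -> bytes:
    """Positive NOERROR answer with QR and AA set; one OPT in ADDITIONAL."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answer), len(authority), 1)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"".join(answer) + b"".join(authority) + opt_rr(options)


def would_truncate(size: int, client_bufsize: int) -> bool:
    """True when the responder would have to set TC and the client retries over TCP."""
    return size > client_bufsize


def compare(sig_len: int = 256) -> dict:
    """Sizes for: signed A answer alone; plus SOA+RRSIG in AUTHORITY; plus an
    EDNS serial option.  sig_len 256 models RSA-2048, 64 models ECDSA P-256."""
    qname = "www." + ZONE
    sig = b"\x00" * sig_len
    answer = [rr(qname, TYPE_A, bytes([192, 0, 2, 1])),
              rr(qname, TYPE_RRSIG, rrsig_rdata(TYPE_A, ZONE, sig, labels=2))]
    soa = rr(ZONE, TYPE_SOA, soa_rdata("ns1." + ZONE, "hostmaster." + ZONE,
                                       SERIAL, 7200, 3600, 1209600, 300))
    soa_sig = rr(ZONE, TYPE_RRSIG, rrsig_rdata(TYPE_SOA, ZONE, sig))
    base = build_response(qname, answer, [])
    with_soa = build_response(qname, answer, [soa, soa_sig])
    with_opt = build_response(qname, answer, [],
                              edns_option(SERIAL_OPTION_CODE, struct.pack("!I", SERIAL)))
    return {"answer_only": len(base),
            "authority_soa_rrsig": len(with_soa),
            "edns_serial_option": len(with_opt)}


if __name__ == "__main__":
    for alg, n in (("RSA-2048", 256), ("ECDSA-P256", 64)):
        sizes = compare(n)
        print(alg, sizes, "TC at 512:",
              {k: would_truncate(v, 512) for k, v in sizes.items()})
```

With RSA-2048 signatures the SOA and its RRSIG add roughly 370 bytes to a response that was under 400 bytes, pushing it past a 512-byte client buffer, whereas the EDNS option adds 8 bytes. The ECDSA case is smaller in absolute terms but the ratio is the same, which is the point made above: an unsigned debugging option costs almost nothing, a signed SOA in AUTHORITY costs a full RRSIG.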