Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
Lanlan Pan <abbypan@gmail.com> Tue, 15 August 2017 08:16 UTC
Return-Path: <abbypan@gmail.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACE321323F7 for <dnsop@ietfa.amsl.com>; Tue, 15 Aug 2017 01:16:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oCQBz7IkLH90 for <dnsop@ietfa.amsl.com>; Tue, 15 Aug 2017 01:16:44 -0700 (PDT)
Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com [IPv6:2a00:1450:400c:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F29FF1200B9 for <dnsop@ietf.org>; Tue, 15 Aug 2017 01:16:43 -0700 (PDT)
Received: by mail-wm0-x236.google.com with SMTP id i66so4541927wmg.0 for <dnsop@ietf.org>; Tue, 15 Aug 2017 01:16:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=AJUYqyvn18KuIDCzd6x2V6wf1BGdm0Ib2jLXXK/9I7E=; b=iSTZ9Wi3l6Ky5PLUrbpbTplAkMxV4npxXIYYs76CO20/Z7H2K1bhsWY2H3odixCJn7 wlMEIP0e+1pRiUUnS1tVl+n8Z3O9nCm7TZEm5a4/lnfFLha02RgGhaLUPysA/3csQCNG zjEIhN5gst02+HSarbXmNVzuCjFDLJdgq4bl02Iqpq+MD3IwVGbeGYrwKSGZZ+ICAzAm rR1t0a4Qu6C8cw+20p/w6q0NNVUw4hKJ5TI6I7yqTHAM4MreEVbbfSHCyg1tIBtZsU29 Gv22g47+oal6iUOkiEpP4B7wyk9u+uHngir8pvT6ou0ghar4Dw4V3e70ScGW8TYZs1fb 8mng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=AJUYqyvn18KuIDCzd6x2V6wf1BGdm0Ib2jLXXK/9I7E=; b=rHKJGXOqTVltp0Y9rL6/oBdzDqVgF+lApVgdO+BFRG2raZT/wnlB7zcomZ2E8WSDuc 1ZslN1wP1gphFnAguN0zDK6U04qkh+q8UA7VJPSue3yZA5tbhneDBVJsjWr9E4aRcMmG NuJ3FEnBAPrI1BYOtXl1C08v+ZBm7K8MIGzJ26hiIdrzn6S2ju8RlXVOwMqc8ct9PyqS teGh+zcNZiJeZDrS359DiCGuYmmSergnazhr2kqfdXjN1ElBHbQM4J2UJEiXFMwX+Y4/ 9ruI9KLE3l5ilIbRvU6rYHBkASf17b+a5CoPXf00GlKXrHIQgF4KYfTYqHTuCZdgZj2w Nkxw==
X-Gm-Message-State: AHYfb5gHksz1q+0EX6HLjEpKC0iGtRNK4pyxaUXU1FeDftVeISsNQy4K 6CVG9E6hHdk1eMe1UZxgvi/Dt1m7bQ==
X-Received: by 10.80.138.6 with SMTP id i6mr26540414edi.247.1502785002473; Tue, 15 Aug 2017 01:16:42 -0700 (PDT)
MIME-Version: 1.0
References: <CANLjSvWyO0nbiSJGSqhRH33evbCUFLNzCjceAHJ-L89FA+En8g@mail.gmail.com> <201708150651.v7F6ptN7005525@calcite.rhyolite.com>
In-Reply-To: <201708150651.v7F6ptN7005525@calcite.rhyolite.com>
From: Lanlan Pan <abbypan@gmail.com>
Date: Tue, 15 Aug 2017 08:16:31 +0000
Message-ID: <CANLjSvWFh0ER47=SFJB-3rkTJKT_OxcjKwcD9-DUkDDxJTo=+g@mail.gmail.com>
To: Vernon Schryver <vjs@rhyolite.com>
Cc: dnsop <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1957843f0e510556c6665c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/PaPcvCL1qbR0Vib1mDzzj-vxDbA>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2017 08:16:46 -0000
Hi Vernon, Thanks for your advice, :-) Vernon Schryver <vjs@rhyolite.com>于2017年8月15日周二 下午2:52写道: > > From: Lanlan Pan <abbypan@gmail.com> > > > Don't judy other's motivation with meaningless skeptics. The endless > > skeptics can also push on your RPZ to DNSSEC. > > A significant difference between RPZ and the SWILD is that RPZ does > not depend on non-participants doing anything. For example, RPZ works > fine on a single, isolated resolver. > (Of course, the owners of the IETF printing presses would have to > agree to publish anything, but publishing a description is neither > implementing nor deploying.) > > The history of RPZ might suggest a temporary solution. Why not implement > SWILD using a private rtype or perhaps even TXT? An implementation > and a few 1000 installations might convince some skeptics and render > many objections moot. > Yeah, TXT is my history plan: Recursive Resolvers that support wildcard detect method with TXT record <https://github.com/abbypan/dns_wildcard_on_intermediate_nameservers/blob/a4188548c87b6a10af45aa23575b86d9f33f39ec/draft.txt> > > > > DNSSEC deployment will sharply rise if global nameservers desire *dns > > security*, but almost impossible because of an addtional wildcards > feature. > > I don't understand that. My zones have plenty of wildcards, but as > far as I can tell, no new wildcard features will break my DNSSEC > signatures. > > I don't understand "global nameservers [desiring] dns security". > Are "global nameservers" resolvers or authorities? If they are resolvers, then there is absolutely no immediate prospect > of many (any?) resolvers that might be called "global" dropping > unsigned DNS data. > Both recursives and authoritatives. I mean more and more recursives and authoritatives enable DNSSEC for dns query by default configuration, sorry for my poor English. If they are authorities, then I thought that the reasons why almost > all com zones are unsigned are well understood, recently listed here, > and have nothing to do with wildcards. What am I missing? > http://scoreboard.verisignlabs.com/ > http://scoreboard.verisignlabs.com/percent-trace.png The deployment problem is on the Authoritative Nameservers of billions of second level domains, not on TLD. And Recursive must enable DNSSEC validation for dns query by default configuration. > > ....................... > > ] From: Mark Andrews <marka@isc.org> > > ] I can't see how you can say push your RPZ to DNSSEC as RPZ breaks > ] DNSSEC. > > I describe the same facts as the opposite, as "either DNSSEC breaks RPZ > or DNSSEC and RPZ work together perfectly well" (in either case, > assuming a trusted path such as (trusted) localhost name or 127.0.0.1 > address to a trusted resolver, where "trusted resolver" includes > "trusted to rewrite." Of course, without a trusted path to a trusted > resolver or a verifying stub, DNSSEC doesn't mean much.) > > As Mark Andrews understands but many people don't, the common RPZ > implementation parameter "BREAK-DNSSEC yes" does NOT mean "RPZ breaks > DNSSEC", but "RPZ should ignore DNSSEC request bits despite the fast > that RPZ invalidates and removes signatures and so verifying stubbs > and verifying downstream resolvers will not accept rewritten answers." > > Also, in the two RPZ implementations I've written, the default > BREAK-DNSSEC value is "no" so that requesting DNSSEC turns off RPZ. > > > Vernon Schryver vjs@rhyolite.com > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop > -- 致礼 Best Regards 潘蓝兰 Pan Lanlan
- [DNSOP] Fwd: New Version Notification for draft-p… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Tony Finch
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Petr Špaček
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] New Version Notification for draft-pa… Paul Hoffman
- Re: [DNSOP] Fwd: New Version Notification for dra… Richard Gibson
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Matthew Pounsett
- Re: [DNSOP] Fwd: New Version Notification for dra… Dave Crocker
- Re: [DNSOP] New Version Notification for draft-pa… Peter van Dijk
- Re: [DNSOP] New Version Notification for draft-pa… Matthew Pounsett
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] Fwd: New Version Notification for dra… Ted Lemon
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Mikael Abrahamsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Mikael Abrahamsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Mukund Sivaraman
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Davey Song
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] New Version Notification for draft-pa… Ralf Weber
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] Fwd: New Version Notification for dra… Davey Song
- Re: [DNSOP] Fwd: New Version Notification for dra… Mikael Abrahamsson
- Re: [DNSOP] Fwd: New Version Notification for dra… Ted Lemon
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John Levine
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] Fwd: New Version Notification for dra… Vernon Schryver
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Mark Andrews
- Re: [DNSOP] Fwd: New Version Notification for dra… Lanlan Pan
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Petr Špaček
- Re: [DNSOP] Fwd: New Version Notification for dra… Paul Vixie
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Matthew Pounsett
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John R Levine
- Re: [DNSOP] New Version Notification for draft-pa… Ted Lemon
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John R Levine
- Re: [DNSOP] New Version Notification for draft-pa… Ralf Weber
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Mark Andrews
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John R Levine
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Mark Andrews
- Re: [DNSOP] updating fragile dnssec, was Fwd: New… John R Levine
- Re: [DNSOP] updating fragile dnssec, was Fwd: New… Patrik Fältström
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] New Version Notification for draft-pa… Ted Lemon
- Re: [DNSOP] fragile dnssec, was Fwd: New Version John Levine
- Re: [DNSOP] New Version Notification for draft-pa… Warren Kumari
- Re: [DNSOP] New Version Notification for draft-pa… Lanlan Pan
- Re: [DNSOP] fragile dnssec, was Fwd: New Version Petr Špaček
- Re: [DNSOP] fragile dnssec, was Fwd: New Version A. Schulze