[DNSOP] Using NSEC authoritatively - cutting down on NXD requests...

Warren Kumari <warren@kumari.net> Thu, 15 October 2015 17:53 UTC

Date: Thu, 15 Oct 2015 13:53:51 -0400
Message-ID: <CAHw9_i+P13cuUv1UYiFEmdm-Km-j332A6a0MfSdW+0o1or9VaQ@mail.gmail.com>
From: Warren Kumari <warren@kumari.net>
To: dnsop <dnsop@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/Shllc7QLcLt_aKOrKSjvU52wSI4>
Subject: [DNSOP] Using NSEC authoritatively - cutting down on NXD requests...

Hi all,

I wanted to mention a document that Geoff and I wrote a few weeks back:

draft-wkumari-dnsop-cheese-shop-00 - "Believing NSEC records in the
DNS root" - https://datatracker.ietf.org/doc/draft-wkumari-dnsop-cheese-shop/

Basically this is a simplification of Kazunori Fujiwara's
I-D.fujiwara-dnsop-nsec-aggressiveuse, restricted in scope to only
validated NSEC records, and only for the root. Being simpler, we believe that
cheese-shop allows for simpler implementation and gaining experience.
We complement, not compete with, nsec-aggressiveuse.

The root has some nice properties -- we understand a lot about the
structure of the zone (e.g. no wildcards, no CNAMEs), and it is known
to get a bunch of junk queries.
Using NSEC for negative caching is known to work well in this case; we
can expand the scope of the document sometime after discussions...

W

-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
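The mechanism the draft describes, a resolver answering NXDOMAIN for a non-existent TLD from a validated root NSEC record it already holds instead of sending yet another junk query to the root, as an added worked example. This is illustrative code written for this page, not code from the draft, from Warren Kumari, or from any resolver implementation. It assumes the NSEC records in the cache have already been DNSSEC-validated elsewhere, and the sample cache entries are constructed for the demonstration rather than copied from the real root zone. It also goes slightly beyond the post's own text: it implements the RFC 4034 canonical name ordering that the covering check depends on, handles the chain wrap-around at the zone apex, and deliberately refuses to synthesize anything for names under a TLD that does exist.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class NsecRecord:
    """One DNSSEC-validated NSEC record cached from the root zone.

    Only records whose RRSIG has been validated belong here: an unvalidated
    NSEC is merely an assertion by whoever answered, not proof of absence.
    """
    owner: str       # owner name, e.g. "com."
    next_name: str   # NSEC "next domain name"; "." marks the last record in the chain
    expires: float   # absolute time (seconds) at which the record's TTL runs out


# Constructed sample cache: the shape mirrors root-zone NSEC records, but the
# owner/next pairs are illustrative only, not a copy of the real root zone.
SAMPLE_CACHE = (
    NsecRecord("com.", "comcast.", expires=86400.0),
    NsecRecord("comcast.", "commbank.", expires=86400.0),
    NsecRecord("zw.", ".", expires=86400.0),
)


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """Sort key implementing RFC 4034 section 6.1 canonical DNS name ordering.

    Labels are compared most-significant (rightmost) first, as unsigned octet
    strings with ASCII uppercase folded to lowercase, and a name that is a
    prefix of another sorts first.  Python's tuple-of-bytes comparison has
    exactly those semantics once the labels are reversed.  IDN labels are
    expected in their A-label (xn--) form.
    """
    labels = [label for label in name.rstrip(".").split(".") if label]
    return tuple(label.encode("ascii").lower() for label in reversed(labels))


def nsec_covers(rec: NsecRecord, qname: str) -> bool:
    """True if qname falls strictly inside the gap this NSEC proves empty."""
    owner = canonical_key(rec.owner)
    nxt = canonical_key(rec.next_name)
    q = canonical_key(qname)
    if owner < nxt:
        return owner < q < nxt
    # Last record in the chain: next_name wraps to the zone apex, so the gap
    # runs from the owner to the end of the canonical name space.
    return q > owner or q < nxt


def synthesize_nxdomain(qname: str, cache: Iterable[NsecRecord], now: float) -> Optional[str]:
    """Decide whether a resolver may answer NXDOMAIN for qname from root NSECs.

    Returns "NXDOMAIN" when the top-level label of qname is proven absent by a
    cached, unexpired NSEC, and None when the query must be sent as usual.
    Only the TLD label is tested: a root NSEC says nothing about names under a
    TLD that does exist, because that TLD's own servers are authoritative
    there.  For the same reason a root NSEC owned by a delegated TLD is never
    turned into a NODATA answer: its type bitmap describes the parent side of
    the delegation, not the child zone.  The post notes the root has no
    wildcards; in a zone that may have them, a covering NSEC alone is not
    enough and a wildcard non-existence proof is also required.
    """
    labels = [label for label in qname.rstrip(".").split(".") if label]
    if not labels:
        return None  # the apex itself always exists
    tld = labels[-1] + "."
    tld_key = canonical_key(tld)
    for rec in cache:
        if rec.expires <= now:
            continue  # stale proof: re-fetch rather than trust it
        if canonical_key(rec.owner) == tld_key:
            return None  # the TLD exists (it owns an NSEC): resolve normally
        if nsec_covers(rec, tld):
            return "NXDOMAIN"
    return None


if __name__ == "__main__":
    for q in ("comb.", "www.COMB.", "zzz.", "com.", "www.example.com."):
        print(f"{q:20} -> {synthesize_nxdomain(q, SAMPLE_CACHE, now=0.0)}")
```

The expiry check matters operationally: a synthesized negative answer must never outlive the TTL of the NSEC it was derived from, otherwise a newly delegated TLD would stay invisible to clients of that resolver until the stale proof is evicted.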