IETF Logo Mail Archive

Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming

"Paul Hoffman" <paul.hoffman@vpnc.org> Sat, 23 January 2016 20:47 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9BE41A19F2 for <dnsop@ietfa.amsl.com>; Sat, 23 Jan 2016 12:47:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.347
X-Spam-Level:
X-Spam-Status: No, score=-1.347 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_COM=0.553] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bwUZpoAZnplP for <dnsop@ietfa.amsl.com>; Sat, 23 Jan 2016 12:47:29 -0800 (PST)
Received: from hoffman.proper.com (Opus1.Proper.COM [207.182.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C9E41A07BC for <dnsop@ietf.org>; Sat, 23 Jan 2016 12:47:29 -0800 (PST)
Received: from [10.32.60.45] (50-1-98-110.dsl.dynamic.fusionbroadband.com [50.1.98.110]) (authenticated bits=0) by hoffman.proper.com (8.15.2/8.14.9) with ESMTPSA id u0NKlR1b055033 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 23 Jan 2016 13:47:28 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host 50-1-98-110.dsl.dynamic.fusionbroadband.com [50.1.98.110] claimed to be [10.32.60.45]
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: "Wessels, Duane" <dwessels@verisign.com>
Date: Sat, 23 Jan 2016 12:47:27 -0800
Message-ID: <C702935B-C23E-4DBC-9467-6DD024E172DE@vpnc.org>
In-Reply-To: <2552EB05-B015-42F6-ABA6-D67B21CEBD4F@verisign.com>
References: <12831BC8-EE53-46C7-80A5-A7DAE651F157@vpnc.org> <2552EB05-B015-42F6-ABA6-D67B21CEBD4F@verisign.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.3r5187)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/X9vp7dGWnNeMx4ywdUB51dviEpM>
Cc: dnsop WG <dnsop@ietf.org>
Subject: Re: [DNSOP] DNSSEC in draft-ietf-dnsop-resolver-priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Jan 2016 20:47:30 -0000

On 22 Jan 2016, at 14:44, Wessels, Duane wrote:

> I think I'm okay with "resolvers SHOULD send DO when priming."  Seems 
> like BIND and Unbound already do this.

Noted. Waiting to hear from a bunch more people on this.

> Do we also need to say that the resolver SHOULD/MUST retry with DO=0 
> if there is no response to the first priming query?

Personal opinion: yes for SHOULD, but we need to integrate it with the 
earlier text about going to a different server if you don't get a 
response within 2 seconds.

> The more important question may be: what shall the resolver do if 
> validation of the priming response fails? I'm skeptical that we, as a 
> group, will be willing to say that the resolver should refuse to 
> forward any queries to a root unless validation succeeds.

Personal opinion: agree. We can say that it is local policy. One 
possible policy is to keep trying other hints until one response 
validates.

--Paul Hoffman

v2.23.0 | Report a Bug | By Email