Re: [DNSOP] [Ext] Starting a -bis document for RFC 8109: Initializing a DNS Resolver with Priming Queries

Paul Hoffman <> Thu, 06 August 2020 23:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E60273A07C0 for <>; Thu, 6 Aug 2020 16:20:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JaZ-QMLsGzOb for <>; Thu, 6 Aug 2020 16:20:56 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 419DA3A07B5 for <>; Thu, 6 Aug 2020 16:20:56 -0700 (PDT)
Received: from ( []) by ( with ESMTPS id 076NKqBc018731 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 6 Aug 2020 23:20:52 GMT
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.595.3; Thu, 6 Aug 2020 16:20:51 -0700
Received: from ([]) by ([]) with mapi id 15.02.0595.003; Thu, 6 Aug 2020 16:20:51 -0700
From: Paul Hoffman <>
To: George Michaelson <>
CC: dnsop WG <>
Thread-Topic: [DNSOP] [Ext] Starting a -bis document for RFC 8109: Initializing a DNS Resolver with Priming Queries
Thread-Index: AQHWbEGVG6WK1Jdbc0iKJeiPCy0IJKksLUcA
Date: Thu, 6 Aug 2020 23:20:51 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
x-originating-ip: []
x-source-routing-agent: Processed
Content-Type: multipart/signed; boundary="Apple-Mail=_D2E54361-D968-4E84-A81A-547BF80495AA"; protocol="application/pkcs7-signature"; micalg=sha-256
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-08-06_17:2020-08-06, 2020-08-06 signatures=0
Archived-At: <>
Subject: Re: [DNSOP] [Ext] Starting a -bis document for RFC 8109: Initializing a DNS Resolver with Priming Queries
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Aug 2020 23:20:58 -0000

On Aug 6, 2020, at 3:32 PM, George Michaelson <> wrote:
> If I (insanely) ran a totally manual, out of band process to
> periodically canvas the space and injected the knowns into the model
> of "root" for my resolver, would I be able to say I am primed?

Not by the standard, no. RFC 8109 was passed by this WG as a standard.

> I am trying to get to the point that the "how" part is only exemplary,
> explanatory. The requirement is that you have the information, now how
> you get it or how it comes into your resolver.

That is not true for this standard. This standard gives the way to be primed following what has already been standardized before now. You can get the NS RRset for the root zone into your resolver in other ways, and the resolver would work fine, but that is not priming as standardized here.

If you're asking the trivial question of whether you could continue to operate without following the standard, the trivial answer is of course "yes".

> The distinction between shipped states of the root.hints and the
> actual live mappings of the domain labels inherent in it, to addresses
> (if you like) I can bypass the hints file ,and use SQL to update my
> root mapping.
> I think the intent of "priming" is that you then populate the
> information from 'inside' DNS. But, again, its only advisory, its not
> standards enforced is it?

You could ask to remove that designation in this -bis document if you want. I, for one, would disagree with such a request.

> I can populate my continuing knowledge of
> the state of the DNS at the root, or anywhere else, in any mechanism I
> like.

Yep, and nothing in the current standard or this updating document says that you can't. They say that the standard for priming is done this way. 

> I could periodically FTP the zone files from places, and populate my
> resolver cache state from these. I could basically "never" forward DNS
> queries high in the tree, if I felt like making my server do that.
> Am I "not primed" if I do this?

Not by the standard, no. You still would have a running system. If you want to call it "primed" (or "Fred"), that's up to you.

--Paul Hoffman