Re: [DNSOP] [dnsext] Re: Priming query transport selection
Alfred Hönes <ah@TR-Sys.de> Sun, 24 January 2010 16:23 UTC
Return-Path: <A.Hoenes@TR-Sys.de>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6F4733A68F0 for <dnsop@core3.amsl.com>; Sun, 24 Jan 2010 08:23:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.851
X-Spam-Level: ***
X-Spam-Status: No, score=3.851 tagged_above=-999 required=5 tests=[BAYES_50=0.001, CHARSET_FARAWAY_HEADER=3.2, HELO_EQ_DE=0.35, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RmTQF38nq2Si for <dnsop@core3.amsl.com>; Sun, 24 Jan 2010 08:23:48 -0800 (PST)
Received: from TR-Sys.de (gateway.tr-sys.de [213.178.172.147]) by core3.amsl.com (Postfix) with ESMTP id 2672B3A688D for <dnsop@ietf.org>; Sun, 24 Jan 2010 08:23:46 -0800 (PST)
Received: from ZEUS.TR-Sys.de by w. with ESMTP ($Revision: 1.37.109.26 $/16.3.2) id AA250800206; Sun, 24 Jan 2010 17:23:26 +0100
Received: (from ah@localhost) by z.TR-Sys.de (8.9.3 (PHNE_25183)/8.7.3) id RAA00666; Sun, 24 Jan 2010 17:23:24 +0100 (MEZ)
From: Alfred Hönes <ah@TR-Sys.de>
Message-Id: <201001241623.RAA00666@TR-Sys.de>
To: mayer@gis.net
Date: Sun, 24 Jan 2010 17:23:24 +0100
In-Reply-To: <4B5BDCCB.50504@gis.net> from Danny Mayer at Jan "24, " 2010 "00:38:19" am
X-Mailer: ELM [$Revision: 1.17.214.3 $]
Mime-Version: 1.0
Content-Type: text/plain; charset="hp-roman8"
Content-Transfer-Encoding: 7bit
Cc: namedroppers@ops.ietf.org, dnsop@ietf.org
Subject: Re: [DNSOP] [dnsext] Re: Priming query transport selection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jan 2010 16:23:49 -0000
Danny Mayer wrote, in a response sent to me, referring to Olafur Gudmundsson's text proposal quoted in my posting on Jan 13: >>> Proposed replacement text: >>> >>> |2.1. Parameters of a Priming Query >>> | >>> | A priming query MUST use a QNAME of "." and a QTYPE of NS, QCLASS >>> | of IN, with RD bit set to 0, the source port of the query should >>> | be randomly selected [RFC5452]. >>> | >>> | A DNSSEC aware resolver SHOULD sent the priming query over TCP. >>> | If TCP is refused a different server SHOULD be tried, after 3 tries >>> | the resolver SHOULD fall back on UDP. >>> | >>> | A DNSSEC ignorant but EDNS0 capable, resolver SHOULD issue the >>> | priming query over UDP, ENDS0 option MUST be included with buffer >>> | size of 1220 or larger. If the UDP query times out TCP SHOULD be >>> | tried. >>> | >>> | An EDNS0 ignorant resolver MUST issue the priming query over UDP. >>> >>> ... > > I'm not sure I understand the point to this part. Since this is a draft > and you would be talking about the next versions of resolvers that would > be expect to support this (as opposed to existing ones) why would you > expect there to be any future resolver ignorant of DNSSEC? Aren't we > trying to make DNSSEC mandatory for future resolvers? > > Danny Danny, Please note that the quoted block of text wasn't mine, so maybe your message ought to have be addressed primarily to its author. But never mind. It has arrived there and on the lists. The primary goals of my posting were to point out that: - limiting the recommended priming query discussion and advice in teh Priming Query draft by a perspective on 1024-bit RSA keys and signatures is too narrow-headed if the advice shall last for more than a very small couple of years, and - with respect to message size issues and efficiency, DNSEXT should resume work on ECC keys and signatures for DNSSEC ASAP. Regarding your argument agaibst Olafur's suggested text, I fear there will be lots of resolvers for many years that cannot reasonably be expected to be DNSSEC aware, i.e. performing DNSSEC validation. I do not want to touch on policy issues -- whether CPE and end systems are in a better place for providing useful trust by performing DNSSEC validation than typical large-scale caching resolvers provided and maintained by ISPs. However: DNSSEC is a huge code addition, in particular for embedded TCP/IP implementations; the proliferation of signature algorithms we are starting to admit will make things even more complicated. In contrast, EDNS0 is a rather tiny addition providing general utility and it indeed really should be supported by such implementations. Therefore, I believe that we should give valid advice for such small-scale implementions as well -- they'll depend on working priming queries in any case. As pointed out by other folks in another current thread on DNSOP, BCP documents should not restrict the advice they are giving to a single mainstream scenario when the topic is more general in nature, but better cover various important scenarios. Thus, I indeed recommend to keep appropriate advice for DNSSEC unaware resolvers in the Priming Query draft. Kind regards, Alfred. -- +------------------------+--------------------------------------------+ | TR-Sys Alfred Hoenes | Alfred Hoenes Dipl.-Math., Dipl.-Phys. | | Gerlinger Strasse 12 | Phone: (+49)7156/9635-0, Fax: -18 | | D-71254 Ditzingen | E-Mail: ah@TR-Sys.de | +------------------------+--------------------------------------------+
- [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Alfred Hönes
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Edward Lewis
- Re: [DNSOP] Priming query transport selection Alex Bligh
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
- Re: [DNSOP] Priming query transport selection Olafur Gudmundsson
- Re: [DNSOP] Priming query transport selection Jaap Akkerhuis
- Re: [DNSOP] Priming query transport selection Nicholas Weaver
- Re: [DNSOP] Priming query transport selection Ray.Bellis
- [DNSOP] RSA cracking Jim Reid
- Re: [DNSOP] Priming query transport selection Patrik Fältström
- Re: [DNSOP] Priming query transport selection bmanning
- Re: [DNSOP] Priming query transport selection Nicholas Weaver
- Re: [DNSOP] Priming query transport selection Patrik Fältström
- Re: [DNSOP] Priming query transport selection Sebastian Castro
- Re: [DNSOP] Priming query transport selection Ray.Bellis
- Re: [DNSOP] Priming query transport selection Simon Leinen
- Re: [DNSOP] Priming query transport selection Florian Weimer
- Re: [DNSOP] Priming query transport selection Jim Reid
- Re: [DNSOP] Priming query transport selection Florian Weimer
- Re: [DNSOP] Priming query transport selection George Barwood
- Re: [DNSOP] Priming query transport selection George Barwood
- [DNSOP] signing glue and additional data Jim Reid
- Re: [DNSOP] signing glue and additional data George Barwood
- Re: [DNSOP] Priming query transport selection Sebastian Castro
- [DNSOP] on what glue is (was: signing glue and ad… Andrew Sullivan
- Re: [DNSOP] on what glue is (was: signing glue an… Roy Arends
- Re: [DNSOP] [dnsext] Re: Priming query transport … Danny Mayer
- Re: [DNSOP] [dnsext] Re: Priming query transport … Alfred Hönes
- Re: [DNSOP] [dnsext] Re: Priming query transport … Olafur Gudmundsson