IETF Logo Mail Archive

Re: [DNSOP] AS112 for TLDs

Peter Koch <pk@DENIC.DE> Mon, 14 April 2008 15:54 UTC

Return-Path: <dnsop-bounces@ietf.org>
X-Original-To: dnsop-archive@lists.ietf.org
Delivered-To: ietfarch-dnsop-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6CE253A6E8E; Mon, 14 Apr 2008 08:54:46 -0700 (PDT)
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CF6093A6AFF for <dnsop@core3.amsl.com>; Mon, 14 Apr 2008 08:54:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z6lDp069yjV4 for <dnsop@core3.amsl.com>; Mon, 14 Apr 2008 08:54:39 -0700 (PDT)
Received: from office.denic.de (gw-office.denic.de [81.91.160.182]) by core3.amsl.com (Postfix) with ESMTP id 50A443A6D94 for <dnsop@ietf.org>; Mon, 14 Apr 2008 08:54:39 -0700 (PDT)
Received: from x27.adm.denic.de ([10.122.64.128]) by office.denic.de with esmtp id 1JlR1Q-0004iR-US; Mon, 14 Apr 2008 17:55:08 +0200
Received: from localhost by x27.adm.denic.de with local id 1JlR13-0006MT-HX; Mon, 14 Apr 2008 17:54:45 +0200
Date: Mon, 14 Apr 2008 17:54:45 +0200
From: Peter Koch <pk@DENIC.DE>
To: IETF DNSOP WG <dnsop@ietf.org>
Message-ID: <20080414155445.GE10249@x27.adm.denic.de>
References: <20080404151957.GK1184@commandprompt.com> <C41BFEF4.75F6%john.crain@icann.org>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <C41BFEF4.75F6%john.crain@icann.org>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [DNSOP] AS112 for TLDs
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsop-bounces@ietf.org
Errors-To: dnsop-bounces@ietf.org

On Fri, Apr 04, 2008 at 03:51:16PM -0700, John L. Crain wrote:

> I don't think the disease is life threatening. I keep hearing about the "Problem" of bogus queries to the root. It is certainly messy and ugly but from my perspective as an operator it is more of irritant than anything else. The capacity building for root operators, at least in our case, is not built around those bogus queries, it's build around other problems such as the number of hosts with weak security that are available for use in DDOS attacks.

thanks, John, for bringing this up.  The topic is re-occuring and for judging the
cure vs. the disease we would need to know not only how widespread the disease
is (in percent of the queries), but whether the patient actually suffers.
Also, it would be interesting to not only watch the "bogus" queries but also
at the ratio of "bogus" vs. "legitimate" queries per source IP address, also
taking into account other query parameters.  This would help getting an idea
whether measures implemented in the average recursive full resolver would
actually lead to a significant change.

For the "AS112 for TLDs" I sense there is consensus to go to WGLC with maintaining
the drafts' current focus.

> For now I still believe the best answer is to keep answering with NXDOMAIN and hoping that one day, this is where I am delusional,  that those do the querying will fix their end of the problem...

Since "information leakage" has been mentioned already and additional delay
is another concern on the client side, it might be worth addressing the "disease"
from this end. However, we have no indication that anybody actually suffers here.

So, unless we'd like to live with the topic popping up over again, we could try
a "trade offs document" for a start.  Not sure this will end up as something
to be reasonably published as an RFC, but it might at least serve as a pointer
target next time the idea comes up.

-Peter
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

v2.23.0 | Report a Bug | By Email