Re: [DNSOP] BULK RR as optional feature

Evan Hunt <each@isc.org> Wed, 29 March 2017 04:03 UTC

Date: Wed, 29 Mar 2017 04:03:41 +0000
From: Evan Hunt <each@isc.org>
To: John R Levine <johnl@taugh.com>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>
Message-ID: <20170329040341.GA27262@isc.org>
References: <20170328183156.2467.qmail@ary.lan> <20170328205151.GB23312@isc.org> <A05B583C828C614EBAD1DA920D92866BD0717CFC@PODCWMBXEX501.ctl.intranet> <20170329021935.GA25314@isc.org> <alpine.OSX.2.20.1703282245500.4804@ary.local>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/g8jZoCGGx3ZHA3-dnKrDqoOvZ2k>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>

On Tue, Mar 28, 2017 at 10:47:02PM -0500, John R Levine wrote:
> That's exactly the problem -- a server that doesn't handle BULK will 
> return the wrong answer.  It might return the BULK record itself or 
> NXDOMAIN for an address that BULK would synthesize.

And, if the zone is signed, it'll be provably wrong.  I don't think it's
enough to handwave the problem as "not of great concern". At least,
please add some operational advice that BULK is not to be deployed in
any domain unless all auth servers for that domain fully implement it.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
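The failure mode discussed in this message (a server that ignores the BULK RR giving a negative answer for a name a BULK-aware server would synthesize, and an operator check that every auth server agrees before the record is deployed) can be modelled in a few dozen lines. The code below is an added illustration written for this archive page, not code from the thread, the draft or ISC. The synthesis rule it uses (`a-b-c-d.dyn.example` maps to `A a.b.c.d`) is a hypothetical stand-in chosen for readability and is not the draft's actual BULK pattern syntax; the zone contents, server names and the `Zone` data structure are constructed for the example.

```python
"""
Constructed model of the BULK deployment hazard discussed on the list:
a BULK-aware server synthesizes an answer, a legacy server on the same
zone returns NODATA/NXDOMAIN, and in a signed zone that negative answer
comes with NSEC/NSEC3 proof so a validator accepts it as authentic.
The synthesis rule below is a hypothetical stand-in, not the draft's syntax.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

NXDOMAIN = "NXDOMAIN"
NODATA = "NODATA"


@dataclass
class Zone:
    origin: str
    records: dict                     # (owner, rtype) -> list of rdata strings
    bulk_owner: Optional[str] = None  # hypothetical: wildcard owner carrying the BULK rule
    signed: bool = False              # whether the zone is DNSSEC-signed


# Hypothetical rule: "192-0-2-55.dyn.example." synthesizes "A 192.0.2.55".
_HOST_RE = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})$")


def synthesize(qname: str, zone: Zone) -> Optional[str]:
    """Return the A rdata a BULK-aware server would generate for qname, or None."""
    if zone.bulk_owner is None or not zone.bulk_owner.startswith("*."):
        return None
    labels = qname.split(".")
    if ".".join(labels[1:]) != zone.bulk_owner[2:]:
        return None
    m = _HOST_RE.match(labels[0])
    if not m:
        return None
    try:  # reject out-of-range octets such as 999-0-0-1
        return str(ipaddress.IPv4Address(".".join(m.groups())))
    except ipaddress.AddressValueError:
        return None


def answer_legacy(zone: Zone, qname: str, qtype: str):
    """Server that does not implement BULK: plain exact match, then wildcard match."""
    if (qname, qtype) in zone.records:
        return ("NOERROR", zone.records[(qname, qtype)])
    if any(owner == qname for owner, _ in zone.records):
        return (NODATA, [])
    # The wildcard owner exists but only holds the (unknown) BULK type, so the
    # legacy server sees a name with no A records rather than a synthesized one.
    wild = "*." + qname.split(".", 1)[1]
    if (wild, qtype) in zone.records:
        return ("NOERROR", zone.records[(wild, qtype)])
    if any(owner == wild for owner, _ in zone.records):
        return (NODATA, [])
    return (NXDOMAIN, [])


def answer_bulk_aware(zone: Zone, qname: str, qtype: str):
    """Server that implements BULK: try synthesis first, then behave like legacy."""
    if qtype == "A":
        addr = synthesize(qname, zone)
        if addr is not None:
            return ("NOERROR", [addr])
    return answer_legacy(zone, qname, qtype)


def negative_answer_validates(zone: Zone, rcode: str) -> bool:
    """In a signed zone a legacy server's negative answer carries a denial-of-existence
    proof, so a validating resolver accepts the wrong answer as authentic."""
    return zone.signed and rcode in (NXDOMAIN, NODATA)


def deployment_check(servers: dict, zone: Zone, probe_names: list) -> dict:
    """Pre-deployment check matching the advice in the message: every auth server
    must agree with a BULK-aware reference for names the rule would synthesize.
    Returns {server: [(qname, expected, got, validator_accepts_wrong_answer)]}."""
    mismatches = {}
    for qname in probe_names:
        expected = answer_bulk_aware(zone, qname, "A")
        for name, serve in servers.items():
            got = serve(zone, qname, "A")
            if got != expected:
                mismatches.setdefault(name, []).append(
                    (qname, expected, got, negative_answer_validates(zone, got[0])))
    return mismatches


# Constructed sample zone and a constructed mixed set of authoritative servers.
ZONE = Zone(
    origin="example.",
    records={
        ("example.", "SOA"): ["ns1.example. hostmaster.example. 1 3600 900 604800 300"],
        ("example.", "NS"): ["ns1.example.", "ns2.example."],
        ("www.example.", "A"): ["192.0.2.10"],
        ("*.dyn.example.", "BULK"): ["<hypothetical rule: a-b-c-d -> A a.b.c.d>"],
    },
    bulk_owner="*.dyn.example.",
    signed=True,
)
SERVERS = {"ns1.example. (BULK-aware)": answer_bulk_aware,
           "ns2.example. (legacy)": answer_legacy}
PROBES = ["192-0-2-55.dyn.example.", "www.example.", "nope.example."]

if __name__ == "__main__":
    for qname in PROBES:
        for name, serve in SERVERS.items():
            print(f"{qname:28} {name:26} {serve(ZONE, qname, 'A')}")
    print("mismatches:", deployment_check(SERVERS, ZONE, PROBES))
```

Running it shows both servers agreeing on `www.example.` and `nope.example.` but disagreeing on the synthesized name: the BULK-aware server returns `192.0.2.55`, the legacy one returns NODATA, and because the zone is signed the check flags that a validator would accept that negative answer. The same comparison, pointed at real servers, is the kind of pre-flight test the message asks operators to run before a BULK record goes into a zone.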