IETF Logo Mail Archive

Re: [DNSOP] Authoritative servers announcing capabilities

Paul Wouters <paul@nohats.ca> Sat, 12 September 2020 04:19 UTC

Return-Path: <paul@nohats.ca>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A87F83A0B60 for <dnsop@ietfa.amsl.com>; Fri, 11 Sep 2020 21:19:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.078
X-Spam-Level:
X-Spam-Status: No, score=-2.078 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NO_DNS_FOR_FROM=0.001, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nohats.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JPuaIKeRToNa for <dnsop@ietfa.amsl.com>; Fri, 11 Sep 2020 21:19:47 -0700 (PDT)
Received: from mx.nohats.ca (mx.nohats.ca [IPv6:2a03:6000:1004:1::68]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4960E3A0B5A for <DNSOP@ietf.org>; Fri, 11 Sep 2020 21:19:47 -0700 (PDT)
Received: from localhost (localhost [IPv6:::1]) by mx.nohats.ca (Postfix) with ESMTP id 4BpKCN6CjRz20B; Sat, 12 Sep 2020 06:19:44 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nohats.ca; s=default; t=1599884384; bh=E6HXB/pAM84mVGydGmbkU/cc2j5t7w6ai34T37ZZCQM=; h=From:Subject:Date:References:Cc:In-Reply-To:To; b=l9RW+fz4uTpL44tr5TJMIzSLjeDdHyYoSsqIWiH98E/oFWpwsVtLRMFtNcaZJvXJU MaD0FbzSSfY9gJm29AARREYsVkG4a+DRPJLEnE4XcD/lNGDyKSIil0wa9E4duCI6Me HCYWrdICYKOvzIXZzmxlGmTnnLx4chzpfyWvUR8c=
X-Virus-Scanned: amavisd-new at mx.nohats.ca
Received: from mx.nohats.ca ([IPv6:::1]) by localhost (mx.nohats.ca [IPv6:::1]) (amavisd-new, port 10024) with ESMTP id xiEJuqEHGTj8; Sat, 12 Sep 2020 06:19:43 +0200 (CEST)
Received: from bofh.nohats.ca (unknown [193.110.157.194]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.nohats.ca (Postfix) with ESMTPS; Sat, 12 Sep 2020 06:19:43 +0200 (CEST)
Received: from [193.110.157.210] (unknown [193.110.157.210]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by bofh.nohats.ca (Postfix) with ESMTPSA id E0A216029BA6; Sat, 12 Sep 2020 00:19:41 -0400 (EDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Paul Wouters <paul@nohats.ca>
Mime-Version: 1.0 (1.0)
Date: Sat, 12 Sep 2020 00:19:40 -0400
Message-Id: <3AEBFFCA-4189-47A3-BFBB-7CE8554DD352@nohats.ca>
References: <20200912013402.GB703318@mycre.ws>
Cc: DNSOP@ietf.org
In-Reply-To: <20200912013402.GB703318@mycre.ws>
To: Robert Edmonds <edmonds@mycre.ws>
X-Mailer: iPhone Mail (17H35)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gDl1MCwZ1wMtctI3u_aXya3dJVk>
Subject: Re: [DNSOP] Authoritative servers announcing capabilities
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Sep 2020 04:19:49 -0000

On Sep 11, 2020, at 21:34, Robert Edmonds <edmonds@mycre.ws> wrote:
> 
> Paul Wouters wrote:
>>> On Sep 11, 2020, at 20:48, Paul Vixie <paul@redbarn.org> wrote:
>>> 
>>> On Sat, Sep 12, 2020 at 09:40:11AM +1000, Mark Andrews wrote:
>>>> and why is it a RR type at all.  An EDNS option or a opcode is better suited
>>>> for this sort of thing.
>>> 
>>> +1.
>> 
>> An RR type can be signed and distributed differently and allow for preloading of (distributed) caches which enhanced the decentralization of recursive DNS servers.
> 
> As described in -00, a cached and re-distributed AUTHINFO RR is useless
> unless you know what nameserver address it applies to, and if an
> AUTHINFO RR isn't trustworthy unless it's signed then the AUTHINFO RR
> would need to embed the nameserver address that it applies to so that
> that information can be signed and validated as well.
> 

Put the RR at each NS name, eg _encdns.ns0.nohats.ca. 

Paul

v2.23.0 | Report a Bug | By Email