IETF Logo Mail Archive

Re: [DNSOP] [dnsext] Re: Priming query transport selection

Danny Mayer <mayer@gis.net> Sun, 24 January 2010 05:39 UTC

Return-Path: <mayer@gis.net>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1CE8C3A67F8 for <dnsop@core3.amsl.com>; Sat, 23 Jan 2010 21:39:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.699
X-Spam-Level:
X-Spam-Status: No, score=-0.699 tagged_above=-999 required=5 tests=[BAYES_50=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xbb6s5ZuuXwH for <dnsop@core3.amsl.com>; Sat, 23 Jan 2010 21:39:43 -0800 (PST)
Received: from gis.net (mx05.gis.net [208.218.130.13]) by core3.amsl.com (Postfix) with ESMTP id 163CA3A67E1 for <dnsop@ietf.org>; Sat, 23 Jan 2010 21:39:41 -0800 (PST)
Received: from [127.0.0.1] ([63.209.235.12]) by mx05.gis.net; Sun, 24 Jan 2010 00:38:26 -0500
Message-ID: <4B5BDCCB.50504@gis.net>
Date: Sun, 24 Jan 2010 00:38:19 -0500
From: Danny Mayer <mayer@gis.net>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Alfred HÎnes <ah@TR-Sys.de>
References: <201001132058.VAA11959@TR-Sys.de>
In-Reply-To: <201001132058.VAA11959@TR-Sys.de>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Mailman-Approved-At: Sun, 24 Jan 2010 01:36:57 -0800
Cc: namedroppers@ops.ietf.org, dnsop@ietf.org
Subject: Re: [DNSOP] [dnsext] Re: Priming query transport selection
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mayer@gis.net
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Jan 2010 05:39:44 -0000

Alfred HÎnes wrote:
> I apologize for cross-posting due to topical overlap.
> Please confine follow-up messages to the appropriate list.
> 
> 
> In the message to DNSOP regarding draft-ietf-dnsop-resolver-priming-02
> archived at
>   <http://www.IETF.ORG/mail-archive/web/dnsop/current/msg07843.html>,
> Olafur Gudmundsson scratched at a topic of interest to namedroppers
> as well; he wrote:
> 
>>  ...
>>
>> Background:
>> 26 signed glue records will require about 5K answer if each RRSet is
>> signed by a single 1024 bit RSA key.
>> This will never fit into an ENDS0 answer as number of implementations
>> have 4096 byte hard limit on answer size.
> 
> 
> Did you read the News these days?
> 
> An international team lead by the BSI (the "German NSA") and others
> has solved the RSA-768 challenge, and experts reportedly expect, due
> to significant progresses, that RSA-1024 will be solved in a rather
> short time, likely by the end of this year or so!
> 
> This means that we should immediately plan operationally for
> widespread use of 2048-bit RSA keys in the "near" future.
> 
> 
>> As of today all the root servers instances that my host reached
>> answered a TCP query.
>>
>> Proposed replacement text:
>>
>> |2.1.  Parameters of a Priming Query
>> |
>> |  A priming query MUST use a QNAME of "." and a QTYPE of NS, QCLASS
>> |  of IN, with RD bit set to 0, the source port of the query should
>> |  be randomly selected [RFC5452].
>> |
>> |  A DNSSEC aware resolver SHOULD sent the priming query over TCP.
>> |  If TCP is refused a different server SHOULD be tried, after 3 tries
>> |  the resolver SHOULD fall back on UDP.
>> |
>> |  A DNSSEC ignorant but EDNS0 capable, resolver SHOULD issue the
>> |  priming query over UDP, ENDS0 option MUST be included with buffer
>> |  size of 1220 or larger.  If the UDP query times out TCP SHOULD be
>> |  tried.
>> |
>> |  An EDNS0 ignorant resolver MUST issue the priming query over UDP.
>>
>> ...

I'm not sure I understand the point to this part. Since this is a draft
and you would be talking about the next versions of resolvers that would
be expect to support this (as opposed to existing ones) why would you
expect there to be any future resolver ignorant of DNSSEC? Aren't we
trying to make DNSSEC mandatory for future resolvers?

Danny

v2.23.0 | Report a Bug | By Email