Re: [DNSOP] Priming query transport selection

Olafur Gudmundsson <ogud@ogud.com> Wed, 13 January 2010 21:21 UTC

Message-Id: <201001132126.o0DLQDPX070042@stora.ogud.com>
Date: Wed, 13 Jan 2010 16:05:49 -0500
To: Alex Bligh <alex@alex.org.uk>, dnsop@ietf.org
From: Olafur Gudmundsson <ogud@ogud.com>
In-Reply-To: <4748449C0E5079B5A4376DF3@Ximines.local>
References: <201001131823.o0DINxYv068180@stora.ogud.com> <4748449C0E5079B5A4376DF3@Ximines.local>
Subject: Re: [DNSOP] Priming query transport selection

At 15:01 13/01/2010, Alex Bligh wrote:
>--On 13 January 2010 13:19:30 -0500 Olafur Gudmundsson <ogud@ogud.com> wrote:
>
>>Going forward I think this is a bad recommendation.  I would like to
>>propose that the document take the plunge of recommending that
>>modern DNSSEC capable resolvers perform the priming query over TCP.
>...
>>By making this change section 2.4 can be dropped, the one
>>on not asking for signed answers.
>
>Not sure I agree.
>
>I think there is a good case to be made that IF the DO bit is set,
>THEN the response SHOULD be made over TCP, but you are asking
>that even non DNSSEC capable resolvers which would query with
>DO clear make queries over TCP; in these instances the response
>packet would be much smaller.

DNSSEC compliance requires EDNS0, see RFC 4035 sections 4.1 and 3.
Why not ask for signatures?
A Paranoid Validating Resolver will need them to make sure the
glue is not forged, in particular if the answer over the wire is different
from what the validator was bootstrapped with.

With DNSSEC validation you can ignore which section an answer came from
if you can create a trust chain to the data.

         Olafur
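The checks argued for in this exchange, as an added example that is not part of the thread and not code from any resolver: a priming query (`. IN NS`) sent with EDNS0 and the DO bit set and framed for TCP, and a check on the priming response that requires an RRSIG on the root NS RRset and compares the additional-section glue against the addresses the resolver was bootstrapped with. It uses only the Python standard library; the hint names (`ns1.example.`, `ns2.example.`), their 192.0.2.x addresses and the sample responses are constructed, and the RRSIG signature bytes are dummies, so no signature validation against a trust anchor is attempted.

```python
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG = 1, 2, 41, 46
DO_BIT = 0x8000    # DO flag is the high bit of the OPT RR's TTL field
FLAG_TC = 0x0200   # TC bit in the header flags


def encode_name(name):
    """Wire-encode a dotted name; '.' encodes as a single zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf, off):
    """Decode a (possibly compressed) name at buf[off]; returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | buf[off + 1], True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def rr(name, rtype, ttl, rdata, rclass=1):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_priming_query(msg_id=0x1234, udp_size=4096):
    """'. IN NS' with an EDNS0 OPT RR and DO set, framed for TCP (2-byte length prefix)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1)   # RD clear; 1 question, 1 additional (OPT)
    question = encode_name(".") + struct.pack("!HH", TYPE_NS, 1)
    opt = rr(".", TYPE_OPT, DO_BIT, b"", rclass=udp_size)    # OPT: class = UDP payload size, TTL = flags
    msg = header + question + opt
    return struct.pack("!H", len(msg)) + msg


def parse_records(buf, off, count):
    rrs = []
    for _ in range(count):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        # NS rdata is a name that may be compressed, so decode it against the whole message
        rdata = decode_name(buf, off)[0] if rtype == TYPE_NS else bytes(buf[off:off + rdlen])
        off += rdlen
        rrs.append((name, rtype, rclass, ttl, rdata))
    return rrs, off


def parse_message(tcp_bytes):
    """Parse a TCP-framed DNS message into header fields and RR sections."""
    (length,) = struct.unpack("!H", tcp_bytes[:2])
    buf = tcp_bytes[2:2 + length]
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(buf, off)[1] + 4                 # skip QTYPE/QCLASS
    answer, off = parse_records(buf, off, an)
    authority, off = parse_records(buf, off, ns)
    additional, off = parse_records(buf, off, ar)
    return {"id": msg_id, "flags": flags, "answer": answer, "authority": authority, "additional": additional}


def rrsig_covers(rrs, owner, rtype):
    """True if rrs holds an RRSIG for owner whose 'type covered' (first 2 rdata bytes) is rtype."""
    return any(t == TYPE_RRSIG and n == owner and struct.unpack("!H", rd[:2])[0] == rtype
               for n, t, _, _, rd in rrs)


def check_priming_response(tcp_bytes, expected_id, hints):
    """List problems with a priming response (empty == acceptable); hints = {ns name: {IPv4}}."""
    msg, problems = parse_message(tcp_bytes), []
    if msg["id"] != expected_id:
        problems.append("message ID does not match the query")
    if msg["flags"] & FLAG_TC:
        problems.append("TC set: response truncated even over TCP")
    ns_names = {rd for n, t, _, _, rd in msg["answer"] if t == TYPE_NS and n == "."}
    if not ns_names:
        problems.append("no NS RRset for the root in the answer section")
    elif not rrsig_covers(msg["answer"], ".", TYPE_NS):
        problems.append("root NS RRset carries no RRSIG although DO was set")
    glue = {}
    for n, t, _, _, rd in msg["additional"]:
        if t == TYPE_A:
            glue.setdefault(n, set()).add(".".join(str(b) for b in rd))
    for n, addrs in sorted(glue.items()):                  # glue is unsigned: compare against the hints
        if n not in ns_names:
            problems.append(f"glue for {n}, which is not in the root NS RRset")
        elif addrs != hints.get(n, set()):
            problems.append(f"glue for {n} differs from bootstrap hints: {sorted(addrs)}")
    return problems


def constructed_priming_response(msg_id, ns_names, glue, signed=True):
    """Constructed sample response (not a capture); the RRSIG signature bytes are dummies."""
    answer = b"".join(rr(".", TYPE_NS, 518400, encode_name(n)) for n in ns_names)
    if signed:  # RRSIG rdata: type covered, alg, labels, orig TTL, expiration, inception, key tag, signer, sig
        sig = struct.pack("!HBBIIIH", TYPE_NS, 8, 0, 518400, 0, 0, 0) + encode_name(".") + b"\x00" * 16
        answer += rr(".", TYPE_RRSIG, 518400, sig)
    additional = b"".join(rr(n, TYPE_A, 518400, bytes(int(x) for x in a.split("."))) for n, a in glue)
    header = struct.pack("!HHHHHH", msg_id, 0x8400, 1, len(ns_names) + int(signed), 0, len(glue))  # QR, AA
    msg = header + encode_name(".") + struct.pack("!HH", TYPE_NS, 1) + answer + additional
    return struct.pack("!H", len(msg)) + msg


# Hypothetical bootstrap hints (constructed; documentation addresses, not real root servers)
HINTS = {"ns1.example.": {"192.0.2.1"}, "ns2.example.": {"192.0.2.2"}}
NS_NAMES = sorted(HINTS)
GOOD_GLUE = [("ns1.example.", "192.0.2.1"), ("ns2.example.", "192.0.2.2")]
FORGED_GLUE = [("ns1.example.", "192.0.2.99"), ("ns2.example.", "192.0.2.2")]

if __name__ == "__main__":
    print("priming query (TCP-framed):", build_priming_query().hex())
    for label, resp in [("signed, glue matches", constructed_priming_response(0x1234, NS_NAMES, GOOD_GLUE)),
                        ("unsigned NS RRset", constructed_priming_response(0x1234, NS_NAMES, GOOD_GLUE, False)),
                        ("glue differs", constructed_priming_response(0x1234, NS_NAMES, FORGED_GLUE))]:
        print(f"{label}: {check_priming_response(resp, 0x1234, HINTS) or 'OK'}")
```

The split between the two checks is the point: the root NS RRset is signed, so a validator can demand an RRSIG for it once DO is set, whereas the glue in the additional section is not covered by a signature, so the most a resolver can do with it at priming time is notice that it differs from the addresses it was bootstrapped with and then confirm the new addresses through a validated lookup rather than trusting the additional section.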