Re: [DNSOP] Priming query transport selection

Olafur Gudmundsson <> Wed, 13 January 2010 21:21 UTC

Date: Wed, 13 Jan 2010 16:05:49 -0500
To: Alex Bligh <>,
From: Olafur Gudmundsson <>
In-Reply-To: <4748449C0E5079B5A4376DF3@Ximines.local>
Subject: Re: [DNSOP] Priming query transport selection
List-Id: IETF DNSOP WG mailing list <>

At 15:01 13/01/2010, Alex Bligh wrote:

>--On 13 January 2010 13:19:30 -0500 Olafur Gudmundsson <> wrote:
>>Going forward I think this is a bad recommendation.  I would like to
>>propose that the document take the plunge of recommending that
>>modern DNSSEC capable resolvers perform the priming query over TCP.
>>By making this change section 2.4 can be dropped, the one
>>on not asking for signed answers.
>Not sure I agree.
>I think there is a good case to be made that IF the DO bit is set,
>THEN the response SHOULD be made over TCP, but you are asking
>that even non DNSSEC capable resolvers which would query with
>DO clear make queries over TCP; in these instances the response
>packet would be much smaller.

DNSSEC compliance requires EDNS0; see RFC 4035, sections 4.1 and 3.
Why not ask for signatures?
A paranoid validating resolver will need them to make sure the
glue is not forged, in particular if the answer over the wire differs
from what the validator was bootstrapped with.

With DNSSEC validation you can ignore which section an answer came from
if you can create a trust chain to the data.
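Added example, not part of the thread above and not code from any resolver: a priming query ('. IN NS') built with an EDNS0 OPT record and the DO bit set, length-framed for TCP, and the structural checks a validating resolver can make on the reply before it cryptographically verifies anything (no truncation, DO echoed, an RRSIG signed by "." covering the NS RRset, glue present for every NS name, and the NS set compared with the hints the resolver was bootstrapped with). Cryptographic verification against the root trust anchor is deliberately not done here. The reply it checks is constructed in the block itself: the NS names reuse the root-servers.net naming pattern, but the address (TEST-NET-1), key tag and signature bytes are dummies.

```python
# Added example: priming query with EDNS0/DO over TCP, plus pre-validation checks.
import struct

TYPE_A, TYPE_NS, TYPE_OPT, TYPE_RRSIG, CLASS_IN = 1, 2, 41, 46, 1
DO_FLAG, TC_FLAG = 0x8000, 0x0200  # DO bit in the OPT TTL field; TC bit in header flags

def encode_name(name):
    """Wire-encode a domain name; the root "." is a single zero octet."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def build_priming_query(msg_id, do=True, udp_size=4096):
    """Header with RD set, question '. IN NS', OPT RR advertising EDNS0 (+DO)."""
    header = struct.pack(">HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(".") + struct.pack(">HH", TYPE_NS, CLASS_IN)
    opt = encode_name(".") + struct.pack(">HHIH", TYPE_OPT, udp_size, DO_FLAG if do else 0, 0)
    return header + question + opt

def tcp_frame(msg):
    """RFC 1035 4.2.2: over TCP each message is preceded by a 2-octet length."""
    return struct.pack(">H", len(msg)) + msg

def parse_message(msg):
    """Parse header, question and RR sections; keep rdata offsets for decompression."""
    msg_id, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    off, questions, sections = 12, [], {}
    for _ in range(qd):
        name, off = decode_name(msg, off)
        questions.append((name,) + struct.unpack(">HH", msg[off:off + 4]))
        off += 4
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
            off += 10
            rrs.append({"name": name, "type": rtype, "ttl": ttl,
                        "rdata": msg[off:off + rdlen], "rdata_off": off})
            off += rdlen
        sections[key] = rrs
    return {"id": msg_id, "flags": flags, "questions": questions, **sections}

def check_priming_response(resp, hints):
    """Not truncated, DO echoed, RRSIG by "." over the NS RRset, glue for every NS,
    and the NS set compared with the hints the resolver was bootstrapped with."""
    m = parse_message(resp)
    ns_names = {decode_name(resp, rr["rdata_off"])[0]
                for rr in m["answer"] if rr["type"] == TYPE_NS}
    # RRSIG rdata: type covered at offset 0, signer name at offset 18 (RFC 4034 3.1)
    rrsig_ok = any(rr["type"] == TYPE_RRSIG
                   and struct.unpack(">H", rr["rdata"][:2])[0] == TYPE_NS
                   and decode_name(resp, rr["rdata_off"] + 18)[0] == "."
                   for rr in m["answer"])
    opt = [rr for rr in m["additional"] if rr["type"] == TYPE_OPT]
    glue = {rr["name"] for rr in m["additional"] if rr["type"] == TYPE_A}
    return {"truncated": bool(m["flags"] & TC_FLAG),
            "do_echoed": bool(opt and opt[0]["ttl"] & DO_FLAG),
            "rrsig_covers_ns": rrsig_ok,
            "missing_glue": sorted(ns_names - glue),
            "differs_from_hints": sorted(ns_names ^ set(hints))}

def build_sample_response(query):
    """Constructed reply, not real root data: two NS names, one RRSIG over the NS
    RRset with a dummy signature, glue for only the first name, OPT echoing DO."""
    names = ["a.root-servers.net.", "b.root-servers.net."]
    def rr(name, rtype, ttl, rdata):
        return encode_name(name) + struct.pack(">HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", struct.unpack(">H", query[:2])[0], 0x8400, 1, 3, 0, 2)
    question = encode_name(".") + struct.pack(">HH", TYPE_NS, CLASS_IN)
    # RRSIG rdata: covered, alg, labels, orig TTL, expiration, inception, key tag, signer, sig
    rrsig = (struct.pack(">HBBIIIH", TYPE_NS, 8, 0, 518400, 0x60000000, 0x5F000000, 12345)
             + encode_name(".") + b"\x00" * 32)  # key tag and signature are dummies
    answer = b"".join(rr(".", TYPE_NS, 518400, encode_name(n)) for n in names)
    answer += rr(".", TYPE_RRSIG, 518400, rrsig)
    additional = rr(names[0], TYPE_A, 518400, bytes([192, 0, 2, 1]))  # TEST-NET-1 address
    additional += encode_name(".") + struct.pack(">HHIH", TYPE_OPT, 4096, DO_FLAG, 0)
    return header + question + answer + additional

def run_demo(hints=("a.root-servers.net.", "b.root-servers.net.")):
    wire = tcp_frame(build_priming_query(0x1234))  # what would go on the TCP socket
    return check_priming_response(build_sample_response(wire[2:]), hints)

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` reports the second NS name as missing glue and no difference from the hints; a validator that sees a non-empty `differs_from_hints` is exactly the case where it needs the RRSIG over the NS RRset (and over the glue owners' own zones) rather than trusting whichever section the data arrived in. The check for truncation is what the TCP choice removes: with DO set the signed root NS RRset plus glue can exceed a 512-octet UDP reply, and a truncated answer forces the fallback this thread is discussing.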