Re: [DNSOP] DNS privacy : now at least two drafts

Stephane Bortzmeyer <> Sat, 08 March 2014 17:37 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id D0E371A02B5 for <>; Sat, 8 Mar 2014 09:37:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_37=0.6] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ewJF3pOYRl33 for <>; Sat, 8 Mar 2014 09:37:40 -0800 (PST)
Received: from ( [IPv6:2001:4b98:dc0:41:216:3eff:fece:1902]) by (Postfix) with ESMTP id 7E2A11A0205 for <>; Sat, 8 Mar 2014 09:37:40 -0800 (PST)
Received: by (Postfix, from userid 10) id 63D2C3C241; Sat, 8 Mar 2014 17:37:33 +0000 (UTC)
Received: by tyrion (Postfix, from userid 1000) id AE17BF00C93; Sat, 8 Mar 2014 18:34:56 +0100 (CET)
Date: Sat, 8 Mar 2014 17:34:56 +0000
From: Stephane Bortzmeyer <>
To: Florian Weimer <>
Message-ID: <>
References: <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
X-Transport: UUCP rules
X-Operating-System: Ubuntu 13.10 (saucy)
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [DNSOP] DNS privacy : now at least two drafts
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 08 Mar 2014 17:37:42 -0000

On Sat, Mar 08, 2014 at 06:07:48PM +0100,
 Florian Weimer <> wrote 
 a message of 17 lines which said:

> > It is. Section 2.2.2
> Can you quote it here? 

2.2.2.  In the authoritative name servers

   A possible solution would be to minimize the amount of data sent from
   the resolver.  When a resolver receives the query "What is the AAAA
   record for"quot;, it sends to the root (assuming a cold
   resolver, whose cache is empty) the very same question.  Sending
   "What are the NS records for .com?"  would be sufficient (since it
   will be the answer from the root anyway).  To do so would be
   compatible with the current DNS system and therefore could be
   deployable, since it is an unilateral change to the resolvers.

   To do so, the resolver needs to know the zone cut [RFC2181].  There
   is not a zone cut at every label boundary.  If we take the name, it is possible that there is a zone cut between
   "foo" and "bar" but not between "bar" and "example".  So, assuming
   the resolver already knows the name servers of .example, when it
   receives the query "What is the AAAA record of"quot;,
   it does not always know if the request should be sent to the name
   servers of bar.example or to those of example.  [RFC2181] suggests an
   algorithm to find the zone cut, so resolvers may try it.

   Note that DNSSEC-validating resolvers already have access to this
   information, since they have to find the zone cut (the DNSKEY record
   set is just below, the DS record set just above).

   It can be noted that minimizing the amount of data sent also
   partially addresses the case of a wire sniffer.

   One should note that the behaviour suggested here (minimizing the
   amount of data sent in qnames) is NOT forbidden by the [RFC1034]
   (section 5.3.3) or [RFC1035] (section 7.2).  Sending the full qname
   to the authoritative name server is a tradition, not a protocol

   Another note is that the answer to the NS query, unlike the referral
   sent when the question is a full qname, is in the Answer section, not
   in the Authoritative section.  It has probably no practical