Re: [DNSOP] DNS privacy : now at least two drafts

Florian Weimer <fw@deneb.enyo.de> Sun, 16 March 2014 15:07 UTC

From: Florian Weimer <fw@deneb.enyo.de>
To: Mark Andrews <marka@isc.org>
References: <20131217112527.GA18176@nic.fr> <87ob1geis0.fsf@mid.deneb.enyo.de> <20140308165741.GA15121@laperouse.bortzmeyer.org> <8761noehzv.fsf@mid.deneb.enyo.de> <20140308173456.GB17348@laperouse.bortzmeyer.org> <87fvmsd0nk.fsf@mid.deneb.enyo.de> <20140311080053.5FCF910E2D41@rock.dv.isc.org>
Date: Sun, 16 Mar 2014 16:07:20 +0100
In-Reply-To: <20140311080053.5FCF910E2D41@rock.dv.isc.org> (Mark Andrews's message of "Tue, 11 Mar 2014 19:00:53 +1100")
Message-ID: <87y50auqqf.fsf@mid.deneb.enyo.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/dnsop/kr0U7zxDmDNONyDCCmFjc_HT7Io
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] DNS privacy : now at least two drafts

* Mark Andrews:

>>>    Another note is that the answer to the NS query, unlike the referral
>>>    sent when the question is a full qname, is in the Answer section, not
>>>    in the Authoritative section.  It has probably no practical
>>>    consequences.
>> 
>> Most resolvers do not make NS queries, and some authoritative servers
>> do not return useful data (or any data at all).  So using NS queries
>> for zone cut discovery does not work reliably.
>
> Any resolver that is DNSSEC aware will make NS queries (whether
> validating or not).

Really?  Where is this mentioned in the protocol RFCs?

> Nameservers that fail to handle NS queries are broken.  More NS
> queries would be good for the overall health of the DNS as it would
> flush out the broken servers.

Sure, but in practice, no one wants to be the person who exerts this
pressure on zone publishers.
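As an added example (not code from the thread or its participants), here is a label-walking zone cut finder in Python run against a constructed mock of NS answers. It records a cut only when the NS RRset arrives in the Answer section, treats an NS RRset in the Authority section as a referral, and shows how a server that returns no data to NS queries leaves the method undecided, which is the unreliability discussed above.

```python
# Added example (not from the thread): zone-cut discovery by walking labels
# with NS queries, run against a constructed mock of authoritative answers so
# it works offline. All names and server data below are made up.
from dataclasses import dataclass, field


@dataclass
class Response:
    answer: list = field(default_factory=list)     # NS RRs in the Answer section
    authority: list = field(default_factory=list)  # NS RRs in the Authority section (referral)
    nodata: bool = False                           # NOERROR with nothing useful returned


# Constructed mock of what an authoritative server returns to "NS <name>".
MOCK_NS_ANSWERS = {
    "example.": Response(answer=["ns1.example.", "ns2.example."]),
    "sub.example.": Response(answer=["ns1.sub.example."]),         # a real zone cut
    "www.sub.example.": Response(authority=["ns1.sub.example."]),  # referral, not a cut
    "broken.": Response(nodata=True),                              # server ignores NS queries
    "www.broken.": Response(nodata=True),
}


def ns_query(name):
    """Stand-in for a real NS lookup; unknown names behave like a broken server."""
    return MOCK_NS_ANSWERS.get(name, Response(nodata=True))


def find_zone_cuts(qname):
    """Walk from the top label downward, issuing an NS query for each ancestor.

    Returns (cuts, undecided): names confirmed as zone cuts because the NS
    RRset came back in the Answer section, and names where the server returned
    no data at all, so NS-query-based discovery cannot tell either way.
    """
    labels = [lab for lab in qname.rstrip(".").split(".") if lab]
    cuts, undecided = [], []
    for i in range(len(labels) - 1, -1, -1):
        ancestor = ".".join(labels[i:]) + "."
        resp = ns_query(ancestor)
        if resp.answer:
            cuts.append(ancestor)          # authoritative NS RRset: a zone cut
        elif resp.nodata:
            undecided.append(ancestor)     # nothing useful: method cannot decide
        # NS only in the Authority section is a referral: no cut at this name
    return cuts, undecided


if __name__ == "__main__":
    print(find_zone_cuts("www.sub.example."))  # (['example.', 'sub.example.'], [])
    print(find_zone_cuts("www.broken."))       # ([], ['broken.', 'www.broken.'])
```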