Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

Evan Hunt <each@isc.org> Thu, 01 October 2015 02:58 UTC

Date: Thu, 01 Oct 2015 02:58:33 +0000
From: Evan Hunt <each@isc.org>
To: Ólafur Guðmundsson <olafuratcloudflare.com@isc.org>
Message-ID: <20151001025833.GA51655@isc.org>
References: <20150930190405.17300.40441.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/lJSEwr19LnSbv7qaDfbRddvWlqg>
Cc: dnsop <dnsop@ietf.org>
Subject: Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

On Wed, Sep 30, 2015 at 04:20:25PM -0700, Ólafur Guðmundsson wrote:
> FYI,
> this is the latest incarnation of how to give out a minimal answer to an ANY
> query without breaking anything and being friendly to resolvers.
> Olafur

This was discussed at some length back around the Toronto IETF
and I made a suggestion that seemed to garner fairly wide support,
i.e., selecting a single RRset from the ANY response and returning
only that.  See:

  https://www.ietf.org/mail-archive/web/dnsop/current/msg13945.html

...and its followups. Is there a reason you decided not to go in
that direction?  (I'd be happy to contribute text if you like.)

The new proposal to return an empty HINFO record has the advantage of
a smaller response, but will be inconvenient for DNSSEC-signed zones,
unless the server has access to the signing key and can generate a
covering RRSIG. This should be mentioned in security considerations.

The pick-one-RRset mechanism doesn't have this problem, because
the covering RRSIG will already exist for whichever RRset is
returned.

--
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
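The two ways of answering ANY that this message compares, worked through as an added Python example that is not part of the thread, the draft or any ISC code. The zone, the owner name, the "signing key" and the RRSIG stand-in (an HMAC over the canonical RRset rather than a real DNSSEC signature) are all constructed for the illustration, and the type-preference order used by the pick-one responder is an assumption of the example, not something the list agreed on.

```python
"""Minimal answers to DNS ANY, modelled two ways:

  * pick-one-RRset: return one RRset that already exists at the name, with the
    RRSIG produced when the zone was signed;
  * synthesized HINFO: return an empty HINFO RRset that the zone never held, so
    the server must create a covering RRSIG itself, which needs the signing key.

Everything here is constructed for illustration: no real DNS packets, keys or
DNSSEC signatures are produced.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple
import hashlib
import hmac


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]


# Stand-in zone signing key (constructed). Real DNSSEC uses a DNSKEY pair; an
# HMAC over the canonical RRset is enough to model "has a covering RRSIG".
ZSK = b"constructed-example-zsk"


def make_rrsig(rrset: RRset, key: bytes) -> str:
    """Stand-in RRSIG over one RRset (hypothetical helper, not real DNSSEC)."""
    canon = "|".join([rrset.name, rrset.rtype, *sorted(rrset.rdata)]).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


@dataclass
class Zone:
    rrsets: Dict[str, List[RRset]]        # owner name -> RRsets at that name
    rrsigs: Dict[Tuple[str, str], str]    # (owner, type) -> RRSIG from signing time
    signing_key: Optional[bytes] = None   # None: the server has no access to the ZSK


def build_signed_zone(signing_key: Optional[bytes] = None) -> Zone:
    """Constructed zone: one name with A, AAAA, MX and TXT, all signed offline."""
    owner = "www.example."
    sets = [
        RRset(owner, "A", ("192.0.2.1",)),
        RRset(owner, "AAAA", ("2001:db8::1",)),
        RRset(owner, "MX", ("10 mail.example.",)),
        RRset(owner, "TXT", ('"v=spf1 -all"',)),
    ]
    sigs = {(r.name, r.rtype): make_rrsig(r, ZSK) for r in sets}
    return Zone({owner: sets}, sigs, signing_key)


Answer = List[Tuple[RRset, Optional[str]]]   # (RRset, covering RRSIG or None)


def answer_any_pick_one(zone: Zone, owner: str,
                        preference: Sequence[str] = ("A", "AAAA", "MX", "TXT")) -> Answer:
    """Pick-one-RRset: answer ANY with a single RRset already present at the
    name, plus the RRSIG created when the zone was signed. The preference
    order is an assumption of this example; any type at the name would do."""
    at_name = {r.rtype: r for r in zone.rrsets.get(owner, [])}
    for rtype in list(preference) + sorted(at_name):   # fall back to whatever exists
        if rtype in at_name:
            return [(at_name[rtype], zone.rrsigs.get((owner, rtype)))]
    return []   # nothing at the name: a real server would answer NODATA/NXDOMAIN


def answer_any_hinfo(zone: Zone, owner: str) -> Answer:
    """Synthesized empty HINFO: no RRSIG for it exists in the signed zone, so the
    server can only attach one if it holds the signing key itself."""
    hinfo = RRset(owner, "HINFO", ('"" ""',))
    sig = make_rrsig(hinfo, zone.signing_key) if zone.signing_key else None
    return [(hinfo, sig)]


def validates(answer: Answer, dnskey: bytes = ZSK) -> bool:
    """Validating resolver's view: every RRset in the answer needs an RRSIG
    that verifies under the zone's key; a missing or foreign RRSIG is bogus."""
    if not answer:
        return False
    return all(sig is not None and hmac.compare_digest(sig, make_rrsig(rr, dnskey))
               for rr, sig in answer)


if __name__ == "__main__":
    name = "www.example."
    print("pick-one validates:", validates(answer_any_pick_one(build_signed_zone(), name)))
    print("HINFO, no key:     ", validates(answer_any_hinfo(build_signed_zone(), name)))
    print("HINFO, with key:   ", validates(answer_any_hinfo(build_signed_zone(ZSK), name)))
```

The pick-one answer passes validation with nothing but the data already in the signed zone; the HINFO answer only passes when the responding server holds the signing key, and a server signing with some other key (an unrelated key on a secondary, say) produces an answer the resolver marks bogus.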