Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

Paul Vixie <> Fri, 06 March 2015 21:51 UTC

Date: Fri, 06 Mar 2015 13:51:53 -0800
From: Paul Vixie <>
To: Ralf Weber <>
Cc: Olafur Gudmundsson <>,

> Ralf Weber <>
> Friday, March 06, 2015 1:38 PM
> Moin!
> On Fri, Mar 06, 2015 at 11:14:21AM -0800, Paul Vixie wrote:
>>> Also why have
>>> you limited the this to authoritative servers?
>> this raises the point: ANY deserves its own access control list, or
>> other non-BIND equivalent. because ANY is useful for diagnostics, local
>> sysadmins ought to be able to make such queries.
> That depends. If you have other mechanisms than dig to get data out
> of your cache you don't need it.

that's a big "if". here's another: if your diagnostic tools can use some
method other than "dig" to do your debugging for you, then, again, you
don't need ANY. those are two very big "if"s.

>  I would like to see it deprecated to
> the level that no one relies on the query being answered with a record.

me too. that's why i'm saying, ACL, default "nobody".

> So even the resolver can answer with NOTIMP.

any RCODE other than 0 or 3 will cause spectacularly bad storms. i
prefer RCODE=0/ANCOUNT=0 to refuse "ANY".

>> this way lies madness. you can't know that a validator has no reasonable
>> intent behind an RRSIG query.
> I can not see how there is a reason for a validator to issue an RRSIG
> query, and I do not know of a validator that does this (there might
> be).

i heard several people enumerate the TCP initiators they could think of,
when arguing about whether to change the client's behaviour to
"keepopen". as i said there-- our ability to enumerate means precisely
nothing: if someone somewhere coded a reasonable expectation based on
RFC text and tested to work, then we have to act as if there are an
unknown, and treat as unknowable, but real and relevant set of users of
that encoding.

>  RRSIG is as complex as the ANY query as you have to look for all
> resource record types and not just one. We don't need to include that
> in this draft, but the complexity of the query is higher than a normal
> query and the use of it is way lower (IMHO it is not needed).

if you want to change how DNSSEC works, i'll listen. but there's no
reasonable interpretation of past or current specifications by which
QTYPE=RRSIG can be categorized a "meta-query". (unlike
QTYPE=ANY/IXFR/AXFR, or RD=0 when speaking to a recursive-only server.)

> Just two quick datapoints I got. On a recursive server farm of a
> medium ISP (that doesn't do validation, but has its servers DNSSEC enabled)
> out of a total of 15 billion queries a day there were 6 RRSIG queries,
> and on an authoritative server for a DNSSEC secured domain that has
> around 2 million queries a day there were 7 RRSIG queries. So maybe we
> deprecate it before people use it more ;-).

you could multiply all those numbers by six trillion, and they would
still not be relevant to the standard of care by which the DNS
specification must evolve.

Paul Vixie
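As an added illustration of the ANY handling Vixie argues for above (a dedicated ACL whose default is "nobody", and a refusal that is RCODE=0 with ANCOUNT=0 rather than NOTIMP), here is a constructed Python sketch. It is not code from BIND or any other resolver; the ACL ranges, message builders and function names are assumptions made for the example.

```python
import ipaddress
import struct

# Constructed example, not resolver code: a per-QTYPE ACL for ANY and the
# RCODE=0/ANCOUNT=0 refusal, which is what a client sees for an empty name
# rather than the NOTIMP (RCODE=4) the draft proposes.
QTYPE_ANY = 255
RCODE_NOERROR = 0

# Hypothetical ACL: only these local diagnostic ranges may ask ANY.
# Pass an empty list to get the default, which is "nobody".
ANY_ACL = [ipaddress.ip_network("127.0.0.0/8"),
           ipaddress.ip_network("2001:db8:53::/48")]

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(qid, name, qtype, rd=True):
    """Constructed query: header with RD set, one question, class IN."""
    flags = 0x0100 if rd else 0
    return (struct.pack("!6H", qid, flags, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))

def parse_header(msg):
    """Return (id, qr, rcode, qdcount, ancount, qtype) of a one-question message."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    pos = 12
    while msg[pos] != 0:          # walk the labels; no compression here
        pos += msg[pos] + 1
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return qid, flags >> 15, flags & 0xF, qd, an, qtype

def any_allowed(client_ip, acl=ANY_ACL):
    """ACL check for ANY; an empty ACL admits nobody."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)

def refuse_any(query, client_ip, acl=ANY_ACL):
    """None means serve normally; otherwise the RCODE=0/ANCOUNT=0 reply."""
    qid, _qr, _rcode, qd, _an, qtype = parse_header(query)
    if qtype != QTYPE_ANY or any_allowed(client_ip, acl):
        return None
    flags = struct.unpack("!H", query[2:4])[0]
    # QR=1, keep OPCODE and RD from the query, set RA, RCODE=0, no RRs at all.
    rflags = 0x8000 | (flags & 0x7900) | 0x0080
    return struct.pack("!6H", qid, rflags, qd, 0, 0, 0) + query[12:]
```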