Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

"Joe Abley" <jabley@hopcount.ca> Thu, 01 October 2015 03:28 UTC

From: Joe Abley <jabley@hopcount.ca>
To: Evan Hunt <each@isc.org>
Date: Wed, 30 Sep 2015 23:28:45 -0400
Message-ID: <0F438B6C-4797-4250-ABCA-4C5AE1D5F232@hopcount.ca>
In-Reply-To: <20151001025833.GA51655@isc.org>
References: <20150930190405.17300.40441.idtracker@ietfa.amsl.com> <20151001025833.GA51655@isc.org>
Cc: dnsop <dnsop@ietf.org>, Ólafur Guðmundsson <olafuratcloudflare.com@isc.org>
Subject: Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt


On 30 Sep 2015, at 22:58, Evan Hunt wrote:

> The new proposal to return an empty HINFO record has the advantage of
> a smaller response, but will be inconvenient for DNSSEC-signed zones,
> unless the server has access to the signing key and can generate a
> covering RRSIG. This should be mentioned in security considerations.

There are two options for a signed zone that we mentioned in the text:

1. Return an unsigned response. This will be marked as bogus, and 
trigger a QTYPE=HINFO re-query that will either return an actual signed 
HINFO from the zone or a signed proof of non-existence. We think. I 
haven't actually tested that a re-query will happen, but Olafur is 
confident. :-)

2. Sign the HINFO RR as it is synthesised (or pre-sign one, to avoid the 
edge authority servers needing access to a signing key).

> The pick-one-RRset mechanism doesn't have this problem, because
> the covering RRSIG will already exist for whichever RRset is
> returned.

That is true. However, one of the use-cases for this approach is a 
nameserver for which a search for records present at a particular owner 
name (as would normally be performed when responding to an ANY query) is 
expensive. A synthesised HINFO is cheaper, even if it's a child only a 
mother could love.


Joe
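Added example, not part of this thread or of the draft: a small model of the two ANY-refusal strategies discussed above (synthesised HINFO versus pick-one-RRset) and of how a validating resolver would treat each in a signed zone. The zone contents, the HINFO rdata and the RRSIG placeholders are constructed; no wire-format DNS is involved.

```python
"""Toy model of refuse-any strategies for a signed zone (constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    rdata: Tuple[str, ...]
    rrsig: Optional[str] = None  # covering RRSIG, present only if signed


# Constructed signed zone: every RRset already has a covering RRSIG.
SIGNED_ZONE: Dict[Tuple[str, str], RRset] = {
    ("example.com.", "A"): RRset("example.com.", "A", ("192.0.2.1",), "RRSIG(A)"),
    ("example.com.", "MX"): RRset("example.com.", "MX", ("10 mail.example.com.",), "RRSIG(MX)"),
}

# Option 2 from the mail: an HINFO pre-signed by the zone owner, so edge
# authority servers can hand it out without holding the signing key.
PRESIGNED_HINFO = RRset("example.com.", "HINFO", ("ANY-refused", "see draft"), "RRSIG(HINFO)")


def answer_any(zone: Dict[Tuple[str, str], RRset], qname: str, mode: str,
               presigned_hinfo: Optional[RRset] = None) -> Dict[str, object]:
    """Answer QTYPE=ANY without returning every RRset at qname.

    mode="hinfo":    synthesise one HINFO (cheap, no owner-name search needed);
                     unsigned unless a pre-signed one is supplied.
    mode="pick-one": return one RRset that exists at qname, with the RRSIG the
                     zone already carries for it (requires finding what exists).
    """
    if mode == "hinfo":
        rr = presigned_hinfo or RRset(qname, "HINFO", ("ANY-refused", "see draft"))
        return {"rcode": "NOERROR", "answer": [rr]}
    if mode == "pick-one":
        owned: List[RRset] = [rr for (n, _), rr in zone.items() if n == qname]
        if not owned:
            return {"rcode": "NXDOMAIN", "answer": []}
        return {"rcode": "NOERROR", "answer": [owned[0]]}
    raise ValueError(f"unknown mode {mode!r}")


def validator_accepts(zone: Dict[Tuple[str, str], RRset], response: Dict[str, object]) -> bool:
    """Option 1 in the mail: in a signed zone, an answer RRset with no covering
    RRSIG is marked bogus by a validating resolver (which then re-queries)."""
    zone_is_signed = all(rr.rrsig for rr in zone.values())
    answer: List[RRset] = response["answer"]  # type: ignore[assignment]
    return (not zone_is_signed) or all(rr.rrsig for rr in answer)
```

Run with a signed zone, the unsigned synthesised HINFO is rejected while both the pre-signed HINFO and the pick-one answer validate, which is the trade-off the thread is weighing.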