Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

Stephane Bortzmeyer <> Thu, 20 July 2017 15:27 UTC

On Wed, Jul 19, 2017 at 09:57:49PM -0000,
 John Levine <> wrote 
 a message of 38 lines which said:

> We did this in a horrible ad-hoc way with DNSSEC, and even with
> DNSSEC there's the fallback that the unsigned answers you get from a
> server that doesn't understand RRSIG et al. are for many purposes
> adequate.

I do not understand. If you sign on the master and forget to check the
slaves (for instance if they are BIND with dnssec-enable no), the
results are catastrophic for validating resolvers. You HAVE TO know
and check your secondaries. It is the same with BULK as it is with

And DNSSEC is not the only case where we introduced RRtypes where you
have to check your slaves to be sure they support it. There was also

That's why I don't share the fears about BULK: you cannot easily
deploy a new feature that will require a change in the resolvers,
because you don't know all the resolvers, and cannot change them even
if you know they are too old. But your secondaries are only a small
set of carefully chosen servers, and you have your say.
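
Added example, not part of the original message: one way to run the secondary check described above is to ask each secondary for the zone's SOA with the EDNS0 DO bit set and flag any reply that carries no RRSIG. The server names `ns1.example.` and `ns2.example.`, the helper names and the sample replies are constructed for illustration.

```python
import struct

SOA, OPT, RRSIG = 6, 41, 46          # RR type codes

def encode_name(name):
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=SOA, msg_id=0x1234):
    # One question plus an EDNS0 OPT record with the DO bit (0x8000) set;
    # without DO even a DNSSEC-capable server leaves the RRSIGs out.
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    return header + question + opt

def skip_name(msg, pos):
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:    # a compression pointer ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:              # root label ends the name
            return pos

def answer_types(msg):
    # RR types found in the answer section of a wire-format reply.
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4
    types = []
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        types.append(rtype)
        pos += 10 + rdlen
    return types

def unsigned_secondaries(responses):
    # responses maps a secondary's name to the raw reply it sent.
    return sorted(ns for ns, msg in responses.items() if RRSIG not in answer_types(msg))

def sample_response(signed):         # constructed reply for "example. SOA", filler rdata
    rrs = [(SOA, b"\x00" * 22)] + ([(RRSIG, b"\x00" * 30)] if signed else [])
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(rrs), 0, 0)
    msg += encode_name("example") + struct.pack("!HH", SOA, 1)
    for rtype, rdata in rrs:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg
```

Against live servers, send the bytes from `build_query()` to each secondary over UDP port 53 and pass the raw replies to `unsigned_secondaries()`.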