Re: [DNSOP] Resolver behaviour with multiple trust anchors
Michael StJohns <msj@nthpermutation.com> Tue, 31 October 2017 21:04 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/pV_qxogLpdOTbxpQIlKdIGQ1sU0>
On 10/31/2017 4:51 PM, Paul Hoffman wrote:
>> And once again we see the folly of the words "implementation choice"
>> when trying to come up with a coherent DNS.
>
> The full quote makes the situation murkier: it is a combination of
> implementation choice plus configuration options. Some folks on this
> list strongly prefer that, others strongly don't.

My main and only desire when querying the DNS is that given the same inputs to the system you should always get the same output. Getting different answers on something that's as important as security because you queried different implementations continues to seem to me to be a bad idea.

Having a standard default (which was not what this was) and having configuration options to change it for good reason is different than "which to use is a matter of implementation choice".

Later, Mike