Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]
Mark Andrews <marka@isc.org> Wed, 11 November 2015 02:31 UTC
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/peWdxU7usML5y3rbTkYlXvxsvjs>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>, "Wessels, Duane" <dwessels@verisign.com>
In message <20151111020725.34CE83C82BB6@rock.dv.isc.org>, Mark Andrews writes:
> In message <A62EC834-C954-446C-9F7A-AB6D1F955C7F@verisign.com>, "Wessels, Duane" writes:
> >
> > I think the WG needs to discuss and agree whether or not to make the
> > NXDOMAIN cut based on QNAME only, or on the SOA owner name. If the
> > goal is to thwart random qname attacks, then it would be better to
> > use the SOA (or hope for wide adoption of qname minimization).

How can the NXDOMAIN be based on the SOA owner name? It identifies
the administrative boundary not whether names exist or not.

NSEC / NSEC3 can thwart random qname as those define the containing
namespace. <random>.existing.name.example can't be thwarted by looking
for parent NXDOMAINs as they don't exist.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org
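
Added example (not part of the message above or of the draft): a Python sketch comparing an NXDOMAIN cut keyed on previously denied names with denial derived from NSEC ranges, for the `<random>.existing.name.example` case raised in the reply. The zone contents, names and function names are constructed for illustration, and query names are assumed to lie inside the zone.

```python
# Added illustration; the zone and all names below are constructed.

def key(name):
    """Canonical DNS ordering key: lowercase labels, compared right to left."""
    return tuple(l.encode() for l in reversed(name.lower().rstrip(".").split(".")))

def is_under(name, ancestor):
    """True if name equals ancestor or is a descendant of it."""
    k, a = key(name), key(ancestor)
    return k[:len(a)] == a

# Constructed signed zone "example": the apex plus two names.
# name.example has no records of its own (empty non-terminal).
NSEC_CHAIN = [
    ("example", "existing.name.example"),
    ("existing.name.example", "www.example"),
    ("www.example", "example"),  # last NSEC wraps back to the apex
]

def nsec_denies(qname, chain=NSEC_CHAIN):
    """True if a cached NSEC range proves qname does not exist."""
    q = key(qname)
    for owner, nxt in chain:
        o, n = key(owner), key(nxt)
        covered = (o < q < n) if o < n else (q > o or q < n)
        # An ancestor of the next owner is an empty non-terminal:
        # it exists (NODATA), so it must not be reported as NXDOMAIN.
        if covered and not is_under(nxt, qname):
            return True
    return False

def cut_denies(qname, cached_nxdomain_names):
    """NXDOMAIN cut: deny qname if it is at or below a cached NXDOMAIN name."""
    return any(is_under(qname, n) for n in cached_nxdomain_names)

def demo():
    rand = "r4nd0m.existing.name.example"
    return {
        # No ancestor of rand was ever NXDOMAIN, so the cut cannot apply.
        "cut_random_under_existing": cut_denies(rand, {"missing.example"}),
        # The NSEC range after existing.name.example covers it.
        "nsec_random_under_existing": nsec_denies(rand),
        # Treating the SOA owner (zone apex) as a cut denies a real name.
        "soa_owner_as_cut_denies_www": cut_denies("www.example", {"example"}),
        "nsec_denies_www": nsec_denies("www.example"),
    }

if __name__ == "__main__":
    print(demo())
```
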