Re: [DNSOP] CD bit (was Re: Whiskey Tango Foxtrot on key lengths...)

Andrew Sullivan <> Wed, 02 April 2014 04:28 UTC

Date: Wed, 2 Apr 2014 00:27:57 -0400
From: Andrew Sullivan <>
Subject: Re: [DNSOP] CD bit (was Re: Whiskey Tango Foxtrot on key lengths...)

On Wed, Apr 02, 2014 at 02:23:50PM +1100, Mark Andrews wrote:

> And I pointed out before RFC 6840 was published that the appendix
> was incomplete in its analysis.

For whatever it's worth, my recollection is that, among other things,
you offered the sort of calm, reasoned, fully-explained analysis that
you and Nick Weaver seem to be competing to offer in this discussion,
with the all-caps lines and everything.  But in any case, since that
was another WG and since that document is published, I'm not sure of
the value in debating the history.

There _is_ discussion of some of these issues in 6840, and I think it
is helpful for people to have read it.  It would not surprise me, of
course, if it turned out that 6840 or any other document about the DNS
turned out to have some issues.

> Actually it does as it shows that recursive servers need to validate.

No, it shows that under some use cases the recursive server will
provide better results if it validates, which is subtly different from
what you say there.  "Need to" is too strong.  "Undesirable things
happen if not" might be true.

Best regards,


Andrew Sullivan