Re: [DNSOP] Proposal for a new record type: SNI

Mark Andrews <marka@isc.org> Tue, 21 February 2017 01:42 UTC

To: Phillip Hallam-Baker <phill@hallambaker.com>
From: Mark Andrews <marka@isc.org>
References: <CAHbrMsA278usgFNzxhrsLS6_EfXPeMoAKN65ec0YhCW93oKNYg@mail.gmail.com> <20170217220309.9637.qmail@ary.lan> <CAHbrMsAdgRU6g4E6wCCA0zs6p=yTU4VJE3UWzvsuU5JAtnxaWQ@mail.gmail.com> <alpine.OSX.2.20.1702172143530.94448@ary.qy> <CAHbrMsApypey9WRvFMzAPupjmts-sdG9N=zuwtP=PZ1cxV=rvg@mail.gmail.com> <alpine.OSX.2.20.1702182014260.99706@ary.qy> <alpine.DEB.2.11.1702201458030.23970@grey.csi.cam.ac.uk> <CAMm+LwjzZ0M4Yt6bpWKXCuKw_Tq4MYNUNTAwNX5azKnCOEDHQg@mail.gmail.com> <CAHbrMsAFn4VfXaOdP7p8vYv-v4_0h_5siQ+QB_S1eMX7-6D68A@mail.gmail.com> <CAMm+Lwj1JZLUh6K1ipYjW_989u6ea+tYHHps4Gavf_d=sVNzJA@mail.gmail.com>
In-reply-to: Your message of "Mon, 20 Feb 2017 19:06:37 -0500." <CAMm+Lwj1JZLUh6K1ipYjW_989u6ea+tYHHps4Gavf_d=sVNzJA@mail.gmail.com>
Date: Tue, 21 Feb 2017 12:42:30 +1100
Message-Id: <20170221014230.ACBFF643FBCF@rock.dv.isc.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/xfeHrdtZRhF5ciVaLOUvw4GJgRU>
Cc: Ben Schwartz <bemasc@google.com>, Tony Finch <dot@dotat.at>, "dnsop@ietf.org" <dnsop@ietf.org>
Subject: Re: [DNSOP] Proposal for a new record type: SNI

In message <CAMm+Lwj1JZLUh6K1ipYjW_989u6ea+tYHHps4Gavf_d=sVNzJA@mail.gmail.com>
, Phillip Hallam-Baker writes:
> On Mon, Feb 20, 2017 at 4:08 PM, Ben Schwartz <bemasc@google.com> wrote:
>
> > On Mon, Feb 20, 2017 at 3:39 PM, Phillip Hallam-Baker <
> > phill@hallambaker.com> wrote:
> >
> >> I really don't like the proposal at all. The idea of beginning the TLS
> >> handshake in DNS is sound. But it is a completely new handshake and
> >> authentication layer.
> >>
> >
> > What you're proposing does sound like a completely new handshake.  To be
> > clear, this proposal makes no change to TLS.
> >
>
> Well there is your problem. There is little point in doing this unless you
> feed the result into the TLS handshake to follow.
>
>
> >> Right now we have a bit of a mess with service discovery. We have a solid
> >> proposal that makes sense written up as a standard
> >>
> >
> > Could you point me to which document you're referring to?
> >
>
> https://tools.ietf.org/html/rfc6763
>
>
>
> >> and we have a lot of folk saying we should do something different, either
> >> for legacy reasons or because they find it impure.
> >>
> >> The solid proposal is as follows:
> >>
> >> * Discover all services using SRV *without exception*
> >>
> >> * Use TXT records to provide additional data *that is required for
> >> discovery and binding*
> >>
> >> * TXT records may be bound to the service definition, thus covering all
> >> hosts or be bound to a specific host instance.
> >>
> >> * Domain names used for services MAY use CNAME or DNAME. Domain names
> >> that identify services MUST NOT.
> >>
> >
> > I'm not sure I understand this distinction.
> >
>
> Ooops...
>
> Domain names that identify HOSTS MUST NOT.
>
> A service is an abstract Internet service which may be provided by any
> host chosen from group of hosts specified in an SRV record. A host is a
> physical machine.
>
> SRV records map services to hosts.
> A and AAAA records map hosts to IP addresses.
>
>
> > How many DNS and destination roundtrips does this require?  My impression
> > is that SRV records have proven unpopular in part because they generally
> > add a DNS roundtrip delay to each initial connection.
> >
>
> One if it is done right.

Zero if it is done right.  We can easily extend the DNS to say
"Fetch the additional record for the SRV records before answering"
if you have this EDNS option present or just have the server do it
without the option.  There is nothing preventing a recursive server
just doing this today.

This is the essential difference between a CNAME and SRV records
as far as browser vendors are concerned.  Waiting for the "full"
answer rather than returning a partial answer when there are no
cached address records.

We already have RFCs that say go lookup missing data before constructing
a response.  We do this for DNS64.  We do this for CNAME.

If the SRV prefix is _http._tcp or _https._tcp then the recursive
server SHOULD fetch any missing additional address records for the
SRV server including CNAME records if the server name maps to a
CNAME and add them to the additional section prior to returning the
response.  You could even just do this for all SRV lookups.

An RFC saying something like this would solve the SRV issue over the
long term as recursive servers get replaced.  Unfortunately browser
vendors don't seem to want to say "yes, we will add SRV support if
you change the DNS to do this".

And if they have an issue with the prefix one can allocate new TYPE(s)
for class IN that do the same as SRV records but are for http and https.

Service to address can be done with a single lookup and can include the
TLSA records as well.

This is a server that prefetches missing additional data and knows
about looking up TLSA records.  You will notice that the additional
section gets populated just by the client looking up MX records.  If
you ask with DO=1 you can even get validatable results.

Mark

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50368
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 5d5611ff91b234cea8fc5d2858ab99833bfd56c3a5adef30 (good)
;; QUESTION SECTION:
;isc.org.			IN	MX

;; ANSWER SECTION:
isc.org.		7200	IN	MX	20 mx.ams1.isc.org.
isc.org.		7200	IN	MX	10 mx.pao1.isc.org.
isc.org.		7200	IN	RRSIG	MX 5 2 7200 20170322234053 20170220234053 13953 isc.org. gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; Query time: 2435 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:03 EST 2017
;; MSG SIZE  rcvd: 279

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47874
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 577d2fa83b7277682a8675f358ab9986654bdc6b80e4161c (good)
;; QUESTION SECTION:
;isc.org.			IN	MX

;; ANSWER SECTION:
isc.org.		7197	IN	MX	20 mx.ams1.isc.org.
isc.org.		7197	IN	MX	10 mx.pao1.isc.org.
isc.org.		7197	IN	RRSIG	MX 5 2 7200 20170322234053 20170220234053 13953 isc.org. gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.	3599	IN	A	149.20.64.53
mx.pao1.isc.org.	3599	IN	RRSIG	A 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:06 EST 2017
;; MSG SIZE  rcvd: 467

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64268
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: eb9c5203e623a5489e068cae58ab9988f7a5f11cc716a2df (good)
;; QUESTION SECTION:
;isc.org.			IN	MX

;; ANSWER SECTION:
isc.org.		7195	IN	MX	10 mx.pao1.isc.org.
isc.org.		7195	IN	MX	20 mx.ams1.isc.org.
isc.org.		7195	IN	RRSIG	MX 5 2 7200 20170322234053 20170220234053 13953 isc.org. gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.	3597	IN	A	149.20.64.53
mx.pao1.isc.org.	3598	IN	AAAA	2001:4f8:0:2::2b
mx.pao1.isc.org.	3597	IN	RRSIG	A 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.	3598	IN	RRSIG	AAAA 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:08 EST 2017
;; MSG SIZE  rcvd: 667

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6978
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 1a50a8309bac059e81215eed58ab998ad77ca4375f67865f (good)
;; QUESTION SECTION:
;isc.org.			IN	MX

;; ANSWER SECTION:
isc.org.		7193	IN	MX	10 mx.pao1.isc.org.
isc.org.		7193	IN	MX	20 mx.ams1.isc.org.
isc.org.		7193	IN	RRSIG	MX 5 2 7200 20170322234053 20170220234053 13953 isc.org. gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.	3595	IN	A	149.20.64.53
mx.pao1.isc.org.	3596	IN	AAAA	2001:4f8:0:2::2b
mx.pao1.isc.org.	3595	IN	RRSIG	A 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.	3596	IN	RRSIG	AAAA 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=
_25._tcp.mx.pao1.isc.org. 3598	IN	RRSIG	TLSA 5 6 3600 20170322234239 20170220234239 56778 pao1.isc.org. VnV0NTtAdpvfqpLaS2zF4IDKjIN97YPuKSmZ1tXrMLvoVlxutwPiH6El cTCQe/1Pi3QTqTFWr3kste3zIxDgAnnbmCKPbQDH2qsf67MBKM/Rv01O 1jmny3qM18Oqhsf+XTMsYEPe/YYsJzyw9aNydqI2egzkb4X8mpCTl+ge di4=
_25._tcp.mx.pao1.isc.org. 3598	IN	TLSA	3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:10 EST 2017
;; MSG SIZE  rcvd: 895

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50265
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 1143a155c849920e213ee6cf58ab998f2fc22d8d9cdeb566 (good)
;; QUESTION SECTION:
;isc.org.			IN	MX

;; ANSWER SECTION:
isc.org.		7188	IN	MX	10 mx.pao1.isc.org.
isc.org.		7188	IN	MX	20 mx.ams1.isc.org.
isc.org.		7188	IN	RRSIG	MX 5 2 7200 20170322234053 20170220234053 13953 isc.org. gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.	3590	IN	A	149.20.64.53
mx.ams1.isc.org.	3597	IN	A	199.6.1.65
mx.pao1.isc.org.	3591	IN	AAAA	2001:4f8:0:2::2b
mx.pao1.isc.org.	3590	IN	RRSIG	A 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.	3591	IN	RRSIG	AAAA 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=
_25._tcp.mx.pao1.isc.org. 3593	IN	RRSIG	TLSA 5 6 3600 20170322234239 20170220234239 56778 pao1.isc.org. VnV0NTtAdpvfqpLaS2zF4IDKjIN97YPuKSmZ1tXrMLvoVlxutwPiH6El cTCQe/1Pi3QTqTFWr3kste3zIxDgAnnbmCKPbQDH2qsf67MBKM/Rv01O 1jmny3qM18Oqhsf+XTMsYEPe/YYsJzyw9aNydqI2egzkb4X8mpCTl+ge di4=
mx.ams1.isc.org.	3597	IN	RRSIG	A 5 4 3600 20170322234059 20170220234059 13926 ams1.isc.org. AWHYspeFvJNWrYl78Q4XNnrhIFTUgYS40RUD8tYK0lJ/cIm61yMVzfSJ 5goMRIDXGDBFCAhkNoh7Ld09hfxI4rP6p0pxSRZIbuBj/CQDQ9e8/Wry o4WfRnKajj80/aU4p+68JNg8Fy92s2s/MWqsfBbtJ35Bubc4Qq33rvTE YYE=
_25._tcp.mx.pao1.isc.org. 3593	IN	TLSA	3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:15 EST 2017
;; MSG SIZE  rcvd: 1083

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24483
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 0d0910d171a5c357fa78b5e458ab999a280908b6527ae8bb (good)
;; QUESTION SECTION:
;isc.org.			IN	MX

;; ANSWER SECTION:
isc.org.		7177	IN	MX	10 mx.pao1.isc.org.
isc.org.		7177	IN	MX	20 mx.ams1.isc.org.
isc.org.		7177	IN	RRSIG	MX 5 2 7200 20170322234053 20170220234053 13953 isc.org. gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.	3579	IN	A	149.20.64.53
mx.ams1.isc.org.	3586	IN	A	199.6.1.65
mx.pao1.isc.org.	3580	IN	AAAA	2001:4f8:0:2::2b
mx.ams1.isc.org.	3589	IN	AAAA	2001:500:60::65
mx.pao1.isc.org.	3579	IN	RRSIG	A 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.	3580	IN	RRSIG	AAAA 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=
_25._tcp.mx.pao1.isc.org. 3582	IN	RRSIG	TLSA 5 6 3600 20170322234239 20170220234239 56778 pao1.isc.org. VnV0NTtAdpvfqpLaS2zF4IDKjIN97YPuKSmZ1tXrMLvoVlxutwPiH6El cTCQe/1Pi3QTqTFWr3kste3zIxDgAnnbmCKPbQDH2qsf67MBKM/Rv01O 1jmny3qM18Oqhsf+XTMsYEPe/YYsJzyw9aNydqI2egzkb4X8mpCTl+ge di4=
mx.ams1.isc.org.	3586	IN	RRSIG	A 5 4 3600 20170322234059 20170220234059 13926 ams1.isc.org. AWHYspeFvJNWrYl78Q4XNnrhIFTUgYS40RUD8tYK0lJ/cIm61yMVzfSJ 5goMRIDXGDBFCAhkNoh7Ld09hfxI4rP6p0pxSRZIbuBj/CQDQ9e8/Wry o4WfRnKajj80/aU4p+68JNg8Fy92s2s/MWqsfBbtJ35Bubc4Qq33rvTE YYE=
mx.ams1.isc.org.	3589	IN	RRSIG	AAAA 5 4 3600 20170322234059 20170220234059 13926 ams1.isc.org. RsCprRb3PCx0I6U5H+F5QVGNZhg978B1UJCHP/OEoZ8tK0cPZFyiXKk/ BhKeW9QjuDPWg2oYEXYmggowvMy3lWxlOODA161vD1DPaaS79lxCSp19 4GRmdl1146FYZD+jFi2OHsOpn2cTcXtw4bAK4KG9YiFytOBEftD58q3B h+g=
_25._tcp.mx.pao1.isc.org. 3582	IN	TLSA	3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:36:26 EST 2017
;; MSG SIZE  rcvd: 1283

[rock:~/git/bind9-marka] marka% dig mx isc.org +dnssec
;; BADCOOKIE, retrying.

; <<>> DiG 9.12.0-pre-alpha+hotspot+add-prefetch+marka <<>> mx isc.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58776
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 13

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 9a370fc4fe12b2f891fb40ef58ab9a32f9725da6e638d98c (good)
;; QUESTION SECTION:
;isc.org.			IN	MX

;; ANSWER SECTION:
isc.org.		7025	IN	MX	20 mx.ams1.isc.org.
isc.org.		7025	IN	MX	10 mx.pao1.isc.org.
isc.org.		7025	IN	RRSIG	MX 5 2 7200 20170322234053 20170220234053 13953 isc.org. gH/RpE45SX9aZTGEWmIHcCGYN8ihF/4H3RwYuVkfMPlrZKc/5OsRSuXd AP6wxYgBWNpTWKK3Rl/tCWkDiW9bHA+XjEvhMLeYabdr8Zt8zbXrLFGc mcRGE34YA0uPKkNqTVKjWU6uqFrKkEjxoQU+bWkDnlyd71FRhxIcdZSS hGQ=

;; ADDITIONAL SECTION:
mx.pao1.isc.org.	3427	IN	A	149.20.64.53
mx.ams1.isc.org.	3434	IN	A	199.6.1.65
mx.pao1.isc.org.	3428	IN	AAAA	2001:4f8:0:2::2b
mx.ams1.isc.org.	3437	IN	AAAA	2001:500:60::65
mx.pao1.isc.org.	3427	IN	RRSIG	A 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. lCq2rUOEhMVaUReRtetEQpn3ceuw5Y0vJq8wU7quPsrmFLN7SYMtLgyZ DzVAHJThrrO1WERjz2uA3PTkG4KSQFpRCDC33wTWi9hWsdTapgYablmO tOK/uOabKX8invwG/R7EVZ9KQ1lRamtn8gWDRI77NLQ3PWcV+4BnydaG 8bk=
mx.pao1.isc.org.	3428	IN	RRSIG	AAAA 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. rOGdKaW/50E/UWD1Ko0rWwcMDJa9gp2tlX+LS1yoHm95TNZ6v5ZIxugj WUPl73nG3mJ8S15/rP+CLz6twIDJkFi5eCS7wXEmBXjuCVJfBhqDzIVJ tA+9AalM44j77nZpn71FWi50EW8M7NVV89c8BxdOkHtV/o4RjvVEs1iU GV0=
_25._tcp.mx.pao1.isc.org. 3430	IN	RRSIG	TLSA 5 6 3600 20170322234239 20170220234239 56778 pao1.isc.org. VnV0NTtAdpvfqpLaS2zF4IDKjIN97YPuKSmZ1tXrMLvoVlxutwPiH6El cTCQe/1Pi3QTqTFWr3kste3zIxDgAnnbmCKPbQDH2qsf67MBKM/Rv01O 1jmny3qM18Oqhsf+XTMsYEPe/YYsJzyw9aNydqI2egzkb4X8mpCTl+ge di4=
mx.ams1.isc.org.	3434	IN	RRSIG	A 5 4 3600 20170322234059 20170220234059 13926 ams1.isc.org. AWHYspeFvJNWrYl78Q4XNnrhIFTUgYS40RUD8tYK0lJ/cIm61yMVzfSJ 5goMRIDXGDBFCAhkNoh7Ld09hfxI4rP6p0pxSRZIbuBj/CQDQ9e8/Wry o4WfRnKajj80/aU4p+68JNg8Fy92s2s/MWqsfBbtJ35Bubc4Qq33rvTE YYE=
mx.ams1.isc.org.	3437	IN	RRSIG	AAAA 5 4 3600 20170322234059 20170220234059 13926 ams1.isc.org. RsCprRb3PCx0I6U5H+F5QVGNZhg978B1UJCHP/OEoZ8tK0cPZFyiXKk/ BhKeW9QjuDPWg2oYEXYmggowvMy3lWxlOODA161vD1DPaaS79lxCSp19 4GRmdl1146FYZD+jFi2OHsOpn2cTcXtw4bAK4KG9YiFytOBEftD58q3B h+g=
_25._tcp.mx.ams1.isc.org. 3448	IN	RRSIG	TLSA 5 6 3600 20170322234059 20170220234059 13926 ams1.isc.org. IFlqqd2rOCNA/9lj++bw1UnlpwpvNE4AcgFpNj1JFwhHUvW6lbEWBjVY nYraYR1OMypOC+GxFxpxiSfTo+17V9j+PomD4tj7HeFVJNDteE1Uqqs9 iSfFj6pdtKK+DkA04svaO2CIKLONd/TabDb2f8fOMa7AFH/H6cSN69Qt uz4=
_25._tcp.mx.pao1.isc.org. 3430	IN	TLSA	3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0
_25._tcp.mx.ams1.isc.org. 3448	IN	TLSA	3 0 1 5EF9B10DA21B2711522982EAD699FBABE77FD07FF07AC810608A85DA 66AFE916

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 21 12:38:58 EST 2017
;; MSG SIZE  rcvd: 1511

[rock:~/git/bind9-marka] marka% 



> You are going to want to lock down your client to resolver DNS and you
> might as well fix the protocol at the same time. That is why standardizing
> on DNS-SD for everything is the way to go.
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
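As an added example (not ISC/BIND code and not part of Mark's message), a small Python check that parses dig output like the sessions above and reports, for each MX/SRV target, whether the resolver already returned its A/AAAA and TLSA records in the additional section, whether each of those RRsets has an RRSIG beside it, and whether the AD flag was set (a prefetched TLSA record is only usable for DANE when it was). The embedded sample is constructed from the fourth snapshot above with the signature data shortened.

```python
"""Audit a resolver answer for prefetched additional data (added example,
not ISC/BIND code). Parses dig's text output and reports which MX/SRV
targets already have A/AAAA and TLSA in ADDITIONAL, which of those RRsets
lack an RRSIG, and whether the AD flag is set. SAMPLE is constructed."""
import re

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+); QUERY")

def parse_dig(text):
    """Return (header flags, {section: [(owner, ttl, type, rdata)]})."""
    flags, sections, current = set(), {}, None
    for line in text.splitlines():
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group(1).split())
        elif line.startswith(";; ") and line.endswith(" SECTION:"):
            current = line[3:-len(" SECTION:")]       # ANSWER, ADDITIONAL, ...
        elif line and not line.startswith(";") and current:
            parts = line.split(None, 4)               # owner ttl class type rdata
            if len(parts) >= 4:
                rdata = parts[4] if len(parts) == 5 else ""
                sections.setdefault(current, []).append((parts[0], int(parts[1]), parts[3], rdata))
    return flags, sections

def audit_additional(text):
    """Summarise what the resolver pre-populated and what is left unsigned."""
    flags, sections = parse_dig(text)
    present, signed = set(), set()
    for owner, _ttl, rtype, rdata in sections.get("ADDITIONAL", []):
        if rtype == "RRSIG":
            signed.add((owner, rdata.split()[0]))    # RRSIG rdata starts with covered type
        else:
            present.add((owner, rtype))
    # MX and SRV rdata both end with the target host name
    targets = {rdata.split()[-1] for _o, _t, rtype, rdata in sections.get("ANSWER", [])
               if rtype in ("MX", "SRV")}
    with_addr = {o for o, t in present if t in ("A", "AAAA")}
    return {
        "validated": "ad" in flags,                  # DO=1 answer passed DNSSEC validation
        "targets": sorted(targets),
        "addresses_for": sorted(with_addr),
        "missing_addresses": sorted(targets - with_addr),   # still need a separate lookup
        "tlsa_for": sorted(o for o, t in present if t == "TLSA"),
        "unsigned": sorted(present - signed),        # RRsets in ADDITIONAL with no RRSIG
    }

SAMPLE = """\
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 7

;; ANSWER SECTION:
isc.org.\t\t7193\tIN\tMX\t10 mx.pao1.isc.org.
isc.org.\t\t7193\tIN\tMX\t20 mx.ams1.isc.org.

;; ADDITIONAL SECTION:
mx.pao1.isc.org.\t3595\tIN\tA\t149.20.64.53
mx.pao1.isc.org.\t3596\tIN\tAAAA\t2001:4f8:0:2::2b
mx.pao1.isc.org.\t3595\tIN\tRRSIG\tA 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. <sig>
mx.pao1.isc.org.\t3596\tIN\tRRSIG\tAAAA 5 4 3600 20170322234239 20170220234239 56778 pao1.isc.org. <sig>
_25._tcp.mx.pao1.isc.org. 3598\tIN\tRRSIG\tTLSA 5 6 3600 20170322234239 20170220234239 56778 pao1.isc.org. <sig>
_25._tcp.mx.pao1.isc.org. 3598\tIN\tTLSA\t3 0 1 71903FF43D60CA91BDB7AA0DFE9C247B1A2C5A6002C436451C3C1684 0C607AE0
"""

if __name__ == "__main__":
    print(audit_additional(SAMPLE))
```

On the sample this reports that mx.pao1.isc.org. is fully prefetched and signed while mx.ams1.isc.org. still needs its own lookup, which is exactly the state the fourth dig run above shows.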