Re: [IAB] last call discussion status on draft-iab-2870bis

manning bill <bmanning@isi.edu> Fri, 06 March 2015 00:05 UTC

Return-Path: <bmanning@isi.edu>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B8111A909A; Thu, 5 Mar 2015 16:05:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TziinePvod8b; Thu, 5 Mar 2015 16:05:15 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6460E1A90A2; Thu, 5 Mar 2015 16:05:05 -0800 (PST)
Received: from [198.32.4.206] ([198.32.4.206]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id t2603mq9004324 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 5 Mar 2015 16:03:59 -0800 (PST)
Subject: Re: [IAB] last call discussion status on draft-iab-2870bis
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
Content-Type: text/plain; charset="windows-1252"
From: manning bill <bmanning@isi.edu>
In-Reply-To: <20150305235743.8791F2AFAA23@rock.dv.isc.org>
Date: Thu, 05 Mar 2015 16:03:48 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <967372BF-F4D6-40A9-8394-09D25EF456FD@isi.edu>
References: <20140520204238.21772.64347.idtracker@ietfa.amsl.com> <500031A0-DF45-409E-AACB-F79C32032E38@viagenie.ca> <4B545BEB-EA0E-4BA8-A45E-15AF12CDB1EC@piuha.net> <20150305044122.4185F2AEEC2D@rock.dv.isc.org> <EC564286-9A5E-4702-A8ED-B2C8E404E68A@piuha.net> <6056F80B-2188-4E52-AE18-35E84BA98147@vpnc.org> <20150305214829.014352AF885A@rock.dv.isc.org> <20150305232806.GG1197@mx1.yitter.info> <20150305235743.8791F2AFAA23@rock.dv.isc.org>
To: Mark Andrews <marka@isc.org>
X-Mailer: Apple Mail (2.1878.6)
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: bmanning@isi.edu
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/zlxD9swCYMZCuuc5FJxCpvRoFy8>
X-Mailman-Approved-At: Fri, 06 Mar 2015 08:05:50 -0800
Cc: IAB <iab@iab.org>, Paul Hoffman <paul.hoffman@vpnc.org>, IETF Discussion List <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 00:05:18 -0000

wait… is RFC 2870bis for TLDs or the roots?  (I’ll note that conflation of roots and TLDs was part of the problem with RFC 2870…)

/bill
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On Thursday, 5 March 2015, at 15:57, Mark Andrews <marka@isc.org> wrote:

> 
> In message <20150305232806.GG1197@mx1.yitter.info>, Andrew Sullivan writes:
>> On Fri, Mar 06, 2015 at 08:48:27AM +1100, Mark Andrews wrote:
>>> required.  Yes, there are servers that do DNSSEC but don't correctly
>>> handle DO (it is not echoed in the response).  The current root
>>> servers do not exhibit this misbehaviour.  This, however, comes
>>> from requiring DNSSEC support, not EDNS support.
>> 
>> I would like to understand exactly what you mean by, "Do DNSSEC but
>> don't correctly handle DO."  That sounds to me like the kind of do
>> DNSSEC, not that they do it properly.  DNSSEC requires EDNS0, full
>> stop; therefore any additional text on the matter is unnecessary.
> 
> To get the DNSSEC records added to the responses the server needs
> to be able to see the DO=1 bit.  It does not need to properly handle
> unknown EDNS options.  It does not need to properly handle unknown
> flags.  It does not need to properly handle EDNS version != 0.  It
> does not need to fully handle DO by adding DO=1 to the response.
> 
> I'm sure all the TLD operators listed in tld-report.html [1] with
> broken implementations think they are doing EDNS correctly.
> 
> [1] http://users.isc.org/~marka/tld-report.html
> 
> When only 65% of the world gets EDNS support right, I don't think it
> unreasonable to make fully compliant EDNS support a requirement.
> 
>> Moreover, see upthread the exchange between Bill Manning and John
>> Klensin.  I think if we have a root server operator that starts
>> running some dodgy implementation of some name server code, the root
>> server operators are going to have a worse day of it than the IETF.  I
>> think we should specify exactly what we need and no more.  Since
>> DNSSEC entails EDNS0 support, we're done.
>> 
>> Best regards,
>> 
>> A
>> 
>> -- 
>> Andrew Sullivan
>> ajs@anvilwalrusden.com
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
>
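The distinction Mark draws in the quoted message (a server that returns RRSIG records because it saw DO=1, versus one that also echoes DO=1 in its own OPT RR and answers BADVERS to an EDNS version it does not support) can be checked mechanically on the wire. What follows is an added example written for this page; it is not ISC code and not the script behind tld-report.html. It builds the query and the OPT pseudo-RR by hand from the RFC 6891 layout, and the four server replies it classifies are constructed inline (the RRSIG RDATA is placeholder bytes, the A record points at 192.0.2.1) rather than captured from any real root or TLD server.

```python
"""Offline EDNS/DO conformance check (added example, not ISC's tld-report code).

Builds a DNS query carrying an OPT pseudo-RR (RFC 6891) and classifies a
response by the behaviours discussed in the thread: did the server include
DNSSEC records (RRSIG), did it echo the DO bit in its own OPT RR, and did it
answer BADVERS to an unsupported EDNS version.
"""
import struct

OPT, RRSIG, A = 41, 46, 1
DO = 0x8000            # DO is the high bit of the 16-bit OPT flags field
BADVERS = 16           # 12-bit RCODE: extended 1 in the OPT RR, base 0 in the header


def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:        # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def opt_rr(udp_size=4096, version=0, flags=0, ext_rcode=0, rdata=b""):
    # OPT pseudo-RR: NAME = root, TYPE = 41, CLASS = UDP payload size,
    # TTL = extended RCODE(8) | version(8) | flags(16), then RDLEN/RDATA.
    ttl = (ext_rcode << 24) | (version << 16) | flags
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, len(rdata)) + rdata


def build_query(name, qtype, txid=0x1234, do=True, version=0):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    return header + question + opt_rr(version=version, flags=DO if do else 0)


def build_response(query, answers, opt):
    """Constructed server reply: echoes the question, then answers, then OPT (or none)."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 1 if opt else 0)
    return hdr + question + b"".join(answers) + (opt or b"")


def parse_response(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    info = {"rcode": flags & 0xF, "has_opt": False, "do": False, "version": None, "rrsig": False}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == RRSIG:
            info["rrsig"] = True
        elif rtype == OPT:
            info["has_opt"] = True
            info["version"] = (ttl >> 16) & 0xFF
            info["do"] = bool(ttl & DO)
            info["rcode"] |= ((ttl >> 24) & 0xFF) << 4   # extended RCODE is the upper 8 bits
    return info


def classify(info):
    if not info["has_opt"]:
        return "no-edns"                       # server ignored the OPT RR entirely
    if info["rcode"] == BADVERS:
        return "badvers"                       # correct reply to an unsupported version
    if info["rrsig"] and not info["do"]:
        return "dnssec-without-do-echo"        # the case described in the thread
    if info["rrsig"] and info["do"]:
        return "compliant"
    return "edns-no-dnssec"


def check_samples():
    """Classify four constructed replies to a DO=1 query for example./A."""
    q = build_query("example.", A)
    a = b"\xc0\x0c" + struct.pack("!HHIH", A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig = b"\xc0\x0c" + struct.pack("!HHIH", RRSIG, 1, 300, 20) + b"\x00" * 20  # placeholder RDATA
    return {
        "good": classify(parse_response(build_response(q, [a, sig], opt_rr(flags=DO)))),
        "no_do_echo": classify(parse_response(build_response(q, [a, sig], opt_rr()))),
        "ignores_edns": classify(parse_response(build_response(q, [a], None))),
        "badvers": classify(parse_response(build_response(q, [], opt_rr(ext_rcode=1)))),
    }


if __name__ == "__main__":
    for label, verdict in check_samples().items():
        print(f"{label:13s} -> {verdict}")
```

Against a live server one would send `build_query(...)` over UDP and feed the raw reply to `parse_response`; the "no_do_echo" sample is the exact shape Mark describes, where DNSSEC data comes back but the OPT flags are zero, and it would pass a test that only requires DNSSEC support while failing one that requires full EDNS compliance.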