Re: [dnsext] perhaps we should reintroduce "resimprove"

Florian Weimer <fw@deneb.enyo.de> Fri, 10 February 2012 14:50 UTC

From: Florian Weimer <fw@deneb.enyo.de>
To: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
References: <3699_1328861785_4F34D258_3699_2027_1_4F33E1A6.4030902@isc.org> <20120210084439.GB7284@laperouse.bortzmeyer.org> <4F34E0BF.9060305@nlnetlabs.nl>
Date: Fri, 10 Feb 2012 15:50:06 +0100
In-Reply-To: <4F34E0BF.9060305@nlnetlabs.nl> (W. C. A. Wijngaards's message of "Fri, 10 Feb 2012 10:17:51 +0100")
Message-ID: <87lioayc81.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Cc: dnsext@ietf.org
Subject: Re: [dnsext] perhaps we should reintroduce "resimprove"

* W. C. A. Wijngaards:

> This replacement is wrong.  We must have '=' in >= to pick up zone
> changes from the same server.  We must have revalidation at the parent
> for the ghost-domain problem, it is simply a case of having the NS TTL
> expire (i.e. meaning, the NS RRset can be replaced with a newer one but
> the NS TTL does not increase).

This is correct for the immediate delegation.  However, it does not
help if there is yet another delegation.  This one would have
attacker-controlled TTLs in the parent (child) and child (grandchild).

Therefore, I fear that an approach which just picks up the data from
the child while keeping the TTL from the parent does not actually
address the issue of crafted TTLs.  Some sort of recursive,
tree-dependent approach appears to be required.
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
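A small model of the two cache-lifetime rules being argued over above, added here as an illustration; it is not code from this thread, from the "resimprove" draft, or from any resolver. It compares the rule the thread describes (child NS data is picked up, but the cached lifetime is the TTL the immediate parent published) with a recursive, tree-dependent rule in which a delegation can never outlive any delegation above it. The zone names (`tld.`, `example.`, `sub.example.`), the TTLs and the day-30 check are constructed, and the `Delegation` type and policy functions are assumptions of this example, not names from the draft. The check is defensive: it measures how long a zone stays usable from cache after the registry-controlled delegation at the top has expired.

```python
# Added illustration for the delegation-chain argument in the thread; not code
# from the thread, the resimprove draft, or any resolver. Zone names, TTLs and
# the timeline are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List

DAY = 86400


@dataclass(frozen=True)
class Delegation:
    child: str   # zone being delegated, e.g. "sub.example."
    parent: str  # zone that publishes the delegation (NS RRset and its TTL)
    ttl: int     # NS TTL as published on the parent side, in seconds


# Constructed chain. The registry controls the first TTL; the operator of
# example. controls the second, which is the point raised in the thread:
# for sub.example. the "parent" TTL is not registry-controlled.
CHAIN: List[Delegation] = [
    Delegation("example.", "tld.", 2 * DAY),
    Delegation("sub.example.", "example.", 100 * DAY),
]

Policy = Callable[[List[Delegation]], Dict[str, int]]


def expiry_immediate_parent(chain: List[Delegation], t0: int = 0) -> Dict[str, int]:
    """Rule discussed in the thread: NS data may be refreshed from the child,
    but the cache lifetime is the TTL published by the immediate parent only."""
    return {d.child: t0 + d.ttl for d in chain}


def expiry_tree_dependent(chain: List[Delegation], t0: int = 0) -> Dict[str, int]:
    """Recursive, tree-dependent rule: a delegation is only as durable as every
    delegation above it, so its expiry is the minimum of its own parent-side
    TTL and its parent's computed expiry. `chain` must be ordered from the top
    of the tree downwards."""
    expiry: Dict[str, int] = {}
    for d in chain:
        own = t0 + d.ttl
        parent_expiry = expiry.get(d.parent)
        expiry[d.child] = own if parent_expiry is None else min(own, parent_expiry)
    return expiry


def is_cached(expiry: Dict[str, int], zone: str, now: int) -> bool:
    """True while the resolver may still use the cached NS RRset for `zone`
    without going back to the delegating parent."""
    return now < expiry[zone]


def ghost_window(chain: List[Delegation], policy: Policy, zone: str) -> int:
    """Seconds during which `zone` remains usable from cache after the topmost
    delegation of the chain has expired, i.e. after a resolver re-asking the
    registry would learn that the domain is gone. Zero means no ghost."""
    expiry = policy(chain)
    top_expiry = expiry[chain[0].child]
    return max(0, expiry[zone] - top_expiry)


if __name__ == "__main__":
    for name, policy in (("immediate-parent TTL", expiry_immediate_parent),
                         ("tree-dependent TTL", expiry_tree_dependent)):
        e = policy(CHAIN)
        print(f"{name}: sub.example. still cached at day 30? "
              f"{is_cached(e, 'sub.example.', 30 * DAY)}; "
              f"ghost window {ghost_window(CHAIN, policy, 'sub.example.') // DAY} days")
```

Under the immediate-parent rule, `example.` drops out of cache after the registry's two days, but `sub.example.` stays usable for the full 100 days its operator chose, a 98-day window in which the deleted domain's subtree still resolves from cache. Under the tree-dependent rule every zone below `example.` expires with it, and the same holds for chains of any depth because each level is capped by the level above.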