On 2023-06-10 22:48 UTC, Paul Hoffman <paul.hoff...@icann.org> wrote:
> On Jun 10, 2023, at 1:38 PM, Philip Homburg <pch-ietf-dpr...@u-1.phicoh.com>
> wrote:
>>
>>> In such a case, resolvers following
>>> this protocol will look for authoritative answers to ports 53 and
>>> 853 on that system, and the system would need to be able to
>>> differentiate queries for recursive answers from queries for
>>> authoritative answers.

I think this needs some MUST requirements because it's an interop problem.

An issue with the draft is that it never specifies explicitly what a
successful or unsuccessful probe is. My reading is that it decides
successful / unsuccessful on the transport layer. E.g. when it can talk TLS
to *something* on port 853 that's a success. Never mind what that something
is.

>>
>> For lack of a better term, I use the word 'lame' here:
>>
>> If, during probing, a recursive resolver decides that the authoritative
>> server on port 853 is 'lame', then the recursive resolver should fall back
>> to port 53.
>
> The feeling that I got from the other messages is that the server on
> 853 is not lame: it is being authoritative for some names and
> recursive for all others.

If so, it's not lame at all. ns1.eu.org is authoritative for eu.org:

$ dig +norec +noall +comments @ns1.eu.org eu.org NS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54105
;; flags: qr aa; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 5

The DoT recursive resolver refuses to talk to us when we turn off RD:

$ dig +tls +norec +noall +comments @ns1.eu.org eu.org NS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 9454
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

It is happy to give us a recursive answer though, heck, it's even DNSSEC
validated:

$ dig +tls +noall +comments @ns1.eu.org eu.org NS
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48894
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 5

From the PoV of the draft (as it currently stands) the DoT probe is
successful, because something responded to us.

>
> --Paul Hoffman
>
> _______________________________________________
> dns-privacy mailing list
> dns-privacy@ietf.org
> https://www.ietf.org/mailman/listinfo/dns-privacy

--
In my defence, I have been left unsupervised.
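As an added illustration of the point made in the message (this is not code from the draft or from the poster), here is a small Python check that judges an RD=0 probe at the DNS layer instead of at the transport layer, run over headers constructed to match the three dig outputs above; the flag constants, function names and the "lame" verdict are my own assumptions.

```python
import struct

# DNS header flag bits (RFC 1035; AD from RFC 4035). RCODE is the low nibble.
QR, AA, RD, RA, AD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_REFUSED = 0, 5

def build_header(msg_id, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """Pack a 12-byte DNS header in wire format (used here to construct test data)."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, nscount, arcount)

def transport_probe(response):
    """The transport-only criterion the message describes: any reply counts as success."""
    return len(response) > 0

def dns_layer_probe(response, sent_id):
    """Judge an RD=0 probe at the DNS layer (assumed criterion, not the draft's).

    Returns 'authoritative' only when the reply has AA set and RCODE NOERROR.
    A reply without AA (REFUSED, or a recursive answer) shows the port is served
    by something that is not authoritative for the name, so the probing resolver
    treats it as 'lame' and falls back to port 53.
    """
    if len(response) < 12:
        return "malformed"
    msg_id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if msg_id != sent_id or not flags & QR:
        return "malformed"  # not a response to our query
    rcode = flags & 0x000F
    if flags & AA and rcode == RCODE_NOERROR:
        return "authoritative"
    return "lame"

# Constructed responses mirroring the three dig headers shown in the message.
SAMPLES = {
    # port 53, RD=0: status NOERROR, flags qr aa, ANSWER 9, ADDITIONAL 5
    "port53_rd0": (54105, build_header(54105, QR | AA, 1, 9, 0, 5)),
    # port 853, RD=0: status REFUSED, flags qr ra, ADDITIONAL 1
    "port853_rd0": (9454, build_header(9454, QR | RA | RCODE_REFUSED, 1, 0, 0, 1)),
    # port 853, RD=1: status NOERROR, flags qr rd ra ad, ANSWER 9 (no aa)
    "port853_rd1": (48894, build_header(48894, QR | RD | RA | AD, 1, 9, 0, 5)),
}

def probe_results():
    """Compare both criteria over the samples: {name: (transport_ok, dns_layer_verdict)}."""
    return {name: (transport_probe(resp), dns_layer_probe(resp, sent_id))
            for name, (sent_id, resp) in SAMPLES.items()}
```

Calling probe_results() shows the transport criterion accepting all three replies while only the port 53 answer passes the DNS-layer check.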