Hi Nicholas,

On 2012-06-12, at 10:58, Nicholas Weaver wrote:

> On Jun 12, 2012, at 7:40 AM, Warren Kumari wrote:
> 
>> So, back in (AFAIR) Taipei I proposed making AS112 instances simply be 
>> authoritative for *everything*, and then simply delegating and undelegating 
>> things to it as appropriate (this would make things much simpler as there 
>> would be very little coordination needed). At the time I realized that this 
>> would require synthesizing answers (always a bit of a controversial topic), 
>> but it turns out that there are a number of other things that may be equally 
>> contentious, such as (thanks to Joe for this partial list):
> 
> To be honest, it seems like almost a no-brainer good idea to me.  And what's 
> wrong about synthesizing answers?

Actually, from the perspective of the omniscient AS112 server there's no real 
answer synthesis; the AS112 servers just serve an empty, unsigned namespace in 
which nothing exists apart from required zone scaffolding.

> The only question I have is DNSSEC.  I take it since the model is this is all 
> bogus traffic, just have an NSEC above it saying "No DNSSEC information", but 
> I just want to be sure that doesn't change.

The only reason a resolver would normally send a query to an AS112 server 
(current, or omniscient) is if they followed a delegation there.

Since these are all junk domains of no global significance, it's hard to see 
how they could be signed. The expectation is (as currently) that they would not 
be.

A resolver would hence be receiving an unsigned name error (no NSEC RRs in the 
response) for a name that is verifiably insecure (due to the lack of a 
corresponding RRSet in the parent zone). The only potential wrinkle is the SOA 
record returned with the name error.

I can't think of a reason why a resolver would be upset to receive a name error 
from an AS112 server where the included (enclosing, root) SOA record attached 
is unsigned, but perhaps there are corner cases.

> Stupid question on the SOA record however: why not dynamically generate an 
> exact match SOA?  
> 
> 
> So if the query is, say
> 
> 121.14.34.10.in-addr.arpa.     IN      PTR
> 
> Instead of returning
> 
> 
> 10.in-addr.arpa.        300     IN      SOA     prisoner.iana.org. 
> hostmaster.root-servers.org. 2002040800 1800 900 604800 604800
> (current)
> 
> or
> 
> .                     300     IN      SOA     a.root-servers.net. 
> nstld.verisign-grs.com. 2012061200 1800 900 604800 86400
> (omniscient)
> 
> 
> Why not return
> 
> 121.14.34.10.in-addr.arpa.    300     IN      SOA     prisoner.iana.org. 
> hostmaster.root-servers.org. 2002040800 1800 900 604800 604800
> 
> as the SOA?

That would involve custom software. At present, anybody can run an AS112 server 
using whatever choice of platform and DNS code they feel like. Requiring custom 
code for an AS112 server and expecting it to be maintained on multiple 
platforms seems unlikely, but no doubt it could be done.


Joe
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
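What the "omniscient" AS112 exchange above looks like on the wire, as an added example that is not part of the thread and not code from any AS112 operator or DNS implementation: a toy Python responder that serves the empty, unsigned namespace Joe describes (nothing but apex scaffolding) and answers every query with an authoritative name error whose authority section carries only the enclosing root SOA, followed by a resolver-side check that the name error is indeed unsigned (no NSEC, NSEC3 or RRSIG present). The SOA values are the ones quoted in the thread; the `exact_match_soa` flag, the message ID and the query name are assumptions added here, the flag existing only to show what Nick's per-query SOA synthesis would require of the server software.

```python
"""Toy 'omniscient AS112' responder and resolver-side check (constructed
example; pure Python, raw DNS wire format, no network access)."""
import struct

TYPE_SOA, TYPE_PTR, TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3 = 6, 12, 46, 47, 50
CLASS_IN = 1
RCODE_NXDOMAIN = 3

# Assumed apex SOA of the empty zone, values as quoted in the thread.
SOA_MNAME, SOA_RNAME = "a.root-servers.net.", "nstld.verisign-grs.com."
SOA_TIMERS = (2012061200, 1800, 900, 604800, 86400)  # serial refresh retry expire minimum
SOA_TTL = 300


def encode_name(name):
    """Dotted name -> uncompressed wire labels ('.' encodes as a single zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Wire labels (compression pointers allowed) -> (dotted name, offset after name)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # RFC 1035 4.1.4 pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_query(qname, qtype, msg_id=0x1234):
    """Plain query with RD set, as a resolver following a delegation would send."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)


def answer_query(query, exact_match_soa=False):
    """Authoritative NXDOMAIN for any name: the zone holds no data and no DNSSEC.
    exact_match_soa=True is the custom behaviour Nick asks about (SOA owner = qname);
    the default is what a stock authoritative server does (SOA owner = zone apex)."""
    msg_id, flags = struct.unpack("!HH", query[:4])
    qname, off = decode_name(query, 12)
    question = query[12:off + 4]                        # name + qtype + qclass
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | RCODE_NXDOMAIN  # QR, AA, RD, rcode
    header = struct.pack("!HHHHHH", msg_id, resp_flags, 1, 0, 1, 0)
    owner = qname if exact_match_soa else "."
    rdata = encode_name(SOA_MNAME) + encode_name(SOA_RNAME) + struct.pack("!IIIII", *SOA_TIMERS)
    neg_ttl = min(SOA_TTL, SOA_TIMERS[4])               # RFC 2308 negative-cache TTL
    authority = encode_name(owner) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, neg_ttl, len(rdata)) + rdata
    return header + question + authority


def parse_response(msg):
    """Minimal parser: header fields plus (owner, type, ttl, rdata) for every RR."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    rrs = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rrs.append((owner, rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": msg_id, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "answers": an, "rrs": rrs}


def name_error_is_unsigned(parsed):
    """Resolver-side check: NXDOMAIN, one SOA, and no DNSSEC proof of any kind."""
    types = {rr[1] for rr in parsed["rrs"]}
    return (parsed["rcode"] == RCODE_NXDOMAIN
            and not types & {TYPE_RRSIG, TYPE_NSEC, TYPE_NSEC3}
            and sum(1 for rr in parsed["rrs"] if rr[1] == TYPE_SOA) == 1)


def soa_owner(parsed):
    """Owner name of the SOA in the response, or None if there is none."""
    for owner, rtype, _ttl, _rdata in parsed["rrs"]:
        if rtype == TYPE_SOA:
            return owner
    return None


if __name__ == "__main__":
    q = build_query("121.14.34.10.in-addr.arpa.", TYPE_PTR)
    for custom in (False, True):
        r = parse_response(answer_query(q, exact_match_soa=custom))
        print("exact-match SOA" if custom else "apex SOA", "rcode", r["rcode"],
              "aa", r["aa"], "soa owner", soa_owner(r), "unsigned", name_error_is_unsigned(r))
```

The standard path needs nothing beyond an empty zone; the `exact_match_soa` path is the part a stock authoritative server cannot do by configuration, which is the "custom software" Joe points to. A validating resolver that has already seen no DS for the delegation treats either form as an insecure, not bogus, name error, since there is nothing in the response to validate.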
