On Thu, Apr 23, 2020 at 7:29 AM Giovane C. M. Moura <giovane.moura= 40sidn...@dmarc.ietf.org> wrote:
> Hi Shumon,
>
> > The main recommendations in the draft are to: (1) deterministically
> > prefer the authoritative child NS set over the non-authoritative,
> > unsigned, delegating NS set in the parent
>
> This was a problem waiting to be addressed for a long time. Thanks for
> writing this.
>

Thanks Giovane ..

> For what it's worth, we have a recent study[0] that measures how
> resolvers, in the wild, choose when presented with inconsistent NSSets
> at parent and child.
>
> Higher order bits are:
> - .com, .org, and .net have 8% of second-level domains with != NSSet at
>   parent/child
> - We classify the impact of these "misconfigurations" in the wild,
>   with controlled experiments, and show that it impacts how queries are
>   distributed among diff NSes --- and minimum response changes the results
> - We evaluate specific versions of resolvers
>

I skimmed your paper quickly (will read in more detail later), but it has lots of interesting information in it, so thanks for doing this work! Your recommendations in the paper largely match what is already specified in the delegation revalidation draft.

I was thinking the test zones that you set up to investigate resolver behavior might also be useful to software developers (e.g. implementers of resolvers and diagnostic tools) to test their code against. Do you plan to maintain the parent/child disjoint NS domain (marigliano.xyz) going forward? And what about the test domains for other types of misconfigurations?

Did you look at the potential problem of members of the child (or parent) NS sets emitting different information? I suspect that case also happens.

Do you have any plans to look at the behavior of the large public resolvers?

Thanks,
Shumon Huque
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop