On Thu, Apr 23, 2020 at 7:29 AM Giovane C. M. Moura <giovane.moura=40sidn...@dmarc.ietf.org> wrote:

> Hi Shumon,
>
> > The main recommendations in the draft are to: (1) deterministically
> > prefer the authoritative child NS set over the non-authoritative,
> > unsigned, delegating NS set in the parent
>
> This was a problem waiting to be addressed for a long time. Thanks for
> writing this.
>

Thanks Giovane ..


> For what it's worth, we have a recent study[0] that measures how
> resolvers, in the wild, choose when presented with inconsistent NSSets
> at parent and child.
>
> Higher order bits are:
>  - .com, .org, and .net have 8% of second-level domains with != NSSet at
> parent/child
>  - We classify the impact of these "misconfigurations" in the wild,
> with controlled experiments, and show that it impacts how queries are
> distributed among diff NSes --- and minimum response changes the results
>  - We evaluate specific versions of resolvers
>

I skimmed your paper quickly (will read in more detail later), but
it has lots of interesting information in it, so thanks for doing this
work!

Your recommendations in the paper largely match what is already
specified in the delegation revalidation draft.

I was thinking the test zones that you set up to investigate resolver
behavior might also be useful to software developers (e.g.
implementers of resolvers and diagnostic tools) to test their code
against. Do you plan to maintain the parent/child disjoint NS
domain (marigliano.xyz) going forward? And what about the test
domains for other types of misconfigurations?

Did you look at the potential problem of members of the child (or
parent) NS sets emitting different information? I suspect that case
also happens.

Do you have any plans to look at the behavior of the large public
resolvers?

Thanks,
Shumon Huque
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
