see inline.
Viktor Dukhovni wrote on 2023-03-27 18:00:
> [ Multi-response to four upthread messages. ]
> -------
> ...
> A possibly inconvenient question, just to make sure we're not ignoring
> the obvious sceptical position:
> * How compelling is compact DoE?
that may depend on the beholder's eye. for perspective, no root name
server has deployed this alternative form of Denial of Existence, and i
believe this includes the f-root anycast instances operated by
cloudflare under ISC's management. root name servers receive an awful
lot of junk, and aren't in general overfunded, so if compactness of DoE
was compelling for anybody, it seems like it would be for them. yet:
; <<>> DiG 9.18.9 <<>> +dnssec luasfluh. @f.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55686
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;luasfluh. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023032800 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20230410050000
20230328040000 951 . lNcrq1jIeyKGIpkcgMdpPW77yeCLJ+2vU9+HM9Jwr0m1g6RZE8YyxlRA
+q2oIuDHailclFDPMdjgX2lAMhxaNjWl/H+c2fjZN4+yIRWDcUPnDou5
sn0S5s2fZQTqdnVghSz4JVXJUCo6bTPWDoA8kt/kuXL/bamISWiI0P39
VYplvnIVVm7/oQ8gYmWChNfl3TkCXZsbLtsKc2sW5Ssjb50Gs7WKduvo
UCJRmviRNfJvWcZt1nzZWNGTlwDQcJKTLQDSdXXQd+j4FyUpgIAS3THd
GzpQblEEKSgYRrGUGbZJ9QKAy0niI2D0JVqHmeHP+g3M8CC7QKKK3FsH Xb9Paw==
lu. 86400 IN NSEC lundbeck. NS DS RRSIG NSEC
lu. 86400 IN RRSIG NSEC 8 1 86400 20230410050000
20230328040000 951 . KS2/AAlD6atD3EfuRwCciYyBtl4aedoOMd2Z60EzZFoXbbGm9ghYPFeB
xO+7MpYUTeNQ8ZSI9hZXeNf5ood3QORw4Wevo+XxoQoFnHxyXnLjlpXA
2h+N3/yPjt20iCTD6zF1n/AOxDnATzIabj6StaMO4dMD7pXTHQxWE+a5
vCQNRrWVQKv43QFj7zkEBaYX7YHFwKyODdIXnIBnrq1sItGqpZ8nYoaZ
odCGzFyaMh3vN1FPbrgVhTDeDFFAkQ8k9nZjmQ+r6YtZqgdsx9zY5Lao
K/EfL6+2UtGiQSVi1O/KzxjZ933t0BkyFNv6jqZANNfTIt1PBvbFWDH+ jfiCbw==
. 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY
. 86400 IN RRSIG NSEC 8 0 86400 20230410050000
20230328040000 951 . s9mtWsArs0D1e93ri9e7FVsvMH8gQE/R2zO2plcvd+gkbNuuQwR+SyYT
rJu7s0mUkuKCsNyU26k8E4ve5S7RbI7Zkg5mGVUoaoLOlk229l3PGPzj
pj1k8fyHUh1ed1PyYxq1UlnIxPAGiSCocKHlB5Dp1CHACCw4zYT4bl/V
czCCcyqesCD+eTI+CF1hMiZOOIc9heViHENFzG1qPCH8PLDHJVpl3cJm
H0zriGwGQk8D/JGp2M7SEgr/JmJCSpmHwmMbwC//UUaPKvpFLqoEFr5x
6TCxDDg5u8eynptBeuoRqKYBWey+nl1pAC30tBhkjwqCjS19fNBVhmbh BbygbA==
;; Query time: 3 msec
;; SERVER: 2001:500:2f::f#53(f.root-servers.net) (UDP)
;; WHEN: Tue Mar 28 12:42:04 UTC 2023
;; MSG SIZE rcvd: 1028
i strongly suspect that the era has passed during which compactness of
DoE was worth its complexity cost. however, i think that's a decision
for each operator. my only objective concern is that all Denial of
Existence signals emitted by any DNS server be distinguishable from
NODATA and distinguishable from ENT. so if "compact DoE" goes forward
those should be hard requirements.
> The reason to ask is that both the original and now modified protocols
> involve non-trivial complexity, and would likely require resolvers to
> ...
i feel you, brother. however, if operators insist that they've got to
have this, we'll have to accept the complexity costs necessary to meet
my above-described hard requirements.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
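An added example, not code from the thread, from any root operator, or from any draft: a small validator-side classifier in Python that applies the RFC 4034 section 6.1 canonical name ordering and the RFC 4035 section 3.1.3 NSEC proof rules to a set of NSEC records and reports which kind of denial they prove. The root-zone records are the two NSECs from the dig output above; the example. zone records and the "compact" NSEC are constructed for illustration. It shows the distinguishability problem raised in the message: an NSEC owned by the query name whose type bitmap holds only NSEC and RRSIG is exactly what an empty non-terminal looks like, so a validator cannot tell a synthesized NXDOMAIN from an ENT NODATA. The `nxname_signal` parameter is a hypothetical bitmap marker used to show what a distinguishing signal would have to do; it is not a statement of what any draft specifies.

```python
"""NSEC denial-of-existence classifier (added example, not from the thread)."""
from dataclasses import dataclass


def _label_bytes(label: str) -> bytes:
    """Presentation-format label to lowercase bytes, decoding \\DDD escapes."""
    out = bytearray()
    i = 0
    while i < len(label):
        esc = label[i + 1:i + 4]
        if label[i] == "\\" and len(esc) == 3 and esc.isdigit():
            out.append(int(esc))
            i += 4
        else:
            out.append(ord(label[i].lower()))
            i += 1
    return bytes(out)


def canon(name: str) -> list:
    """Labels in RFC 4034 s6.1 canonical comparison order: rightmost first.
    Python list/bytes ordering then gives the RFC ordering (a shorter prefix
    sorts first, labels compared as unsigned octets). Assumes no escaped dots."""
    stripped = name.rstrip(".")
    if not stripped:
        return []
    return [_label_bytes(lbl) for lbl in stripped.split(".")][::-1]


def _covers(owner, nxt, q) -> bool:
    """True if NSEC (owner -> nxt) proves q is not an owner name in the zone."""
    if nxt <= owner:            # last NSEC in the chain wraps to the apex
        return q > owner
    return owner < q < nxt


def _common_labels(a, b) -> int:
    k = 0
    for x, y in zip(a, b):
        if x != y:
            break
        k += 1
    return k


@dataclass(frozen=True)
class NSEC:
    owner: str
    next: str
    types: frozenset


def classify(qname: str, qtype: str, nsecs, nxname_signal=None) -> str:
    q = canon(qname)
    # 1. An NSEC owned by qname proves the name exists; only a type can be denied.
    for r in nsecs:
        if canon(r.owner) == q:
            if qtype in r.types:
                return "BOGUS: NSEC bitmap claims qtype is present"
            if nxname_signal and nxname_signal in r.types:
                return "NXDOMAIN (signalled in bitmap)"   # hypothetical marker
            if r.types <= {"NSEC", "RRSIG"}:
                # Indistinguishable from a real empty non-terminal.
                return "AMBIGUOUS: ENT or compact-DoE NXDOMAIN"
            return "NODATA"
    # 2. Otherwise some NSEC must cover qname.
    for r in nsecs:
        o, n = canon(r.owner), canon(r.next)
        if not _covers(o, n, q):
            continue
        if len(n) > len(q) and n[:len(q)] == q:
            # Next name lies below qname, so qname exists as an ENT: NODATA.
            return "NODATA (ENT)"
        # 3. NXDOMAIN also needs the wildcard at the closest encloser denied.
        k = max(_common_labels(q, o), _common_labels(q, n))
        wildcard = q[:k] + [b"*"]
        for w in nsecs:
            if _covers(canon(w.owner), canon(w.next), wildcard):
                return "NXDOMAIN"
        return "BOGUS: wildcard at closest encloser not denied"
    return "BOGUS: no NSEC matches or covers qname"


# The two NSEC records from the f.root-servers.net answer quoted above.
ROOT_NSECS = (
    NSEC("lu.", "lundbeck.", frozenset({"NS", "DS", "RRSIG", "NSEC"})),
    NSEC(".", "aaa.", frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
)
# Constructed records for a hypothetical example. zone (not real data).
EXAMPLE_NSECS = (
    NSEC("example.", "host.ent.example.",
         frozenset({"NS", "SOA", "RRSIG", "NSEC", "DNSKEY"})),
    NSEC("www.example.", "example.", frozenset({"A", "RRSIG", "NSEC"})),
)
# Constructed: what a compact-DoE style server synthesises for a missing name.
COMPACT_NSEC = (
    NSEC("nonexist.example.", r"\000.nonexist.example.", frozenset({"NSEC", "RRSIG"})),
)

if __name__ == "__main__":
    print("luasfluh. A      ->", classify("luasfluh.", "A", ROOT_NSECS))
    print("www.example. AAAA->", classify("www.example.", "AAAA", EXAMPLE_NSECS))
    print("ent.example. A   ->", classify("ent.example.", "A", EXAMPLE_NSECS))
    print("nonexist. A      ->", classify("nonexist.example.", "A", COMPACT_NSEC))
```

Running it classifies the quoted root answer as a full NXDOMAIN proof (lu./lundbeck. covers the name, ./aaa. covers the wildcard at the root), the constructed ent.example. as an ENT NODATA, and the synthesized nonexist.example. NSEC as ambiguous, because the only thing separating it from the ENT case is knowledge the response does not carry.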