Mark Delany wrote:
> On 17May14, Mark Andrews allegedly wrote:
>> domain ENAME domain {0|1} [type list of included / excluded types]
>> (0 == include, 1 == exclude)
>
> As I recall, the HTTP/2.0 folks have been intermittently talking about
> supporting SRV. Would encouraging tha
On 17May14, Mark Andrews allegedly wrote:
>
> domain ENAME domain {0|1} [type list of included / excluded types]
> (0 == include, 1 == exclude)
As I recall, the HTTP/2.0 folks have been intermittently talking about
supporting SRV. Would encouraging that group on that front be
domain ENAME domain {0|1} [type list of included / excluded types]
(0 == include, 1 == exclude)
"domain ENAME domain 1" is equivalent to "domain CNAME domain"
(exclude nothing)
"domain ENAME domain 1 NS DNSKEY SOA" is CNAME at apex
You would be insane to publish varient DS records with edns-client-subnet
to the public as there is no requirement for clients to use the
same address to lookup DS records as they use to lookup DNSKEY
records. Similarly for DNSKEY or RRSIGs based on DNSKEYs which are
varient based on edns-client-
Tim,
On May 16, 2014, at 9:31 AM, Tim Wicinski
mailto:tjw.i...@gmail.com>>
wrote:
On 5/16/14, 8:18 AM, Andrew Sullivan wrote:
Second, the Internet is actually working today using those kinds of
CDN tricks. Indeed, some of the most important and most successful
nodes on the Internet rely very
one of the icann ssac (then "secsac") consensus processes i am most
proud to have been part of was this, in 2004:
http://www.icann.org/en/groups/ssac/report-redirection-com-net-09jul04-en.pdf
indeed, this document and the process followed in creating it may still
stand today, as ssac's finest hou
I don't want to spend a lot of time in this rathole (and this will be
my last remark on it), but I want to clarify something about what I
was trying to say. I suppose I should have picked better language.
On Fri, May 16, 2014 at 07:50:10AM -0700, Paul Vixie wrote:
>
> "not allowed" is interestin
On May 16, 2014, at 11:02 AM, S Moonesamy wrote:
> I gave up on reading the first response to my comments as I did not want to
> push back strongly; it's an effort and it can be viewed as antagonistic.
I think there's a fine line between ratholing and not getting the point across.
I would rea
On Fri, May 16, 2014 at 04:41:17PM +0200, Jelte Jansen wrote:
> To implement client-subnet means to implement a form of views within
> your resolver in the form of split caches. If you don't implement it at
> all there is no problem, but it certainly does change the model of the
> world that resol
Hi Ted,
At 04:56 16-05-2014, Ted Lemon wrote:
Did you feel that your comments were adequately addressed by the
working group?
I gave up on reading the first response to my comments as I did not
want to push back strongly; it's an effort and it can be viewed as
antagonistic.
Regards,
S. Moon
On May 16, 2014, at 8:13 AM, Colm MacCárthaigh wrote:
> I've never been able to make prioritisation really work at microsecond scale.
> I can imagine a dedicated process for signing and having prioritized queues
> to it, but that would need so much packet copying that it would likely
> degrade
On Fri, May 16, 2014 at 7:54 AM, Nicholas Weaver
wrote:
> > 16k/second is nothing, and I can generate that from a wristwatch
> computer. Caching doesn't help, as the attackers can (and do) bust caches
> with nonce-names and so on :/ A 16 core machine can do a million QPS
> relatively easily - so
On Fri, May 16, 2014 at 7:50 AM, Paul Vixie wrote:
>
> what we do have is advice: "if you're going to do this, here is a way
> that works." in many cases, and DNSSEC is an example, the advice has an
> additional property: "if you want a system like this, here is how
> everybody else is doing it."
On May 16, 2014, at 10:54 AM, Nicholas Weaver wrote:
> You miss my point. That server is doing a million QPS, but its only
> providing ~16k/s distinct answers.
> [...]
I will reiterate that it would be really wonderful if all this creative energy
could go into writing a document explaining h
On May 16, 2014, at 7:44 AM, Colm MacCárthaigh wrote:
>> Actually, you can. You prioritize non-NSEC3 records, since thats a finite,
>> identifiable, priority set, and cache the responses. Thus if you have 10k
>> valid names, each with 100 different possible responses, and have a max 1
>> mi
>
>
> On 5/16/14, 8:18 AM, Andrew Sullivan wrote:
>> ...
>>
>> First, if resolvers have expectations about consistency of zones and
>> so on, then they're broken. The DNS has only ever been loosely
>> coherent. You're simply _not allowed_ to make that assumption from
>> any point in the network
On Fri, May 16, 2014 at 7:34 AM, Nicholas Weaver
wrote:
>
> On May 16, 2014, at 7:29 AM, Colm MacCárthaigh wrote:
> >> And even 4096b RSA signatures only take a handful of milliseconds to
> construct on the fly, you can cache signature validity for minutes even in
> the very dynamic case, and thi
On 05/16/2014 02:18 PM, Andrew Sullivan wrote:
>
> First, if resolvers have expectations about consistency of zones and
> so on, then they're broken. The DNS has only ever been loosely
> coherent. You're simply _not allowed_ to make that assumption from
> any point in the network except inside t
On May 16, 2014, at 7:29 AM, Colm MacCárthaigh wrote:
>> And even 4096b RSA signatures only take a handful of milliseconds to
>> construct on the fly, you can cache signature validity for minutes even in
>> the very dynamic case, and this is one of those operations that parallelize
>> obscenel
On May 16, 2014, at 10:29 AM, Colm MacCárthaigh wrote:
> You won't survive a trivial DOS from a wristwatch computer with that approach
> :) Having static answers around greatly increases capacity, by many orders of
> magnitude.
Argh. Having just agreed with Nick, I have to admit that this is
On May 16, 2014, at 10:24 AM, Nicholas Weaver wrote:
> No its not. All you have to be willing to do is release the constraint on
> "all signatures offline". Doing online signatures allows all the CDN
> functionality you want to be DNSSEC validated (not like DNSSEC really does
> much good for
On Fri, May 16, 2014 at 7:24 AM, Nicholas Weaver
wrote:
> No its not. All you have to be willing to do is release the constraint on
> "all signatures offline". Doing online signatures allows all the CDN
> functionality you want to be DNSSEC validated (not like DNSSEC really does
> much good for
On May 16, 2014, at 10:00 AM, Olafur Gudmundsson wrote:
> few people saying this would cause the world to end and calling the
> proponents names.
FWIW, when mailing list subscribers behave this way, what they say probably
can't easily be considered part of the consensus evaluation, since they
On May 16, 2014, at 6:41 AM, Ted Lemon wrote:
> On May 16, 2014, at 8:18 AM, Andrew Sullivan wrote:
>> But it seems to me we ought to
>> be more enthusiastic than resigned in this case, even if we have to
>> hold our collective nose as well. Either those who understand how the
>> DNS works wil
On Fri, May 16, 2014 at 6:41 AM, Ted Lemon wrote:
> On May 16, 2014, at 8:18 AM, Andrew Sullivan
> wrote:
> > But it seems to me we ought to
> > be more enthusiastic than resigned in this case, even if we have to
> > hold our collective nose as well. Either those who understand how the
> > DNS
ICANN is a Contractor of the US Government - Department of Commerce
The following TEXT from .MARS is provided for .EARTH Archive Purposes Only
cat is one of the original UNIX commands - Sending email to C@T uses
the .T Top Level Domain
===
On May 16, 2014, at 7:56 AM, Ted Lemon wrote:
> On May 16, 2014, at 5:35 AM, S Moonesamy wrote:
>> I sent a few comments about that CDNI draft. The DNS discussion in the
>> draft was problematic. It is worth documenting what people are doing. It
>> is worthwhile to consider whether the mec
On May 16, 2014, at 8:18 AM, Andrew Sullivan wrote:
> But it seems to me we ought to
> be more enthusiastic than resigned in this case, even if we have to
> hold our collective nose as well. Either those who understand how the
> DNS works will document what to do, or else people who have no clue
On 5/16/14, 8:18 AM, Andrew Sullivan wrote:
On Thu, May 15, 2014 at 09:02:43AM -0400, Ted Lemon wrote:
makes the internet better, because it encourages practices with DNS
that wind up violating the expectations resolvers might have for
consistency of zones and so on.
Despite my personal fee
On Thu, May 15, 2014 at 09:02:43AM -0400, Ted Lemon wrote:
>
> makes the internet better, because it encourages practices with DNS
> that wind up violating the expectations resolvers might have for
> consistency of zones and so on.
Despite my personal feelings about CDN tricks and the DNS, I wou
On May 16, 2014, at 5:35 AM, S Moonesamy wrote:
> I sent a few comments about that CDNI draft. The DNS discussion in the draft
> was problematic. It is worth documenting what people are doing. It is
> worthwhile to consider whether the mechanism should be standardized by the
> IETF.
Did you
Hi Ted,
At 06:02 15-05-2014, Ted Lemon wrote:
I think it's worth documenting this option because there's a code
reserved for it, but I think it's highly questionable whether it
makes the internet better, because it encourages practices with DNS
that wind up violating the expectations resolvers
32 matches
Mail list logo
