Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread Paul Vixie
removing dns-operations@ as a cc. one mailing list at a time, please? Michael Sinatra wrote: > On 3/16/15 4:15 PM, P Vixie wrote: >> > Michael, what attacks do you think we can stop by limiting ANY? Paul > ... > > * These domains are DNSSEC-signed with NSEC3. Many tools set the TTL of > NSEC3PA

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread Paul Vixie
note: replying only to dnsop@. no thread is ever appropriate for dnsop@ plus some other mailing list. please stop cc'ing dns-operations@ on your replies; this is not an operational thread, and the people in the dns community who care about protocol development, are probably on both lists. > Mark A

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread hellekin
On 03/16/15 23:20, Paul Wouters wrote: > > It seems odd that two documents would be requesting an IANA action for > ".onion" ? > *** Well yes, it sounds like a mistake to me. But we can also consider it a god-given gift for people who argued agains

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread Paul Wouters
On Mon, 16 Mar 2015, hellekin wrote: Is this meant to replace or augment draft-grothoff-iesg-special-use-p2p-names ? *** This draft only covers .onion, one of the two pTLDs related to the Tor Project in the P2PNames draft, so the obvious answer is that it won't replace it. Now the P2PNames dr

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread hellekin
On 03/16/15 22:14, Paul Wouters wrote: > On Mon, 16 Mar 2015, Jacob Appelbaum wrote: > >> Subject: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt > > Is this meant to replace or augment > draft-grothoff-iesg-special-use-p2p-names ? >

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread Michael Sinatra
On 03/16/15 18:07, Yunhong Gu wrote: > > > On Mon, Mar 16, 2015 at 8:50 PM, Michael Sinatra > wrote: > > On 3/16/15 4:15 PM, P Vixie wrote: > > > > > > On March 17, 2015 7:42:09 AM GMT+09:00, Michael Sinatra > mailto:mich...@brokendns.net>> wrote

Re: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread Paul Wouters
On Mon, 16 Mar 2015, Jacob Appelbaum wrote: Subject: [DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt Is this meant to replace or augment draft-grothoff-iesg-special-use-p2p-names ? - most importantly is the date October 1st. On that date we'll have a death day for currently iss

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread Mark Andrews
In message <55077a64.7050...@brokendns.net>, Michael Sinatra writes: > On 3/16/15 4:15 PM, P Vixie wrote: > > > > > > On March 17, 2015 7:42:09 AM GMT+09:00, Michael Sinatra net> wrote: > >> > >> > >> On 03/16/15 07:23, bert hubert wrote: > >> > >>> Separately, I fail to see why we actually nee

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread Michael Sinatra
On 3/16/15 4:15 PM, P Vixie wrote: > > > On March 17, 2015 7:42:09 AM GMT+09:00, Michael Sinatra > wrote: >> >> >> On 03/16/15 07:23, bert hubert wrote: >> >>> Separately, I fail to see why we actually need to outlaw ANY queries >> when we >>> can happily TC=1 them. >> >> If the public recursi

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread P Vixie
On March 17, 2015 7:42:09 AM GMT+09:00, Michael Sinatra wrote: > > >On 03/16/15 07:23, bert hubert wrote: > >> Separately, I fail to see why we actually need to outlaw ANY queries >when we >> can happily TC=1 them. > >If the public recursives also support TC=1 on all ANY queries, then >this >w

[DNSOP] discussion for draft-appelbaum-dnsop-onion-tld-00.txt

2015-03-16 Thread Jacob Appelbaum
Hi, I realized after uploading that I hadn't sent this along for discussion. Hopefully it is a topic of discussion in Dallas. Tor's onion names are widely deployed and used by lots of folks all around the world. Our deployment size isn't news or really much of a discussion point - rather, I'm pr

Re: [DNSOP] How to respond to ANY and RRSIG queries when you don't want to

2015-03-16 Thread Robert Edmonds
Tony Finch wrote: > If the response would be NOERROR / NODATA and the zone is not signed, > synthesize a NULL RR and use that as the answer. It seems a little bit off to re-use the NULL RRtype, which has been reserved for experimental use, for this. There are at least some (marginal) uses of the

Re: [DNSOP] RFC 7477 on Child-to-Parent Synchronization in DNS

2015-03-16 Thread Bob Harold
My apologies for not seeing this sooner. In section "5. Security Considerations": To ensure that an older CSYNC record making use of the soaminimum flag cannot be replayed to revert values, the SOA serial number MUST NOT be incremented by more than 2^16 during the lifetime of the signature window
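The rule quoted above from RFC 7477 section 5 is stated in terms of SOA serial numbers, and SOA serials compare under RFC 1982 serial arithmetic (a circular 32-bit space in which two values exactly 2^31 apart are incomparable), so "incremented by more than 2^16" is only meaningful once wrap-around is handled. The following is an added example, not code from the message, from RFC 7477 or from any parental-agent implementation: it implements RFC 1982 comparison and addition and checks the 2^16 bound over a sequence of serials observed within one signature window, exactly as the quoted sentence states it, without taking a position on the rationale. The function and constant names are the example's own.

```python
"""RFC 1982 serial arithmetic plus a check of the bound quoted above from
RFC 7477 section 5: within one signature window the SOA serial must not be
incremented by more than 2^16.

Added example for the message above; not code from the poster or from the RFC.
It implements the rule as quoted and takes no position on its rationale.
"""

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)
CSYNC_WINDOW_MAX_INCREMENT = 1 << 16  # the 2^16 bound quoted in the message


def serial_add(s, n):
    """RFC 1982 addition: the increment must lie in [0, 2^31 - 1]; the sum wraps mod 2^32."""
    if not 0 <= n < HALF:
        raise ValueError("increment outside the RFC 1982 range")
    return (s + n) % SERIAL_MOD


def serial_gt(a, b):
    """RFC 1982 comparison: True when a is 'greater than' b in the circular 32-bit space.

    Two serials exactly 2^31 apart are incomparable; both orderings return False."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_distance(old, new):
    """How far `new` has advanced past `old`; 0 if equal; None when `new` is not
    greater than `old` (a rollback, or an incomparable pair)."""
    if old % SERIAL_MOD == new % SERIAL_MOD:
        return 0
    if not serial_gt(new, old):
        return None
    return (new - old) % SERIAL_MOD


def window_increment_ok(serials, limit=CSYNC_WINDOW_MAX_INCREMENT):
    """serials: SOA serials observed within one signature window, oldest first.

    Returns (ok, reason). Fails if any step goes backwards (or is incomparable)
    or if the net advance from the first to the last serial exceeds `limit`."""
    if not serials:
        return True, "no serials observed"
    for old, new in zip(serials, serials[1:]):
        if serial_distance(old, new) is None:
            return False, "serial %d does not follow %d" % (new, old)
    total = serial_distance(serials[0], serials[-1])
    if total is None:
        return False, "net advance wraps past 2^31; serials incomparable"
    if total > limit:
        return False, "net increment %d exceeds %d" % (total, limit)
    return True, "net increment %d within %d" % (total, limit)


if __name__ == "__main__":
    # Constructed serials in the common YYYYMMDDnn style, plus a wrap-around case.
    print(window_increment_ok([2015031601, 2015031602, 2015031603]))
    print(window_increment_ok([0xFFFFFF00, 0x00000010]))
    print(window_increment_ok([1, 2 + (1 << 16)]))
```

The wrap-around case matters in practice: an operator who compares serials with plain integer `<` will treat a serial that has wrapped past 2^32 as a rollback, while RFC 1982 arithmetic correctly sees a small forward step.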

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread bert hubert
On Mon, Mar 16, 2015 at 03:16:08PM +, Ray Bellis wrote: > Hypothetically, if you're using one of those funky NoSQL-style backends > where RRs are looked up in a key-value store directly from a (QNAME, > QTYPE) tuple I can see how supporting QTYPE == ANY would be tricky. At DNS query rates, yo

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread Ray Bellis
> On 16 Mar 2015, at 15:22, bert hubert wrote: > > At DNS query rates, you could just query purely based on the name as the > key. You'd have to do so anyhow to determine what kind of NXDOMAIN/NOERROR > response to generate! Yes, that's a good point :) > Or are we going to flatten that distinc

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread Ray Bellis
> On 16 Mar 2015, at 15:05, bert hubert wrote: > > Sorry? We solve implementation hardship by standards action now? > > "Some modern Authoritative servers, such as those used by CDN's, do > not have DNS zones. For those servers answering ANY query truthfully > is hard work. Thus ignorin

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread Paul Vixie
> bert hubert > Tuesday, March 17, 2015 12:05 AM > > Sorry? We solve implementation hardship by standards action now? as with client-subnet, we recognize that people will do what they want, or stop doing what they don't want, especially if they are CDN provider

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread bert hubert
On Mon, Mar 16, 2015 at 11:53:17PM +0900, Paul Vixie wrote: > that is not the use case for this. the updated document makes clear that > the iteration complexity in split-authority systems having a lightweight > front end, is the situation where ANY is painful. Sorry? We solve implementation hards

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread Paul Vixie
> bert hubert > Monday, March 16, 2015 11:23 PM > On Mon, Mar 09, 2015 at 04:18:12PM +0100, bert hubert wrote: >> On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote: >>> My "qmail" software is very widely deployed (on roughly 1 million SMTP >>> serv

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-16 Thread bert hubert
On Mon, Mar 09, 2015 at 04:18:12PM +0100, bert hubert wrote: > On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote: > > My "qmail" software is very widely deployed (on roughly 1 million SMTP > > server IP addresses) and, by default, relies upon ANY queries in a way > > that is guarantee

[DNSOP] How to respond to ANY and RRSIG queries when you don't want to

2015-03-16 Thread Tony Finch
This note is a consolidation of several messages to the IETF DNSOP working group last week. The principal motivation for not answering ANY queries is to allow for simplified implementations which do not need to enumerate all the data at a particular QNAME. This note also covers RRSIG queries, beca
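Two of the approaches discussed in this thread, bert hubert's "just TC=1 them" and Tony Finch's goal of an implementation that never has to enumerate every RRset at a QNAME, can be combined in a very small UDP front end: a QTYPE=ANY query gets a truncated reply carrying only the question, and everything else (including ANY over TCP, which cannot be truncated) is passed to the normal lookup path. The code below is an added example written for this page, not code from any poster, from the draft, or from any nameserver project. It assumes single-question queries and omits EDNS OPT handling (a real server would echo an OPT record); `build_query` constructs its own test traffic rather than using anything captured.

```python
"""UDP front end that declines to enumerate ANY (QTYPE 255) by replying TC=1.

Added example for the thread above, not code from any of the posters or from
any nameserver project. Assumptions: single-question queries, no EDNS OPT
handling, and a caller that knows whether the query arrived over UDP or TCP.
"""
import struct

QTYPE_ANY = 255
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD = 0x8000, 0x0400, 0x0200, 0x0100
OPCODE_MASK, RCODE_MASK = 0x7800, 0x000F
HEADER = struct.Struct("!HHHHHH")  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def parse_question(msg):
    """Return (qname, qtype, qclass, end_offset) for the single question in msg.

    Raises ValueError on anything malformed rather than trusting the counts."""
    if len(msg) < HEADER.size:
        raise ValueError("short header")
    qdcount = HEADER.unpack_from(msg, 0)[2]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], HEADER.size
    while True:
        if off >= len(msg):
            raise ValueError("truncated qname")
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n > 63:
            # 0xC0.. would be a compression pointer, which is not legal in a question
            raise ValueError("bad label length %d" % n)
        if off + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + n].decode("latin-1"))
        off += n
    if off + 4 > len(msg):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack_from("!HH", msg, off)
    return ".".join(labels) + ".", qtype, qclass, off + 4


def decode_header(msg):
    """Header fields as a dict, for inspecting responses."""
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg, 0)
    return {
        "id": qid,
        "qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
        "tc": bool(flags & FLAG_TC), "rd": bool(flags & FLAG_RD),
        "opcode": (flags & OPCODE_MASK) >> 11, "rcode": flags & RCODE_MASK,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_query(qname, qtype, qid=0x1234, rd=True):
    """Constructed query for the demonstration (not captured traffic)."""
    wire = HEADER.pack(qid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    for label in qname.rstrip(".").split("."):
        if label:
            b = label.encode("ascii")
            wire += bytes([len(b)]) + b
    return wire + b"\x00" + struct.pack("!HH", qtype, 1)


def refuse_any_with_tc(query, over_tcp=False):
    """ANY over UDP: reply TC=1 with only the question section, so a client that
    really wants the data retries over TCP, where the server can still decide
    what to return. Anything else returns None: hand it to the normal lookup path."""
    _qname, qtype, _qclass, qend = parse_question(query)
    if qtype != QTYPE_ANY or over_tcp:
        return None
    qid, qflags = struct.unpack_from("!HH", query, 0)
    # QR, AA and TC set; opcode and RD copied from the query; RCODE NOERROR.
    rflags = FLAG_QR | FLAG_AA | FLAG_TC | (qflags & (OPCODE_MASK | FLAG_RD))
    return HEADER.pack(qid, rflags, 1, 0, 0, 0) + query[HEADER.size:qend]


if __name__ == "__main__":
    reply = refuse_any_with_tc(build_query("example.com.", QTYPE_ANY))
    print(decode_header(reply), parse_question(reply))
```

Nothing here touches the zone data, which is the point of the approach: the front end makes its decision from the question section alone and never has to know how many RRsets sit at the name.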

Re: [DNSOP] Comments regarding the NSEC5

2015-03-16 Thread Jan Včelák
On Thursday, March 12, 2015 12:39:17 PM Florian Weimer wrote: > On 03/12/2015 11:36 AM, Jan Včelák wrote: > >> And does anyone actually use opt out with NSEC3? > > > > Yes, .com for example. My impression was that Opt-Out was the selling > > point of NSEC3, not the domain name hashing. > > Okay.