Re: [DNSOP] dnssec-kskroll-sentinel-06 clarifications

2018-03-19 Thread Mark Andrews
> On 20 Mar 2018, at 3:10 am, Vladimír Čunát wrote: > > On 03/18/2018 09:44 PM, Petr Špaček wrote: >> The current text in section 5 is written with an assumption that query >> with +CD bit cannot result in "Secure" status and thus cannot trigger >> sentinel processing, but this depends on implem

[DNSOP] Fwd: New Version Notification for draft-ietf-dnsop-attrleaf-03.txt

2018-03-19 Thread Dave Crocker
Folks, I'll limit what should be an extensive and elaborate apology to just this: I'm sorry for the year of inactivity. The -03 version should provide some useful substance of progress. I've gone over last summer's comments and the -03 version should reflect what the wg agreed to. Basically

[DNSOP] I-D Action: draft-ietf-dnsop-attrleaf-03.txt

2018-03-19 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF. Title : DNS Scoped Data Through '_Underscore' Naming of Attribute Leaves Author : Dave Crocker

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Dick Franks
On 19 March 2018 at 21:30, Steve Crocker wrote: > I haven't been following the current thread but I have encountered this > topic before and I have thought about the implications for DNSSEC. > > The terminology of "split DNS" -- and equivalently "split horizon DNS" -- > is, in my opinion, a bit l

Re: [DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

2018-03-19 Thread Robert Edmonds
Paul Wouters wrote: > On Mon, 19 Mar 2018, Robert Edmonds wrote: > > > Viktor Dukhovni wrote: > > > The idea is to log the DNSKEY RRs observed at each zone apex. > > > Without the proposed flag, one would also have to log denial of > > > existence which would make the logs much too large. > > > >

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Paul Vixie
Steve Crocker wrote: I haven't been following the current thread but I have encountered this topic before and I have thought about the implications for DNSSEC. The terminology of "split DNS" -- and equivalently "split horizon DNS" -- is, in my opinion, a bit limited. It's not too hard to imag

Re: [DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

2018-03-19 Thread Paul Wouters
On Mon, 19 Mar 2018, Stephane Bortzmeyer wrote: I'm opposed to this idea. Can you clarify whether you oppose being a user of this new flag, or whether you oppose giving others the option of using this flag? While the root and TLD zones are assumed to be almost exclusively delegation-only z

Re: [DNSOP] Status of draft-ietf-dnsop-terminology-bis

2018-03-19 Thread Paul Vixie
Matthew Pounsett wrote: ... I would suggest that only NXDOMAIN and NOERROR+ANCOUNT=0 are negative responses. SERVFAIL, FORMERR, and REFUSED are error responses; you do not know as a result of those responses whether the name/type tuple queried about exists. +1. -- P Vixie

Re: [DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

2018-03-19 Thread Paul Wouters
On Mon, 19 Mar 2018, Robert Edmonds wrote: Viktor Dukhovni wrote: The idea is to log the DNSKEY RRs observed at each zone apex. Without the proposed flag, one would also have to log denial of existence which would make the logs much too large. Can you expand on what you mean by "much too larg

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Steve Crocker
I haven't been following the current thread but I have encountered this topic before and I have thought about the implications for DNSSEC. The terminology of "split DNS" -- and equivalently "split horizon DNS" -- is, in my opinion, a bit limited. It's not too hard to imagine further carve outs.

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Michael Sinatra
On 3/19/18 11:14 AM, Jim Reid wrote: On 19 Mar 2018, at 18:09, Artyom Gavrichenkov wrote: Another issue here is that, for some enterprises at least, there's no single "internal network" anymore. We don't need to enumerate every potential split DNS scenario (or how it's implemented). The o

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Paul Wouters
On Mon, 19 Mar 2018, John Heidemann wrote: +1 on "split-horizon dns" as the term, over "split dns" and some other neologism, on the basis of running code and existing documentation and existing wide use. I and google disagree: "split dns": 72900 hits "split horizon dns": 5640 hits If the d

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread John Heidemann
On Mon, 19 Mar 2018 11:33:12 -0700, Paul Vixie wrote: > > >Ted Lemon wrote: >> On Mar 19, 2018, at 6:10 PM, George Michaelson wrote: >>> "A DNS resolver which looks at the client requesting address, and uses >> >> That's a different thing. There's a distinction betwee

Re: [DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

2018-03-19 Thread Robert Edmonds
Viktor Dukhovni wrote: > The idea is to log the DNSKEY RRs observed at each zone apex. > Without the proposed flag, one would also have to log denial of > existence which would make the logs much too large. Can you expand on what you mean by "much too large"? There are already existing large scale

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread John Kristoff
On Mon, 19 Mar 2018 19:26:42 + "Darcy Kevin (FCA)" wrote: > How about just "disjoint DNS" or "non-synchronized DNS"? Or, to > hijack the Perl motto, TMTOWTRI (There's More Than One Way To Resolve > It :-) Coming up with new names though is less than ideal. The Microsoft community has used s

Re: [DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

2018-03-19 Thread Viktor Dukhovni
On Mon, Mar 19, 2018 at 02:12:38PM -0400, Bob Harold wrote: > > > We have just submitted a draft aimed at increasing the security of > > > the DNSSEC with respect to the power that parental zones have over > > > their children. > > > > I'm opposed to this idea. > > If the parent simply pointed the

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Darcy Kevin (FCA)
The trouble with "split horizon" is that it is a term of inter-network routing of much older and more-established provenance, and thus to use it for DNS can be viewed as a usurpation, and ultimately, confusing. (I know Cricket had the same observation, circa 2000). I occasionally use "schizophr

Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-bootstrap-validator-00.txt

2018-03-19 Thread Matthew Pounsett
On 19 March 2018 at 11:14, Joe Abley wrote: > Dave and I imagine this kind of thinking might be relevant and timely. Tim > and Suz have kindly tolerated my increasingly frantic handwaving on this > subject and have offered me some minutes in the dnsop meeting tomorrow, > where I intend to suggest

Re: [DNSOP] Status of draft-ietf-dnsop-terminology-bis

2018-03-19 Thread Matthew Pounsett
On 19 March 2018 at 08:21, Matthijs Mekking wrote: > I and some others have been using the term 'Negative response' to indicate > that the response does not contain any records in the Answer section. > Current definition seems to imply that this is only the case if the RCODE > is NXDOMAIN, NOERRO

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread George Michaelson
The quality to me, which was there in abstract, is a port-53 bound daemon, which uses the client IP network or /32 to specify how it answers. Server, Resolver, these are distinct classes. I felt split-horizon was the moment of decision logic from "who asked". If anyone has actually bound it to "wh

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Paul Vixie
Ted Lemon wrote: On Mar 19, 2018, at 6:10 PM, George Michaelson wrote: "A DNS resolver which looks at the client requesting address, and uses That's a different thing. There's a distinction between a resolver that gives different answers, and a set of authoritative

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Robert Edmonds
Artyom Gavrichenkov wrote: > On Mon, Mar 19, 2018 at 5:47 PM, Paul Hoffman wrote: > > [..] the basic point is that the > >correspondence between a given FQDN (fully qualified domain name) and a > >given IPv4 address is no longer universal and stable over long periods." > > IP v. being wha

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Ted Lemon
On Mar 19, 2018, at 6:10 PM, George Michaelson wrote: > "A DNS resolver which looks at the client requesting address, and uses That's a different thing. There's a distinction between a resolver that gives different answers, and a set of authoritative servers that give different answers. I be

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Jim Reid
> On 19 Mar 2018, at 18:09, Artyom Gavrichenkov wrote: > > Another issue here is that, for some enterprises at least, there's no > single "internal network" anymore. We don't need to enumerate every potential split DNS scenario (or how it's implemented). The original text says "there are many

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Paul Vixie
Bob Harold wrote: I think the key part is: "different answers depending on the source of the query." In practice this is done by using either different DNS servers (or processes), or multiple "views" in a DNS configuration. (Is "view" in BIND called something else in other software?) bob hal

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Artyom Gavrichenkov
Yeah, a simple example of such an exception is an anycast DNS network which doesn't even look at the source IP address, but just has completely different zones deployed in different points of presence. When a PoP goes down, the same IP address will be directed to another PoP and will start rece

Re: [DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

2018-03-19 Thread Bob Harold
On Mon, Mar 19, 2018 at 12:34 PM, Stephane Bortzmeyer wrote: > On Mon, Mar 19, 2018 at 08:22:03AM -0400, > Paul Wouters wrote > a message of 57 lines which said: > > > We have just submitted a draft aimed at increasing the security of > > the DNSSEC with respect to the power that parental zone

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread George Michaelson
"A DNS resolver which looks at the client requesting address, and uses this to serve different versions of information about a zone based on which client address or prefix requests it." the concept of "side" is rather limited. split DNS can encompass more than two sides can't it? -George On Mon,

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Artyom Gavrichenkov
On Mon, Mar 19, 2018 at 6:05 PM, Bob Harold wrote: > In practice this is done by using either different DNS servers (or > processes), or multiple "views" in a DNS configuration. Another issue here is that, for some enterprises at least, there's no single "internal network" anymore. There are diff

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Bob Harold
On Mon, Mar 19, 2018 at 2:00 PM, Artyom Gavrichenkov wrote: > On Mon, Mar 19, 2018 at 5:47 PM, Paul Hoffman > wrote: > > [..] the basic point is that the > >correspondence between a given FQDN (fully qualified domain name) and > a > >given IPv4 address is no longer universal and stable o

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Artyom Gavrichenkov
On Mon, Mar 19, 2018 at 5:47 PM, Paul Hoffman wrote: > [..] the basic point is that the >correspondence between a given FQDN (fully qualified domain name) and a >given IPv4 address is no longer universal and stable over long periods." IP v. being whatever, 4 or 6, there's a bunch of reaso

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Ted Lemon
On Mar 19, 2018, at 5:47 PM, Paul Hoffman wrote: > Some folks had reservations about the current definition of "split DNS": > "Where a corporate network serves up partly or completely different DNS > inside and outside > its firewall. There are many possible variants on this; the basic point

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Jim Reid
> On 19 Mar 2018, at 17:47, Paul Hoffman wrote: > > Some folks had reservations about the current definition of "split DNS": > "Where a corporate network serves up partly or completely different DNS > inside and outside > its firewall. There are many possible variants on this; the basic po

Re: [DNSOP] Terminology question: split DNS

2018-03-19 Thread Paul Vixie
Paul Hoffman wrote: Some folks had reservations about the current definition of "split DNS": "Where a corporate network serves up partly or completely different DNS inside and outside its firewall. There are many possible variants on this; the basic point is that the correspondence between a gi

[DNSOP] Terminology question: split DNS

2018-03-19 Thread Paul Hoffman
Some folks had reservations about the current definition of "split DNS": "Where a corporate network serves up partly or completely different DNS inside and outside its firewall. There are many possible variants on this; the basic point is that the correspondence between a given FQDN (fu

Re: [DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

2018-03-19 Thread Stephane Bortzmeyer
On Mon, Mar 19, 2018 at 08:22:03AM -0400, Paul Wouters wrote a message of 57 lines which said: > We have just submitted a draft aimed at increasing the security of > the DNSSEC with respect to the power that parental zones have over > their children. I'm opposed to this idea. > While the roo

Re: [DNSOP] I-D Action: draft-ietf-dnsop-kskroll-sentinel-03.txt

2018-03-19 Thread Vladimír Čunát
On 03/06/2018 01:30 AM, Wessels, Duane wrote: > I think its different. The above can tell you whether certain names were > resolvable (maybe even validatable?) but kskroll sentinel tells you that > specific key tags are or are not present in the TA store even if those keys > don't have "active"

Re: [DNSOP] Comments on draft-ietf-dnsop-session-signal-06

2018-03-19 Thread Stuart Cheshire
On 5 Mar 2018, at 14:56, Paul Hoffman wrote: > This draft is much clearer about DSO unacknowledged messages, which really > helps understanding the protocol. Also, thank you for switching from "octet" > to "byte". :-) Thanks for your feedback Paul. > A few other comments: > > In this docum

Re: [DNSOP] dnssec-kskroll-sentinel-06 clarifications

2018-03-19 Thread Vladimír Čunát
On 03/18/2018 09:44 PM, Petr Špaček wrote: > The current text in section 5 is written with an assumption that query > with +CD bit cannot result in "Secure" status and thus cannot trigger > sentinel processing, but this depends on implementation. I just want to note that this situation of answerin

[DNSOP] I-D Action: draft-ietf-dnsop-session-signal-07.txt

2018-03-19 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations WG of the IETF. Title : DNS Stateful Operations Authors : Ray Bellis Stuart Cheshire

Re: [DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-bootstrap-validator-00.txt

2018-03-19 Thread tjw ietf
I will say that I tolerate Joe's hand waving, I can't speak for my co-chair. On Mon, Mar 19, 2018 at 3:14 PM, Joe Abley wrote: > Hi all, > > This draft from 2011 emerged blinking into the sunlight from the grave > where it expired, growling something about KSK rollovers and brains. Dave > and

[DNSOP] Fwd: New Version Notification for draft-jabley-dnsop-bootstrap-validator-00.txt

2018-03-19 Thread Joe Abley
Hi all, This draft from 2011 emerged blinking into the sunlight from the grave where it expired, growling something about KSK rollovers and brains. Dave and I promptly wrestled it to the ground and locked it in the datatracker where we can safely poke sticks at it through the reinforced metal b

[DNSOP] New Version Notification for draft-pwouters-powerbind-00.txt (fwd)

2018-03-19 Thread Paul Wouters
We have just submitted a draft aimed at increasing the security of the DNSSEC with respect to the power that parental zones have over their children. The aim of this draft is twofold: 1) Allow zones to publicly commit to being delegation_only zones. The aim here is to counter the argument that

Re: [DNSOP] Status of draft-ietf-dnsop-terminology-bis

2018-03-19 Thread Matthijs Mekking
Hi, While I was not waiting for WG last call, it has been a while since I read this draft. The positive is that I read it without it leading to a lot of confusion or outrage. I have some small comments though. Negative response: I and some others have been using the term 'Negative response