Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-12 Thread Florian Weimer
* Olafur Gudmundsson: > Title: Standard way for Authoritative DNS servers to refuse ANY NOTIMP doesn't do that, it tells resolvers to query another name server for the zone. The authoritative server part of this proposal increases the number of upstream ANY queries instead of reducing th

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-08 Thread Paul Vixie
Tony Finch wrote: > > On 6 Mar 2015, at 22:53, Paul Vixie wrote: > if you want to change how DNSSEC works, i'll listen. ... >>> ... implementing RRSIG >>> is as hard as implementing ANY with regard to the aspect that you have >>> to use/look for more than one query type, which is different

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-07 Thread Mark Andrews
Personally RRSIG is worse for an implementer than ANY. I remember a time when there was a hope that you could do DNSSEC through a non-DNSSEC-aware server. RRSIG queries come from such a time. I would be happy to ban RRSIG queries. That said banning RRSIG or ANY queries won't help with amplifica

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-07 Thread Tony Finch
Another thought: responses to RRSIG queries cannot be validated. I hope resolvers don't cache them, or at least treat them with great suspicion. Tony. -- f.anthony.n.finch http://dotat.at > On 7 Mar 2015, at 21:19, Tony Finch wrote: > > >> On 7 Mar 2015, at 21:04, Tony Finch wrote: >> >

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-07 Thread Tony Finch
> On 7 Mar 2015, at 21:04, Tony Finch wrote: > > I think Ralf is right that QTYPE=RRSIG is weird just like ANY, in that it is > asking for (part of) all? any? RRsets at a given owner name. I wonder how > caches handle it... OK, that's fun, a test demonstrated that BIND treats RRSIG queries li

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-07 Thread Tony Finch
> On 6 Mar 2015, at 22:53, Paul Vixie wrote: > >>> if you want to change how DNSSEC works, i'll listen. but there's no >>> reasonable interpretation of past or current specifications by which >>> QTYPE=RRSIG can be categorized a "meta-query". (unlike >>> QTYPE=ANY/IXFR/AXFR, or RD=0 when speaki

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-06 Thread Ralf Weber
Moin! On Fri, Mar 06, 2015 at 02:53:34PM -0800, Paul Vixie wrote: > > i'd appreciate not having to argue about whether the term "ACL" is one > of art or one of practice. let's talk about what we're trying to > accomplish in terms of protocol revision, rather than talking about what > specific appl

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-06 Thread Paul Vixie
> Ralf Weber > Friday, March 06, 2015 2:33 PM > Moin! > > On Fri, Mar 06, 2015 at 01:51:53PM -0800, Paul Vixie wrote: >> that's a big "if". here's another: if your diagnostic tools can use some >> method other than "dig" to do your debugging for you, then, again, you >> do

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-06 Thread Ralf Weber
Moin! On Fri, Mar 06, 2015 at 01:51:53PM -0800, Paul Vixie wrote: > that's a big "if". here's another: if your diagnostic tools can use some > method other than "dig" to do your debugging for you, then, again, you > don't need ANY. those are two very big "if"'s. I can answer them with yes, so I th

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-06 Thread Paul Vixie
> Ralf Weber > Friday, March 06, 2015 1:38 PM > Moin! > > On Fri, Mar 06, 2015 at 11:14:21AM -0800, Paul Vixie wrote: >>> Also why have >>> you limited this to authoritative servers? >> this raises the point: ANY deserves its own access control list, or >> other non-BI

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-06 Thread Ralf Weber
Moin! On Fri, Mar 06, 2015 at 11:14:21AM -0800, Paul Vixie wrote: > > Also why have > > you limited this to authoritative servers? > > this raises the point: ANY deserves its own access control list, or > other non-BIND equivalent. because ANY is useful for diagnostics, local > sysadmins ough

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-06 Thread Paul Vixie
> Ralf Weber > Friday, March 06, 2015 10:24 AM > Moin! > I do support this. me too. > But it will not stop reflection attacks. very strong +1. such language must not be present in any form. > Also why have > you limited this to authoritative servers? this raises t

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-06 Thread Tony Finch
Ralf Weber wrote: > I do support this. But it will not stop reflection attacks. Also why have > you limited this to authoritative servers? Yes, to all these points. Since most of the confusing behaviour of ANY occurs on recursive servers it would make sense to deprecate it there as well. BTW,

Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-06 Thread Ralf Weber
Moin! On Fri, Mar 06, 2015 at 12:33:52PM -0500, Olafur Gudmundsson wrote: > A new version of I-D, draft-ogud-dnsop-any-notimp-00.txt > has been successfully submitted by Olafur Gudmundsson and posted to the > IETF repository. > > Name: draft-ogud-dnsop-any-notimp > Revision: 00 >

[DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-06 Thread Olafur Gudmundsson
As promised Olafur -- Forwarded message -- From: Date: Fri, Mar 6, 2015 at 12:27 PM Subject: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt To: Olafur Gudmundsson , Marek Majkowski < ma...@cloudflare.com> A new version of I-D, draft-ogud-dnsop-any-notimp-00.tx