In message
, Ólafur Guðmundsson writes:
>
> On Sun, Oct 4, 2015 at 7:32 AM, Dave Lawrence wrote:
>
> > A couple of quick observations:
> >
> > * The draft says that the answer in a signed zone MAY be unsigned.
> > Since this will ultimately cause a SERVFAIL for validati
On Sun, Oct 4, 2015 at 7:32 AM, Dave Lawrence wrote:
> A couple of quick observations:
>
> * The draft says that the answer in a signed zone MAY be unsigned.
> Since this will ultimately cause a SERVFAIL for validating
> resolvers, it is not really acceptable.
>
You and Evan,
are right we w
A couple of quick observations:
* The draft says that the answer in a signed zone MAY be unsigned.
Since this will ultimately cause a SERVFAIL for validating
resolvers, it is not really acceptable.
* The draft does not describe at all what the proper behaviour is for
an owner name that has
On Thu, Oct 01, 2015 at 09:02:09AM -0700, Ólafur Guðmundsson wrote:
> Only validating resolver will send follow up query,
Correct, but it would send them to every name server until it
got a non-bogus reply. This is unnecessary collateral damage.
> Here is the deal there are 3 sources of ANY queri
On Wed, Sep 30, 2015 at 10:08 PM, Evan Hunt wrote:
> On Wed, Sep 30, 2015 at 11:28:45PM -0400, Joe Abley wrote:
> > 1. Return an unsigned response. This will be marked as bogus, and
> > trigger a QTYPE=HINFO re-query that will either return an actual signed
> > HINFO from the zone or a signed pro
Shane Kerr wrote:
>
>
> In the case where people just want to reduce the damage of ANY queries
> in reflection attacks, I quite like the PowerDNS option of forcing ANY
> queries to TCP via truncation. I'm not sure if this has been documented
> in any RFC, but if not then perhaps it bears mentioni
On 2015-10-01 12:13+0100
Dick Franks wrote:
> Dick Franks
>
>
>
> On 1 October 2015 at 11:12, Shane Kerr wrote:
>
> >
> > In the case where people just want to reduce the damage of ANY queries
> > in reflection attacks, I quite like the PowerDNS option of forcing ANY
Dick Franks
On 1 October 2015 at 11:12, Shane Kerr wrote:
>
> In the case where people just want to reduce the damage of ANY queries
> in reflection attacks, I quite like the PowerDNS option of forcing ANY
> queries to TCP via truncation. I'm not sure if this has been d
Joe and all,
On 2015-10-01 02:25-0400
"Joe Abley" wrote:
> On 1 Oct 2015, at 1:08, Evan Hunt wrote:
>
> > The disadvantages of pick-one-RRset that I can see are 1) more
> > information leaked (but nothing that couldn't be obtained by sending
> > queries for individual qtypes anyway), and 2) mod
On 1 Oct 2015, at 1:08, Evan Hunt wrote:
The disadvantages of pick-one-RRset that I can see are 1) more
information leaked (but nothing that couldn't be obtained by sending
queries for individual qtypes anyway), and 2) modestly larger response
size (but still a lot better than unminimized ANY
On Wed, Sep 30, 2015 at 11:28:45PM -0400, Joe Abley wrote:
> 1. Return an unsigned response. This will be marked as bogus, and
> trigger a QTYPE=HINFO re-query that will either return an actual signed
> HINFO from the zone or a signed proof of non-existence. We think. I
> haven't actually tested
On 30 Sep 2015, at 22:58, Evan Hunt wrote:
The new proposal to return an empty HINFO record has the advantage of
a smaller response, but will be inconvenient for DNSSEC-signed zones,
unless the server has access to the signing key and can generate a
covering RRSIG. This should be mentioned in