Re: [DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-any-notimp-00.txt

2015-03-08 Thread Paul Vixie
Tony Finch wrote: > > On 6 Mar 2015, at 22:53, Paul Vixie wrote: > if you want to change how DNSSEC works, i'll listen. ... >>> ... implementing RRSIG >>> is as hard as implementing ANY with regard to the aspect that you have >>> to use/look for more than one query type, which is different

[DNSOP] Definition of "validating resolver"

2015-03-08 Thread Paul Hoffman
Greetings again. Paul Wouters noticed an inconsistency in the terminology draft, and upon investigation, I believe it is a problem (hopefully fixable) with the definitions in RFC 4033. RFC 4033 and 4035 use the term "validating resolver" in a few places. However, RFC 4033 never defines that. RFC

Re: [DNSOP] Definition of "validating resolver"

2015-03-08 Thread Paul Wouters
On Sun, 8 Mar 2015, Paul Hoffman wrote: My personal interpretation is that "validating resolver" is a synonym for "security-aware resolver". Do others agree? If not, how would you differentiate them? I agree :) Two other issues I noticed when trying to rewrite my draft to stick to terms in t

[DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Brian Dickson
Hey, everyone, Given the diagnostic value of "any" (and similarly "RRSIG" et al), I would prefer deprecation of only the UDP version, via mechanisms that are "dig"-friendly. E.g. return TC=1 (and minimal response) instead, to trigger TCP retry. It throws out the bath water, but keeps the baby.

Re: [DNSOP] Definition of "validating resolver"

2015-03-08 Thread Ralf Weber
Moin! On Sun, Mar 08, 2015 at 12:21:49PM -0700, Paul Hoffman wrote: > Greetings again. Paul Wouters noticed an inconsistency in the terminology > draft, and upon investigation, I believe it is a problem (hopefully > fixable) with the definitions in RFC 4033. RFC 4033 and 4035 use the term > "vali

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Ralf Weber
Moin! On Sun, Mar 08, 2015 at 02:55:37PM -0700, Brian Dickson wrote: > Hey, everyone, > > Given the diagnostic value of "any" (and similarly "RRSIG" et al), I would > prefer deprecation of only the UDP version, via mechanisms that are > "dig"-friendly. I still fail to see the diagnostic value of

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Vixie
> Brian Dickson > Sunday, March 08, 2015 2:55 PM > Hey, everyone, > > Given the diagnostic value of "any" (and similarly "RRSIG" et al), I > would prefer deprecation of only the UDP version, via mechanisms that > are "dig"-friendly. alas, in a post-snowden

Re: [DNSOP] "DNS resolver should not use 'ANY' to get cached records for TTL" (bugzilla)

2015-03-08 Thread Terry Manderson
Good folk, On 8/03/2015 4:15 am, "Olafur Gudmundsson" wrote: >Paul, >Marek and I agree with you to expand the scope to include all meta types >at Authoritative servers. >And address your other points as well, thanks for the support. >Olafur I've been vacillating(*) on this more than I prob

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Wouters
On Sun, 8 Mar 2015, Brian Dickson wrote: Given the diagnostic value of "any" (and similarly "RRSIG" et al), I would prefer deprecation of only the UDP version, via mechanisms that are "dig"-friendly. A better description would be to require "source IP verification", so that eastlake-cookies a

Re: [DNSOP] More work for DNSOP :-)

2015-03-08 Thread Olafur Gudmundsson
There is a new version in the works, expect it late tomorrow (Monday). It does not outlaw ANY per se, just says limit it to trusted parties. I try to define that a resolver treats NOTIMP as a long-term signal that the resolver should keep track of and not retry. It says ignore RD=1 on meta queries.

Re: [DNSOP] More work for DNSOP :-)

2015-03-08 Thread Paul Hoffman
On Mar 8, 2015, at 6:23 PM, Olafur Gudmundsson wrote: > There is a new version in the works, expect it late tomorrow (Monday) > > It does not outlaw ANY per se, just says limit it to trusted parties. > I try to define that a resolver treats NOTIMP as a long-term signal that > the resolver should ke

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Vixie
Paul Wouters wrote: > On Sun, 8 Mar 2015, Brian Dickson wrote: > >> Given the diagnostic value of "any" (and similarly "RRSIG" et al), I >> would prefer deprecation of only the UDP version, via mechanisms >> that are "dig"-friendly. > > A better description would be to require "source IP verifica

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Wouters
On Sun, 8 Mar 2015, Paul Vixie wrote: again, the next revision of olafur's document will remove all mention of amplification/reflection. that meme is dead. So why are we proposing to ACL the ANY queries again? If you put ANY queries under an ACL, it means you are limiting the ANY query diagn

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-08 Thread Paul Vixie
> Paul Wouters > Sunday, March 08, 2015 9:03 PM > On Sun, 8 Mar 2015, Paul Vixie wrote: > > > So why are we proposing to ACL the ANY queries again? because people like me with dig-based diagnostic tools want to be able to run ANY queries against our own servers, from our