Jiankang Yao,
I think a simpler approach that works in general is the "HAMMER"
approach proposed by Warren Kumari, Roy Arends, and Suzanne Woolf a
couple of years ago:
https://tools.ietf.org/html/draft-wkumari-dnsop-hammer
Basically the idea is that if a query is made for a RRSET that is near
ex
All,
On Mon, 28 Sep 2015 16:53:25 +0100
Andras Salamon wrote:
> On Mon, Sep 28, 2015 at 07:59:00AM -0400, Joe Abley wrote:
> >This document describes existing practice, and provides guidance for
> >people who need to bootstrap a validator using the mechanisms provided
> >by ICANN back in 2009/
Paul(s) & all,
tl;dr a checksum adds some small benefit for a moderate cost... worth
it?
On Mon, 28 Sep 2015 10:21:54 -0700
Paul Vixie wrote:
> Paul Hoffman wrote:
> > Paul's "no" (which I agree with) shows what might be a fatal flaw in
> > draft-muks-dnsop-dns-message-checksums: an attac
Hi Shane
On Tue, Sep 29, 2015 at 12:02:19PM +, Shane Kerr wrote:
> If a checksum is added it will probably show up in the final fragment.
> An attacker now needs to ensure that the final fragment shows up before
> the final fragment from the real authority server. This is not too
> difficult,
On 23 September 2015 at 21:40, Dave Lawrence wrote:
> Ted Lemon writes:
>> It would be helpful if the authors could explain why the REFUSED
>> response is being used here.
>
> Not to be glib, but because that's what Wilmer originally specified.
> That's thus what got implemented by the existing im
On 29 Sep 2015, at 2:20, Shane Kerr wrote:
Jiankang Yao,
I think a simpler approach that works in general is the "HAMMER"
approach proposed by Warren Kumari, Roy Arends, and Suzanne Woolf a
couple of years ago:
https://tools.ietf.org/html/draft-wkumari-dnsop-hammer
A huge +1 to this. The pro
Joe Abley wrote:
>
> +---+---+-+
> | Value | Type | Status, Remarks |
> +---+---+-+
> | 0 | EMPTY | Empty digest|
> | 1 | SHA-1 | Mandato
Hi Jiankang,
What reason do you have to think that response latency from root servers
has any measurable impact on end-user experience?
Queries to root servers from individual clients are sent very
infrequently, in my experience; the TTLs are not short. The probability
that any client of a r
On Sep 29, 2015, at 2:53 AM, Shane Kerr wrote:
>> On Mon, Sep 28, 2015 at 07:59:00AM -0400, Joe Abley wrote:
>>> This document describes existing practice, and provides guidance for
>>> people who need to bootstrap a validator using the mechanisms provided
>>> by ICANN back in 2009/2010 when the r
David Dagon writes:
> I have some concerns, which I describe below. [...]
David,
Thank you very much for your thoughtful comments. Broadly speaking, I
very much agree with the bulk of them. Yet my current reaction is not
to make any more alterations to the existing document. It describes
the d
On 26 Sep 2015, at 2:55, Terry Manderson wrote:
Thank you for writing this document and describing how it is done and
also the risks of doing this, and most importantly why it should not be
done on a whim or by default.
I concur that this is not a new idea. In fact I implemented a similar
th
On 28 Sep 2015, at 6:53, Benoit Claise wrote:
--
COMMENT:
--
Malicious third
parties might be able to observe that traffic on the network between
the recurs
From: Joe Abley
Date: 2015-09-29 23:00
To: yaojk
CC: dnsop
Subject: Re: [DNSOP] New Version Notification for
draft-yao-dnsop-root-cache-00.txt
>Hi Jiankang,
>What reason do you have to think that response latency from root servers
>has any measurable impact on end-user experience?
>
I think
Hi Joe
Thank you for this review. See comments below:
On Mon, Sep 28, 2015 at 07:53:10PM -0400, Joe Abley wrote:
>
>
> On 28 Sep 2015, at 11:51, Mukund Sivaraman wrote:
>
> > o draft-muks-dnsop-dns-message-checksums-00
> >Initial draft (renamed version). Removed the NONCE-COPY field as
>
14 matches