Re: [DNSOP] Last Call: (DNS query name minimisation to improve privacy) to Experimental RFC

2015-11-13 Thread Stephane Bortzmeyer
On Wed, Nov 11, 2015 at 12:32:55PM +0100, Maarten Wullink wrote a message of 63 lines which said: > I just read your draft about qname minimisation again and I > discovered that besides limiting the number of labels the resolver > is sending to the authoritative it also proposes to replace the

[DNSOP] simple question

2015-11-13 Thread A. Schulze
Hello, consider a nameserver ns.example.com serving example.com. There is a delegation from com. including glue. Now we add a childzone sub.example.com. served by the same nameserver ns.example.com. should I add an entry in example.com to delegate the subzone to myself? Thanks for opinions! An

Re: [DNSOP] simple question

2015-11-13 Thread Ray Bellis
On 13/11/2015 16:55, A. Schulze wrote: > should I add an entry in example.com to delegate the subzone to myself? Yes, you should. Ray ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] simple question

2015-11-13 Thread Havard Eidnes
> consider a nameserver ns.example.com serving example.com. There is a > delegation from com. including glue. > Now we add a childzone sub.example.com. served by the same nameserver > ns.example.com. > > should I add an entry in example.com to delegate the subzone to myself? Generally, yes, althoug

Re: [DNSOP] simple question

2015-11-13 Thread Joe Abley
On 13 Nov 2015, at 12:06, Havard Eidnes wrote: consider a nameserver ns.example.com serving example.com. There is a delegation from com. including glue. Now we add a childzone sub.example.com. served by the same nameserver ns.example.com. should I add an entry in example.com to delegate the su

[DNSOP] Registry of non-service _prefix names?

2015-11-13 Thread John Levine
Over in the dbound working group we have some proposals that would use yet another underscore prefixed name to avoid name collisions. (It's not a substitute for a new RRTYPE; they need the prefix whether the data is TXT or a new type.) In the mail world we have _domainkey and _dmarc and likely o

Re: [DNSOP] Registry of non-service _prefix names?

2015-11-13 Thread Darcy Kevin (FCA)
Seems there's some hair-splitting here over the definition of the word "service". While RFC 6335 assumes, more than it defines, what a "service" encompasses, it offers the following "functional" definition of the kind of things which need and use "service name"s: Service names are the unique k

Re: [DNSOP] Registry of non-service _prefix names?

2015-11-13 Thread Patrik Fältström
On 13 Nov 2015, at 19:00, John Levine wrote: > It's not a substitute for a > new RRTYPE; they need the prefix whether the data is TXT or a new type. Clarification, my English is not good enough... What you mean is that they believe they do need the prefix regardless of what RRType they will use

Re: [DNSOP] [internet-dra...@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

2015-11-13 Thread Stephane Bortzmeyer
On Wed, Nov 11, 2015 at 01:15:37AM +, Wessels, Duane wrote a message of 107 lines which said: > This updates RFC 2308 (Negative Caching of DNS Queries). This would > seem to be the key text from 2308 to update: Yes, good catch, added to the online copy

Re: [DNSOP] [internet-dra...@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

2015-11-13 Thread Stephane Bortzmeyer
On Thu, Nov 12, 2015 at 09:54:42AM -0800, Paul Hoffman wrote a message of 43 lines which said: > If the NXDOMAIN response is not signed, it allows an attacker to > block resolution of a name that was good, yes? I do not see why it's new: without DNSSEC, a resolver can be poisoned, "NXDOMAIN c

[DNSOP] Using the SOA in a NXDOMAIN response (Was: [internet-dra...@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

2015-11-13 Thread Stephane Bortzmeyer
On Thu, Nov 12, 2015 at 06:13:04PM +, Wessels, Duane wrote a message of 57 lines which said: > As Mark pointed out, we can't use the SOA to make NXDOMAIN more aggressive. > > For a name like foo.bar.example.com and an NXDOMAIN response from > example.com we can't assume that there would b

Re: [DNSOP] [internet-dra...@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

2015-11-13 Thread Stephane Bortzmeyer
On Thu, Nov 12, 2015 at 06:13:04PM +, Wessels, Duane wrote a message of 57 lines which said: > Perhaps a recursive might be designed to negatively cache an entire > zone (including TLD) but continue answering positively cached > answers in the zone until they expire normally. Clever algor

Re: [DNSOP] Registry of non-service _prefix names?

2015-11-13 Thread John R Levine
What you mean is that they believe they do need the prefix regardless of what RRType they will use, including TXT? Yes, the prefix is part of the design. See draft-levine-orgboundary-03 R's, John

Re: [DNSOP] Registry of non-service _prefix names?

2015-11-13 Thread John Levine
>why not just go ahead and register the names through >http://www.iana.org/form/ports-services? Don't be intimidated by all >of the references on the application form If people think that's OK, I'll send in registrations for _domainkey and all. R's, John

Re: [DNSOP] Using the SOA in a NXDOMAIN response (Was: [internet-dra...@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

2015-11-13 Thread John Levine
>It can mean only one thing, that bar.example does not exist. How could >it be different? My name server (running NSD) appears to disagree with you. This is real data, feel free to poke at it yourself. $ dig @sdn.iecc.com bogus.www.examp1e.com a ; <<>> DiG 9.8.3-P1 <<>> @sdn.iecc.com bogus.www

Re: [DNSOP] simple question

2015-11-13 Thread A. Schulze
On 13.11.2015 at 18:50, Joe Abley wrote: As you say, best to install the delegation set in the parent zone even if the choice of nameservers for the parent and child means it will be obscured. thanks for the advice Andreas

Re: [DNSOP] Using the SOA in a NXDOMAIN response (Was: [internet-dra...@ietf.org: I-D Action: draft-bortzmeyer-dnsop-nxdomain-cut-00.txt]

2015-11-13 Thread Wessels, Duane
> On Nov 13, 2015, at 11:50 AM, Stephane Bortzmeyer wrote: > > On Thu, Nov 12, 2015 at 06:13:04PM +, > Wessels, Duane wrote > a message of 57 lines which said: > >> As Mark pointed out, we can't use the SOA to make NXDOMAIN more aggressive. >> >> For a name like foo.bar.example.com and a

Re: [DNSOP] Registry of non-service _prefix names?

2015-11-13 Thread Ray Bellis
On 13/11/2015 18:00, John Levine wrote: Over in the dbound working group we have some proposals that would use yet another underscore prefixed name to avoid name collisions. (It's not a substitute for a new RRTYPE; they need the prefix whether the data is TXT or a new type.) In the mail worl