On Mon, Jul 31, 2023 at 11:58 AM Edward Lewis
<edward.le...@icann.org> wrote:
>You've probably stumbled across Cloudflare's differential behavior for DO=0 vs
>DO=1 queries. With non-DNSSEC queries it provides a vanilla, unsigned
>NXDOMAIN response. With DNSSEC enabled queries, it provides t
>Compact DoE, and RFC4470 already appear to violate it for ENT responses. And
>it was (arguably) already violated by
>pre-computed NSEC3 (5155), where an empty non-terminal name (or rather the
>hash of it) does solely own an
>NSEC3 record.
NSEC3 is different. Because NSEC3 hashes the labels int
Hi DNSOP,
draft-ietf-dnsop-compact-denial-of-existence currently says the following about
RFC 4470:
The response for a non-existent name requires up to 2 signed NSEC
records or up to 3 signed NSEC3 records (and for online signers, the
associated cryptographic computation), to prove that
On Tue, 8 Aug 2023, Ben Schwartz wrote:
If this is correct, then I'm not sure the complexity of solving the ENT problem
is worthwhile.
At $dayjob, I had to add bogus TXT records to our zones because of ENT
issues with Amazon Route53, which Amazon knows about and has refused to
fix for years.
On Tue, Aug 8, 2023 at 9:21 AM Edward Lewis wrote:
> >Compact DoE, and RFC4470 already appear to violate it for ENT responses.
> And it was (arguably) already violated by
>
> >pre-computed NSEC3 (5155), where an empty non-terminal name (or rather
> the hash of it) does solely own an
>
> >NSEC3 re
On Wed, Jul 26, 2023 at 11:05 PM Edward Lewis
wrote:
> [...]
> In some sense, this proposal is establishing a (set of) wildcard(s)
> (source[s] of synthesis) that owns just an NSEC record when it applies to
> otherwise NXDOMAIN responses. Mulling this over, it becomes apparent that
> the next na
On Tue, Aug 8, 2023 at 10:45 AM Ben Schwartz wrote:
> Hi DNSOP,
>
> draft-ietf-dnsop-compact-denial-of-existence currently says the following
> about RFC 4470:
>
>The response for a non-existent name requires up to 2 signed NSEC
>records or up to 3 signed NSEC3 records (and for online sig
On Tue, Aug 8, 2023 at 11:50 AM Paul Wouters wrote:
> On Tue, 8 Aug 2023, Ben Schwartz wrote:
>
> > If this is correct, then I'm not sure the complexity of solving the ENT
> problem is worthwhile.
>
I'm not sure which "ENT" problem Ben is referring to solving here. The draft
proposes ways to pre
On Tue, Aug 8, 2023 at 9:13 AM Edward Lewis wrote:
> On Mon, Jul 31, 2023 at 11:58 AM Edward Lewis
> wrote:
>
> >You've probably stumbled across Cloudflare's differential behavior for
> DO=0 vs
>
> >DO=1 queries. With non-DNSSEC queries it provides a vanilla, unsigned
>
> >NXDOMAIN response. Wit
see inline.
Shumon Huque wrote on 2023-08-08 12:13:
At any rate, as I've remarked before, I'm not convinced that the
optimizations offered in Compact DoE were actually necessary as an
operational matter. But I'll leave it to our colleagues at Cloudflare to
argue that case. My interest in publi