Moin!

On Fri, Mar 06, 2015 at 01:51:53PM -0800, Paul Vixie wrote:
> that's a big "if". here's another: if your diagnostic tools can use some
> method other than "dig" to do your debugging for you, then, again, you
> don't need ANY. those are two very big "if"'s.

I can answer them with yes, so I think I'm good. I do need dig for lots of stuff, but not to find out what records at a given node my resolver has.

> > I would like to see it deprecated to
> > the level that no one relies on the query being answered with a record.
>
> me too. that's why i'm saying, ACL, default "nobody".

ACL is something application specific. There may be applications that want to have a default behavior, thus we should not put ACL in the draft. The only thing to define in the draft is what a requester can expect when issuing an ANY query.

> > So even the resolver can answer with NOTIMP.
>
> any RCODE other than 0 or 3 will cause spectacularly bad storms. i
> prefer RCODE=0/ANCOUNT=0 to refuse "ANY".

That would look confusing to me, as it looks like a valid answer. NOTIMP looks clearer to me. What do you think this will cause, given that we want to get people off of it?

> i heard several people enumerate the TCP initiators they could think of,
> when arguing about whether to change the client's behaviour to
> "keepopen". as i said there-- our ability to enumerate means precisely
> nothing: if someone somewhere coded a reasonable expectation based on
> RFC text and tested to work, then we have to act as if there are an
> unknown, and treat as unknowable, but real and relevant set of users of
> that encoding.

I really could not parse or understand this. After reading it a couple of times I think that I say: there is no reason to use RRSIG queries in a validator, and you say: it is not forbidden to use RRSIG queries in a validator. Both are true. We can't stop people from doing unreasonable things.

> if you want to change how DNSSEC works, i'll listen. but there's no
> reasonable interpretation of past or current specifications by which
> QTYPE=RRSIG can be categorized a "meta-query". (unlike
> QTYPE=ANY/IXFR/AXFR, or RD=0 when speaking to a recursive-only server.)

I never said that RRSIG is a meta query. I said that implementing RRSIG is as hard as implementing ANY with regard to the aspect that you have to use/look for more than one query type, which is different from all other query types.

> you could multiply all those numbers by six trillion, and they would
> still not be relevant to the standard of care by which the DNS
> specification must evolve.

Yeah, I noticed over the years that people were very concerned about even minor changes. Yet when I look at all the things that implementations of DNS servers did that were against the specs and others had to work around, maybe sometimes a disruptive change is good. One of the points of the numbers was to show that so far people have been reasonable about RRSIG.

So long
-Ralf

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
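Added example (not part of the thread, and not code from either participant): a minimal wire-level DNS responder that shows the two refusal styles discussed above side by side. A QTYPE=ANY query is answered either with RCODE=0/ANCOUNT=0 (the "looks like a valid answer" form Vixie prefers) or with RCODE=NOTIMP (4) (the form Ralf finds clearer), while an ordinary A query is still answered from a constructed toy zone. The zone contents, the policy names `"empty"`/`"notimp"` and the 192.0.2.1 address (TEST-NET-1) are assumptions made for the example; the message layout follows RFC 1035, with names left uncompressed in the question section.

```python
"""Build DNS queries and responses as bytes to compare two ways of refusing QTYPE=ANY."""
import struct

# Wire constants from RFC 1035 (NOTIMP is RCODE 4).
QTYPE_A = 1
QTYPE_AAAA = 28
QTYPE_ANY = 255
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
RCODE_NOTIMP = 4

# Constructed sample zone for the example (not real data): one A record.
ZONE = {
    ("example.com.", QTYPE_A): [bytes([192, 0, 2, 1])],  # 192.0.2.1, TEST-NET-1
}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name at msg[off]; return (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def build_query(qid: int, name: str, qtype: int, rd: bool = True) -> bytes:
    """Build a one-question query message (header + question section)."""
    flags = 0x0100 if rd else 0x0000  # RD bit
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Pull the fields a client looks at first out of the 12-byte header."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1,
            "rcode": flags & 0x0F, "qdcount": qd, "ancount": an}


def parse_question(msg: bytes):
    """Return (qname, qtype, qclass, offset after the question section)."""
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return name, qtype, qclass, off + 4


def respond(query: bytes, any_policy: str = "empty") -> bytes:
    """Answer a query from ZONE. any_policy (assumed name) picks how ANY is refused:
    'empty'  -> RCODE=0 with ANCOUNT=0
    'notimp' -> RCODE=4 (NOTIMP)
    Non-ANY queries get normal NOERROR / NODATA / NXDOMAIN handling.
    """
    hdr = parse_header(query)
    name, qtype, qclass, qend = parse_question(query)
    question = query[12:qend]  # echoed verbatim into the response
    rcode, answers, ancount = RCODE_NOERROR, b"", 0

    if qtype == QTYPE_ANY:
        if any_policy == "notimp":
            rcode = RCODE_NOTIMP
        # 'empty': keep RCODE 0 and send no answer records
    else:
        rdatas = ZONE.get((name, qtype))
        if rdatas is not None:
            for rdata in rdatas:
                # 0xC00C is a compression pointer to the owner name at offset 12.
                answers += (b"\xc0\x0c"
                            + struct.pack("!HHIH", qtype, QCLASS_IN, 300, len(rdata))
                            + rdata)
                ancount += 1
        elif not any(n == name for n, _ in ZONE):
            rcode = RCODE_NXDOMAIN  # the name does not exist at all
        # name exists but has no RRset of this type: NOERROR, ANCOUNT=0 (NODATA)

    flags = 0x8000 | 0x0400 | (hdr["rd"] << 8) | rcode  # QR, AA, copied RD, RCODE
    header = struct.pack("!HHHHHH", hdr["id"], flags, 1, ancount, 0, 0)
    return header + question + answers


def summarize(response: bytes):
    """Return (rcode, ancount), which is all a client sees when ANY is refused."""
    h = parse_header(response)
    return h["rcode"], h["ancount"]


if __name__ == "__main__":
    q_any = build_query(1, "example.com.", QTYPE_ANY)
    print("ANY, empty :", summarize(respond(q_any, "empty")))
    print("ANY, notimp:", summarize(respond(q_any, "notimp")))
    print("A          :", summarize(respond(build_query(2, "example.com.", QTYPE_A))))
    print("AAAA       :", summarize(respond(build_query(3, "example.com.", QTYPE_AAAA))))
```

Note that from the client's point of view the "empty" refusal is byte-for-byte indistinguishable from a legitimate NODATA response (the AAAA case above), which is exactly the ambiguity Ralf objects to; the NOTIMP form is unambiguous but is an RCODE outside the 0/3 set Vixie warns about.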