Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread John Levine
>And isn't there some danger that this "parallel" root becomes an >attractive target for those who want things to be different than >what's in the "official" root? That is, in effect, isn't this a plain >old alternative root? I would assume the plan is that the clients use DNSSEC to validate the

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread John Levine
>And if I used a generation method for v6 that exactly matched v4, I'd >just get caught in exactly the same filters, right? No. There are a zillion formats for generic v4 rDNS names. Most of them embed some version of four octets of the IP address, so for v6 it would of necessity be different.

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread sthaug
> vixie> Indeed not. We currently have to maintain a large and complex > vixie> distributed registry of ipv4 ptr patterns which are meaningless > vixie> and must therefore be filtered out before making policy decisions > vixie> about the presence/absence and match/doesn't of a ptr record and > vixi

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread Paul Ebersman
sthaug> If you assume that IPv6 mail servers have static PTRs, there is sthaug> zero added value (and a bit of work) in creating/synthesizing sthaug> IPv6 PTRs for residential customers. Much better to simply not sthaug> do it in the first place. I'm in agreement that "legitimate", well run mail

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread Paul Ebersman
ebersman> It's a nice thought. But considering how little we've ebersman> converged on SLAAC vs DHCPv6, random assignment vs eui-64 vs ebersman> static for host ID, RFC 6106 vs DHCPv6 DNS, etc. (and I won't ebersman> even start on how many IPv6 transition techs there are), any ebersman> consensus

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Nicholas Weaver
> On Nov 10, 2014, at 12:13 AM, John Levine wrote: > >> And isn't there some danger that this "parallel" root becomes an >> attractive target for those who want things to be different than >> what's in the "official" root? That is, in effect, isn't this a plain >> old alternative root? > > I w

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Tony Finch
Nicholas Weaver wrote: > > This happens in China (on CERNET I believe): there are a set of root > mirrors that hijack most (but not all) of the root IPs. As far as we > can tell, the servers are legitimate, returning the proper responses, > except that the mirror servers don't support DNSSEC. Th

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread Ted Lemon
On Nov 9, 2014, at 11:31 PM, Paul Ebersman wrote: > My concern is random folks who currently accept any v4 PTR regardless of > format (but caring if there is no PTR at all) will do something equally > bad in v6. i.e. NYT web content and similar pointless cruft. Putting in > an auto-gen'ed v6 PTR w

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread Ted Lemon
On Nov 9, 2014, at 11:57 PM, Paul Ebersman wrote: Sorry, I replied to a message prior to your reply to me, and so I sort of answered these points, but just to clarify: > - service providers who want a way to avoid breaking things for >customers while not being operationally complicated/ins

Re: [DNSOP] A Preliminary Test for Loopback Server

2014-11-10 Thread Evan Hunt
On Mon, Nov 10, 2014 at 07:03:40PM +0800, Davey Song wrote: > There is a test we have done to implement and verify the idea of Loopback > server according to the draft (draft-wkumari-dnsop-root-loopback-00). There > are some findings and questions which you guys can help us to address. Your implem

Re: [DNSOP] A Preliminary Test for Loopback Server

2014-11-10 Thread Evan Hunt
On Mon, Nov 10, 2014 at 05:27:08PM +, Evan Hunt wrote: > Attached is a sample named.conf configuration which implements this using a > "root" view for the root zone slave, and a "recursive" view for recursion. > DNSSEC validation works correctly and the root zone will sync correctly. One of th
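The two-view layout the message describes, written out as an added example configuration. This is not the attachment the message refers to and not a file from ISC; it assumes named listens on 127.12.12.12 for the root view (any 127/8 address is reachable on Linux without extra configuration, other systems need a loopback alias), an assumed zone file name and directory, and the root-zone transfer sources of ICANN, F and K as listed in RFC 7706 Appendix A, which should be checked against current operator documentation before use.

```conf
// Added example of the "root" + "recursive" view split for a loopback copy
// of the root zone. Not the attachment mentioned above, not ISC's file.
// Assumptions: the 127.12.12.12 listener address, the zone file path and
// the transfer sources (verify them before use).

options {
    listen-on { 127.0.0.1; 127.12.12.12; };   // assumed addresses
    listen-on-v6 { ::1; };
    directory "/var/named";                   // assumed path
};

// View 1: an authoritative slave copy of the root zone, selected purely by
// destination address. Nothing arriving here is recursed.
view root {
    match-destinations { 127.12.12.12; };
    recursion no;
    zone "." {
        type slave;
        file "rootzone.db";
        notify no;
        masters {
            192.0.47.132;            // xfr.cjr.dns.icann.org
            192.0.32.132;            // xfr.lax.dns.icann.org
            2620:0:2830:202::132;    // xfr.cjr.dns.icann.org
            2620:0:2d0:202::132;     // xfr.lax.dns.icann.org
            192.5.5.241;             // f.root-servers.net
            2001:500:2f::f;          // f.root-servers.net
            193.0.14.129;            // k.root-servers.net
            2001:7fd::1;             // k.root-servers.net
        };
    };
};

// View 2: the validating resolver that clients actually talk to. Instead of
// priming against the public root servers it is told that "." lives at
// 127.12.12.12. Validation still runs against the built-in root trust
// anchor, so a stale or tampered local copy is rejected as bogus instead
// of being accepted silently.
view recursive {
    match-clients { localnets; ::1; 127.0.0.0/8; };   // assumed client set
    recursion yes;
    allow-recursion { localnets; ::1; 127.0.0.0/8; };
    dnssec-validation auto;
    zone "." {
        type static-stub;
        server-addresses { 127.12.12.12; };
    };
};
```

Two things worth checking after loading this: `rndc zonestatus "." in root` (or the transfer log line) confirms the slave copy actually transferred, and `dig @127.0.0.1 +dnssec . SOA` from the recursive view should come back with the AD bit set, since the RRSIGs in the copied zone are the ones the root zone operator produced and are verified against the same trust anchor as before. The robustness caveat is that the local copy expires when the SOA expire timer runs out without a successful transfer; once that happens the root view stops answering and the recursive view has no root at all, so transfer failures need to be monitored rather than discovered by users.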

Re: [DNSOP] A Preliminary Test for Loopback Server

2014-11-10 Thread Seun Ojedeji
sent from Google nexus 4 kindly excuse brevity and typos. On 10 Nov 2014 18:37, "Evan Hunt" wrote: > > On Mon, Nov 10, 2014 at 05:27:08PM +, Evan Hunt wrote: > > Attached is a sample named.conf configuration which implements this using a > > "root" view for the root zone slave, and a "recursiv

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread Paul Ebersman
ebersman> My concern is random folks who currently accept any v4 PTR ebersman> regardless of format (but caring if there is no PTR at all) ebersman> will do something equally bad in v6. i.e. NYT web content and ebersman> similar pointless cruft. Putting in an auto-gen'ed v6 PTR ebersman> would sat

Re: [DNSOP] A Preliminary Test for Loopback Server

2014-11-10 Thread Doug Barton
On 11/10/14 9:28 AM, Evan Hunt wrote: One of these days I want to write a mail client that checks for the word "attached" and refuses to let me hit send until I attach something. Well the obvious solution is to attach the item first, then write the message. :) ... and FWIW, Thunderbird will

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread sthaug
> TLemon> The status quo is that the ISP doesn't add a PTR record for a > TLemon> customer IPv6 address, nor delegate the zone. Lots of IPv6 > TLemon> users are getting by just fine right this very moment (including > TLemon> me) without this. So I think it's safe to say that we do not > TLemon>

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread Paul Ebersman
sthaug> To me this is really simple: If many/most ISPs continue *not* sthaug> adding useless/artificial/synthesized PTRs, the content / server sthaug> people will have no choice - if they want their content to get sthaug> out and their services to be used by the large majority of IPv6 sthaug> user

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread John R Levine
This happens in China (on CERNET I believe): there are a set of root mirrors that hijack most (but not all) of the root IPs. As far as we can tell, the servers are legitimate, returning the proper responses, except that the mirror servers don't support DNSSEC. Those are unusual meanings for "le

[DNSOP] new drafts? (Was Draft Reverse DNS in IPv6 for Internet Service Providers)

2014-11-10 Thread Paul Ebersman
I've come to the conclusion that this draft doesn't give me the data I need to choose when/where/how I might do v6 PTRs for my broadband customers. It is sufficient for servers, networking gear and business customers; just not for broadband. There are two things lacking that would be cleaner to t

Re: [DNSOP] new drafts? (Was Draft Reverse DNS in IPv6 for Internet Service Providers)

2014-11-10 Thread Andrew Sullivan
On Mon, Nov 10, 2014 at 10:59:31AM -1000, Paul Ebersman wrote: > Is there someone willing to drive the recommendations on what we should > be doing with v4/v6? "Should"? Absolutely not. There is not an answer for that, and the last time the WG tried to do that I think completely demonstrated th

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread Ted Lemon
On Nov 10, 2014, at 8:32 AM, Paul Ebersman wrote: > IPv6 is still in early adoption for broad general use and we don't know > what plans folks have for requiring PTRs. I apologize for picking and choosing from your response, but I think this sums it up perfectly: if we do not yet know what plans

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread Paul Ebersman
ebersman> IPv6 is still in early adoption for broad general use and we ebersman> don't know what plans folks have for requiring PTRs. TLemon> I apologize for picking and choosing from your response, but I TLemon> think this sums it up perfectly: if we do not yet know what TLemon> plans they have,

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread George Michaelson
Given the behaviour of unknown algorithm, if the anycast node signs with an algorithm they can guarantee you don't understand, how did you know DNSSEC was turned off silently? i.e., downgrade silent response means that an anycast node can mask changes to the root, because you won't know DNSSEC was di

Re: [DNSOP] Draft Reverse DNS in IPv6 for Internet Service Providers

2014-11-10 Thread Ted Lemon
On Nov 10, 2014, at 11:10 AM, Paul Ebersman wrote: > If I wait until I have screaming customers, I have months and months of > hell before I have any solution. So deploy the solutions the IETF is already working on. You are proposing we do something bad to solve a problem that demonstrably doe

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Paul Vixie
> Ralf Weber > Sunday, November 09, 2014 3:30 PM > Moin! > > They can do this with today with the current root zone. AXFR it from a > root server, serve it and point your root hints to it. Why do you want > to complicate this? because right now the people who do this have

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Paul Vixie
> John R Levine > Sunday, November 09, 2014 3:50 PM > > ... > > It's still not clear to me what the practical advantage of this is > over my hack of networks inserting their own routes for one of the > existing servers, other than perhaps that it's easier to diagnose from

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Paul Vixie
> Andrew Sullivan > Sunday, November 09, 2014 3:58 PM > Hi, > > > I didn't understand that, either; I thought what John said was what > you intended. > > Doesn't this suffer in terms of robustness? yes. parts of the 'net can be made root-serverless by accident th

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Paul Vixie
> George Michaelson > Monday, November 10, 2014 1:02 PM > Given the behaviour of unknown algorithm, if the anycast node signs > with an algorithm they can guarantee you don't understand, how did you > know DNSSEC was turned off silently? > > i.e., downgrade silent response

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Brian Dickson
Paul Vixie wrote: > because right now the people who do this have to pirate the address space > of root name servers, and they have to do it for all of our addresses. > under this proposal, there would be no piracy required, and there would > only be two address blocks per stack (two for v4, two f

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Ralf Weber
Moin! > On 10 Nov 2014, at 16:49, Brian Dickson wrote: > > The addresses associated with those names ( [a-m].root-servers.net ) are > replaceable in a way which is undetectable and unprotected by DNSSEC. > > Thus, there is no need to hijack BGP routes. There is not even a requirement > that 1

Re: [DNSOP] "Secure Unowned Hierarchical Anycast Root Name Service - And an Apologia" (circleid)

2014-11-10 Thread Brian Dickson
On Mon, Nov 10, 2014 at 7:16 PM, Ralf Weber wrote: > Moin! > > > On 10 Nov 2014, at 16:49, Brian Dickson > wrote: > > > > The addresses associated with those names ( [a-m].root-servers.net ) > are replaceable in a way which is undetectable and unprotected by DNSSEC. > > > > > With DNSSEC any mod