Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-09 Thread Paul Vixie
> Paul Wouters > Monday, March 09, 2015 10:02 PM > On Sun, 8 Mar 2015, Paul Vixie wrote: > >>> So why are we proposing to ACL the ANY queries again? >> >> because people like me with dig-based diagnostic tools want to be able >> to run ANY queries against our own servers,

Re: [DNSOP] Definition of "validating resolver"

2015-03-09 Thread Mark Andrews
In message <54fdb221.8020...@nlnetlabs.nl>, Willem Toorop writes: > I'd like to maintain the term exactly as specified in RFC4033 > (understanding DNSSEC but not validating), because it comes in use when > talking about validating stubs. > > Some network operators don't know or care about DNSSEC

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Darcy Kevin (FCA)
My 2 cents... It is commonplace, these days, to clearly enumerate "MANDATORY TO IMPLEMENT" elements of a protocol specification. But, this was not the typical practice at the time RFCs 1034/1035 was written, and I don't think we can apply modern standards-parlance retroactively. RFC 1034/1035 c

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread D. J. Bernstein
Edward Lewis writes: > Operators are not bound to comply with what the IETF documents. As I said before, this is making a mockery of the IETF standardization process. Instead of * obeying the existing mandatory standards, * giving due respect to the installed base relying on the standards,

[DNSOP] Fwd: New Version Notification for draft-ogud-dnsop-acl-metaqueries-00.txt

2015-03-09 Thread Olafur Gudmundsson
updated based on feedback from the mailing list File name changed at WG secretary request Olafur (for editors) -- Forwarded message -- From: Date: Mon, Mar 9, 2015 at 6:25 PM Subject: New Version Notification for draft-ogud-dnsop-acl-metaqueries-00.txt To: Olafur Gudmundsson , J

[DNSOP] I-D Action: draft-ietf-dnsop-resolver-priming-05.txt

2015-03-09 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations Working Group of the IETF. Title : Initializing a DNS Resolver with Priming Queries Authors : Peter Koch

Re: [DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)

2015-03-09 Thread Shumon Huque
On Mon, Mar 9, 2015 at 2:55 PM, Shumon Huque wrote: > On Mon, Mar 9, 2015 at 2:45 PM, Robert Edmonds wrote: > >> Shumon Huque wrote: >> > PS. regarding Paul Vixie's recent suggestion of adding an or A >> record >> > set in the additional section for a corresponding A or query, I >> jus

Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt

2015-03-09 Thread Paul Wouters
On Mon, 9 Mar 2015, Tony Finch wrote: The justification in the introduction is misleading: This document specifies an EDNS0 extension that allows a validating Resolver running as a Forwarder to open a TCP connection to another Resolver and request a DNS chain answer using one DNS query/an

Re: [DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)

2015-03-09 Thread Shumon Huque
On Mon, Mar 9, 2015 at 2:45 PM, Robert Edmonds wrote: > Shumon Huque wrote: > > PS. regarding Paul Vixie's recent suggestion of adding an or A > record > > set in the additional section for a corresponding A or query, I just > > learned today that Unbound already does this. Not sure if

Re: [DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt

2015-03-09 Thread Tony Finch
The justification in the introduction is misleading: This document specifies an EDNS0 extension that allows a validating Resolver running as a Forwarder to open a TCP connection to another Resolver and request a DNS chain answer using one DNS query/answer pair. This reduces the number

Re: [DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)

2015-03-09 Thread Robert Edmonds
Shumon Huque wrote: > PS. regarding Paul Vixie's recent suggestion of adding an or A record > set in the additional section for a corresponding A or query, I just > learned today that Unbound already does this. Not sure if there are any DNS > client APIs that can successfully make use of

[DNSOP] I-D Action: draft-ietf-dnsop-edns-chain-query-02.txt

2015-03-09 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations Working Group of the IETF. Title : Chain Query requests in DNS Author : Paul Wouters Filename: draft-

Re: [DNSOP] I-D Action: draft-ietf-dnsop-qname-minimisation-02.txt

2015-03-09 Thread Evan Hunt
On Mon, Mar 09, 2015 at 11:22:41AM -0400, Rose, Scott W. wrote: > The usual phrasing in the sentence would be "less than" or "fewer than". Suggested alternate wording: Thus, in some cases, a resolver using qname minimisation could send counter-intuitively fewer upstream queries than a tradit

Re: [DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)

2015-03-09 Thread Shumon Huque
On Mon, Mar 9, 2015 at 12:05 PM, Ray Bellis wrote: > > > On 9 Mar 2015, at 14:28, Stephane Bortzmeyer wrote: > > > > On Fri, Mar 06, 2015 at 08:59:20PM +, > > Evan Hunt wrote > > a message of 28 lines which said: > > > >> (As an aside: I've often wondered why the DNS doesn't have *more* > >

[DNSOP] clarification on DNSOP charter Re: [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Suzanne Woolf
Hi, (chair hat on) To the question of what's on charter for DNSOP: On Mar 9, 2015, at 7:08 AM, D. J. Bernstein wrote: > My understanding is that dnsop@ietf.org is not chartered to make DNS > protocol changes, so any discussion here will have to be repeated in an > appropriate working group Fr

Re: [DNSOP] [TCP] Review of draft-ietf-dnsop-5966bis-00.txt

2015-03-09 Thread Ray Bellis
> On 9 Mar 2015, at 16:32, Stephane Bortzmeyer wrote: > > I re-send here two questions that have apparently not been addressed > in -01 > > On Sun, Jan 04, 2015 at 06:42:26PM +0100, > Stephane Bortzmeyer wrote > a message of 37 lines which said: > >> Section 3, "some network devices delibera

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Edward Lewis
On 3/9/15, 11:36, "Jared Mauch" wrote: >I would be interested in hearing the results you had from disabling ANY >queries, or anyone else's results. We got a few complaints to the help desk. To quiet this, we resumed answering with a mind to stopping again in the future. The next was to take on m

Re: [DNSOP] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread John Levine
In article <20150309110803.4516.qm...@cr.yp.to> you write: >My "qmail" software is very widely deployed (on roughly 1 million SMTP >server IP addresses) and, by default, relies upon ANY queries in a way >that is guaranteed to work by the mandatory DNS standards. All the qmail installations I know

Re: [DNSOP] [TCP] Review of draft-ietf-dnsop-5966bis-00.txt

2015-03-09 Thread Stephane Bortzmeyer
I re-send here two questions that have apparently not been addressed in -01 On Sun, Jan 04, 2015 at 06:42:26PM +0100, Stephane Bortzmeyer wrote a message of 37 lines which said: > Section 3, "some network devices deliberately refuse to handle DNS > packets containing EDNS0 options" Isn't it t

Re: [DNSOP] More work for DNSOP :-)

2015-03-09 Thread Olafur Gudmundsson
Happy to pick a less offensive file name :-) will discuss with co-editors (Joe Abley is also helping) Olafur -Original Message- From: "Paul Hoffman" Sent: Monday, 9 March, 2015 11:51 To: "Olafur Gudmundsson" Cc: "IETF DNSOP WG" Subject: Re: [DNSOP] More work for DNSOP :-) On Mar 8

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread David C Lawrence
RFC 1035 explicitly allows for a server to indicate that a kind of query is not implemented. Whether it is a good idea to respond to ANY this way is a separate argument that is worth having. You just won't win on the foundation that it is a violation of the standard.

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Tony Finch
bert hubert wrote: > On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote: > > My "qmail" software is very widely deployed (on roughly 1 million SMTP > > server IP addresses) and, by default, relies upon ANY queries in a way > > that is guaranteed to work by the mandatory DNS standards.

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Tony Finch
Jared Mauch wrote: > > Even ignoring if qmail is “broken”. (I would rather classify it as, could do > better) Yes. > dnsop-any-notimp violates the principle of least surprise in technology by > returning NOTIMP where Paul Vixie suggested NOERROR/ANCOUNT=0 would be more > appropriate with the ex

Re: [DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)

2015-03-09 Thread Ray Bellis
> On 9 Mar 2015, at 14:28, Stephane Bortzmeyer wrote: > > On Fri, Mar 06, 2015 at 08:59:20PM +, > Evan Hunt wrote > a message of 28 lines which said: > >> (As an aside: I've often wondered why the DNS doesn't have *more* >> meta-query types, less extensive than ANY, such as a single type

Re: [DNSOP] More work for DNSOP :-)

2015-03-09 Thread Paul Hoffman
On Mar 8, 2015, at 6:23 PM, Olafur Gudmundsson wrote: > There is a new version in the works, expect it late tomorrow (monday) There are questions about whether NOTIMP is the correct response. Given that, please consider starting a new -00 without "notimp" in the filename. That will help make i

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Jared Mauch
> On Mar 9, 2015, at 11:16 AM, Edward Lewis wrote: > > On 3/9/15, 7:08, "D. J. Bernstein" wrote: > >> The common theme of CNAME/MX/A and A/ is that there's widespread >> interest in being able to easily retrieve multiple record types. What >> I'm saying is not that query type ANY is the ult

[DNSOP] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread D. J. Bernstein
My "qmail" software is very widely deployed (on roughly 1 million SMTP server IP addresses) and, by default, relies upon ANY queries in a way that is guaranteed to work by the mandatory DNS standards. Specifically, query type ANY "matches all RR types" for that node on that server. There's an exam

[DNSOP] Suggestion for "any" and further

2015-03-09 Thread Zhiwei Yan
This issue and Olafur's solution reflect the awkward relationship between the recursive and authoritative servers. About this issue, no matter what kind of meta-data should be ignored or what kind of policies are configured by the authoritative servers, it's necessary for the authoritative serv

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Jared Mauch
> On Mar 9, 2015, at 10:54 AM, Tony Finch wrote: > > D. J. Bernstein wrote: > >> My "qmail" software is very widely deployed (on roughly 1 million SMTP >> server IP addresses) and, by default, relies upon ANY queries in a way >> that is guaranteed to work by the mandatory DNS standards. > > T

Re: [DNSOP] I-D Action: draft-ietf-dnsop-qname-minimisation-02.txt

2015-03-09 Thread Rose, Scott W.
According to my dictionary (as in, at least US English). The usual phrasing in the sentence would be "less than" or "fewer than". Scott On Mar 9, 2015, at 10:21 AM, Bob Harold wrote: > > On Mon, Mar 9, 2015 at 10:12 AM, Stephane Bortzmeyer > wrote: > On Wed, Mar 04, 2015 at 08:10:11AM -05

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread bert hubert
On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote: > My "qmail" software is very widely deployed (on roughly 1 million SMTP > server IP addresses) and, by default, relies upon ANY queries in a way > that is guaranteed to work by the mandatory DNS standards. Hi Dan, The way I read RF

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Edward Lewis
On 3/9/15, 7:08, "D. J. Bernstein" wrote: >The common theme of CNAME/MX/A and A/ is that there's widespread >interest in being able to easily retrieve multiple record types. What >I'm saying is not that query type ANY is the ultimate answer (clearly it >can be improved); what I'm saying is tha

Re: [DNSOP] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Stephane Bortzmeyer
On Mon, Mar 09, 2015 at 11:08:03AM -, D. J. Bernstein wrote a message of 111 lines which said: >* First: The proposed protocol modification has to be taken to an > IETF working group chartered to modify the protocol, so that > stakeholders will have a proper chance to evaluat

Re: [DNSOP] I-D Action: draft-ietf-dnsop-qname-minimisation-02.txt

2015-03-09 Thread Niall O'Reilly
On Mon, 09 Mar 2015 14:21:48 +, Bob Harold wrote: > > On Mon, Mar 9, 2015 at 10:12 AM, Stephane Bortzmeyer > wrote: > > On Wed, Mar 04, 2015 at 08:10:11AM -0500, > Bob Harold wrote > a message of 218 lines which said: > > > I think the change in section 4 "Performance i

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Tony Finch
D. J. Bernstein wrote: > My "qmail" software is very widely deployed (on roughly 1 million SMTP > server IP addresses) and, by default, relies upon ANY queries in a way > that is guaranteed to work by the mandatory DNS standards. There are three bugs in the way qmail uses ANY queries. (1) qmail

Re: [DNSOP] [dns-operations] dnsop-any-notimp violates the DNS standards

2015-03-09 Thread Paul Wouters
On Mon, 9 Mar 2015, D. J. Bernstein wrote: My "qmail" software is very widely deployed (on roughly 1 million SMTP server IP addresses) and, by default, relies upon ANY queries in a way that is guaranteed to work by the mandatory DNS standards. And you've been told for two decades that this was

Re: [DNSOP] Definition of "validating resolver"

2015-03-09 Thread Willem Toorop
I'd like to maintain the term exactly as specified in RFC4033 (understanding DNSSEC but not validating), because it comes in use when talking about validating stubs. Some network operators don't know or care about DNSSEC and do not equip their network's resolver with a trust anchor. Such a resolv

Re: [DNSOP] review of qname-minimisation-01 draft

2015-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 06, 2015 at 04:12:38PM -0500, Rose, Scott W. wrote a message of 36 lines which said: > 1. Section 1. Introduction and background > s/etc/etc. (Depends on style guide used I guess) Yes. Deferred to when the RFC Editor will look at it. > 2. Section 3 > I would prefer

[DNSOP] Why no more meta-queries? (Was: More work for DNSOP :-)

2015-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 06, 2015 at 08:59:20PM +, Evan Hunt wrote a message of 28 lines which said: > (As an aside: I've often wondered why the DNS doesn't have *more* > meta-query types, less extensive than ANY, such as a single type > covering A and . Probably for the same reason that makes QTY

Re: [DNSOP] Definition of "validating resolver"

2015-03-09 Thread Tony Finch
Paul Hoffman wrote: > On Mar 9, 2015, at 3:45 AM, Tony Finch wrote: > > > > Paul Hoffman wrote: > >> > >> My personal interpretation is that "validating resolver" is a synonym > >> for "security-aware resolver". Do others agree? If not, how would you > >> differentiate them? > > > > No, "securit

Re: [DNSOP] More work for DNSOP :-)

2015-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 06, 2015 at 11:42:08AM -0800, Paul Vixie wrote a message of 155 lines which said: > we're in a post-snowden era, and any information leaks (such as RD=0 > queries to recursive-only servers) have to be reconsidered on the > new risk:benefit model. Yes. This is mentioned in "DNS pri

Re: [DNSOP] I-D Action: draft-ietf-dnsop-qname-minimisation-02.txt

2015-03-09 Thread Bob Harold
On Mon, Mar 9, 2015 at 10:12 AM, Stephane Bortzmeyer wrote: > On Wed, Mar 04, 2015 at 08:10:11AM -0500, > Bob Harold wrote > a message of 218 lines which said: > > > I think the change in section 4 "Performance implications" is incorrect: > > This was reported by a native English speaker and c

Re: [DNSOP] I-D Action: draft-ietf-dnsop-qname-minimisation-02.txt

2015-03-09 Thread Stephane Bortzmeyer
On Wed, Mar 04, 2015 at 08:10:11AM -0500, Bob Harold wrote a message of 218 lines which said: > I think the change in section 4 "Performance implications" is incorrect: This was reported by a native English speaker and committed here

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-09 Thread Paul Wouters
On Sun, 8 Mar 2015, Paul Vixie wrote: So why are we proposing to ACL the ANY queries again? because people like me with dig-based diagnostic tools want to be able to run ANY queries against our own servers, from our NOC/SOC. Fair enough. Cloudflare is not doing this for privacy reasons. So

Re: [DNSOP] Definition of "validating resolver"

2015-03-09 Thread Paul Hoffman
Thanks, but I'm having a hard time grokking this. It seems others on the list are as well. On Mar 9, 2015, at 3:45 AM, Tony Finch wrote: > > Paul Hoffman wrote: >> >> My personal interpretation is that "validating resolver" is a synonym >> for "security-aware resolver". Do others agree? If not

Re: [DNSOP] Definition of "validating resolver"

2015-03-09 Thread Ted Lemon
On Mar 8, 2015, at 6:31 PM, Ralf Weber wrote: > I was told that the difference is that a security aware resolver does > not validate, but instead relies on the "Validating Stub Resolver" to > protect the user. So it would handle all the DNSSEC processing to the > authoritative and would store the

Re: [DNSOP] Suffix? (Was: I-D Action: draft-hoffman-dns-terminology-01.txt

2015-03-09 Thread Stephane Bortzmeyer
On Fri, Mar 06, 2015 at 10:53:36AM -0800, Paul Vixie wrote a message of 135 lines which said: > i object to the term "suffix", which sounds like a CP/M "file > extension", like TXT in "FOOBAR.TXT", I do not see the relationship. I was suggesting "public suffix" precisely to avoid the marketin

[DNSOP] I-D Action: draft-ietf-dnsop-5966bis-01.txt

2015-03-09 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Domain Name System Operations Working Group of the IETF. Title : DNS Transport over TCP - Implementation Requirements Authors : John Dickinson

Re: [DNSOP] Suggestion for "any" - TCP only

2015-03-09 Thread Oliver Peter
On Sun, Mar 08, 2015 at 10:27:11PM -0700, Paul Vixie wrote: > > > > Paul Wouters > > Sunday, March 08, 2015 9:03 PM > > On Sun, 8 Mar 2015, Paul Vixie wrote: > > > > > > So why are we proposing to ACL the ANY queries again? > > because people like me with dig-based diagno

Re: [DNSOP] Definition of "validating resolver"

2015-03-09 Thread Tony Finch
Paul Hoffman wrote: > > My personal interpretation is that "validating resolver" is a synonym > for "security-aware resolver". Do others agree? If not, how would you > differentiate them? No, "security-aware" means that the software understands the special semantics of RRSIG, NSEC, DS, etc. but d

Re: [DNSOP] More work for DNSOP :-)

2015-03-09 Thread Tony Finch
Olafur Gudmundsson wrote: > > It does not outlaw ANY per se, just says limit it to trusted parties. > It applies to all meta types, including RRSIG. I think you should suggest that implementations should have reasonably fine-grained ACLs, e.g. we currently have an ACL for AXFR+IXFR; this draft

Re: [DNSOP] More work for DNSOP :-)

2015-03-09 Thread Andreas Gustafsson
Olafur Gudmundsson wrote: > There is a new version in the works, expect it late tomorrow (monday) > [...] > I tries to define that resolver treat NOTIMP as long term signal > that resolver should keep track of and not retry. That's a bad idea, IMO. When the resolver gets a NOTIMP response, it ha