[DNSOP] Review of draft [draft-ietf-dnsop-refuse-any-04.txt]

2017-02-09 Thread Woodworth, John R
Olafur, This is my first draft review so apologies if it seems harsh; I really like the concept of this draft. Comments: -- Section 4.1 "Select one RRSet mode" - The section including "...choose a small one(s) to..." seems confusing, a single RRSet is expected why the possibility of multiple R

Re: [DNSOP] A nudge on the new terms in draft-ietf-dnsop-terminology-bis

2017-02-09 Thread Ralph Droms
Paul - I finished my review of the terminology doc; added 1 issue today. - Ralph > On Feb 8, 2017, at 4:31 PM, Paul Hoffman wrote: > > [[ Hopefully the WG can focus on multiple topics at once; this one has an > effect on the upcoming interim WG meeting. ]] > > [[ We got a few responses to our

Re: [DNSOP] Review of draft [draft-ietf-dnsop-refuse-any-04.txt]

2017-02-09 Thread Ólafur Guðmundsson
John, Thanks for the review, you are spot on. I should not edit while watching a soccer game :-( I will post an updated version in the next few days. How about for section 4.1: I was trying to cover the case where the RRSET selected has multiple RRSIGs, not About 4.2. Implementation may choose t

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Stephane Bortzmeyer
On Thu, Feb 09, 2017 at 09:41:31AM +1100, Mark Andrews wrote a message of 38 lines which said: > And only because people are too scared to ask for changes to the > root zone to add a delegation. Being afraid to ask ICANN to do something is not cowardice, it is common sense :-)

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Stephane Bortzmeyer
On Wed, Feb 08, 2017 at 12:36:23PM -0800, Brian Dickson wrote a message of 258 lines which said: > - upon startup, do a query for "onion" (the non-existent TLD), with DO=1. > - cache the response, and as appropriate, re-query periodically. > - If a query for .onion is received, reply with the

Re: [DNSOP] WGLC for draft-ietf-dnsop-sutld-ps

2017-02-09 Thread Stephane Bortzmeyer
On Wed, Feb 08, 2017 at 11:40:16AM -0500, John R Levine wrote a message of 27 lines which said: > > URL, please, with the expected behavior of the resolver when queried > > for the domain. > > It's the IANA list of special use domains: > > >http://www.iana.org/assignments/special-use-domain-

Re: [DNSOP] RFC 6761 vs. 6303 WGLC for draft-ietf-dnsop-sutld-ps

2017-02-09 Thread John R Levine
On Thu, 9 Feb 2017, Stephane Bortzmeyer wrote: http://www.iana.org/assignments/special-use-domain-names/special-use-domain-names.xml It is not complete. For instance, {in-addr,ip6}.arpa domains for the documentation networks (e.g. 2.0.192.IN-ADDR.ARPA) are not present (but they are in the other

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Mark Andrews
In message <20170209163123.56hdbzaluekmv...@nic.fr>, Stephane Bortzmeyer writes: > On Wed, Feb 08, 2017 at 12:36:23PM -0800, > Brian Dickson wrote > a message of 258 lines which said: > > > - upon startup, do a query for "onion" (the non-existent TLD), with DO=1. > > - cache the response, an

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Brian Dickson
Maybe DNS authority server software could auto-generate TXT records for what would otherwise be ENTs, or zone administrators could add them manually, E.g. ent.example.com TXT "This object intentionally left blank." This avoids the ENT issue. I can't think of any way that would break anything. T

Re: [DNSOP] RFC 6761 vs. 6303 WGLC for draft-ietf-dnsop-sutld-ps

2017-02-09 Thread Ted Lemon
On Feb 9, 2017, at 1:40 PM, John R Levine wrote: > That's an interesting observation. RFC 6761 imported the RFC 1918 zones from > RFC 6303 section 4.1, but not the other zones from sections 4.2 through 4.6. > Was that deliberate or an oversight? RFC 6761 doesn't actually reference RFC 6303.

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Mark Andrews
In message <0394528c-99cd-41d4-9ab6-844d13182...@gmail.com>, Brian Dickson writes: > Maybe DNS authority server software could auto-generate TXT records for what > would otherwise be ENTs, or zone administrators could add them manually, > > E.g. ent.example.com TXT "This object intentionally l

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Ted Lemon
On Feb 9, 2017, at 3:45 PM, Mark Andrews wrote: > At the moment we have Ted saying that if you want privacy you MUST > also turn on DNSSEC validation and implement QNAME minimisation and > implement aggressive negative caching (still an I-D). No, I am _not_ saying that. I am saying that an unsign

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Mark Andrews
In message <12d7473b-3a22-4a8d-9c13-2aeedeabb...@fugue.com>, Ted Lemon writes: > > On Feb 9, 2017, at 3:45 PM, Mark Andrews wrote: > > At the moment we have Ted saying that if you want privacy you MUST > > also turn on DNSSEC validation and implement QNAME minimisation and > > implement aggressive

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Ted Lemon
How does a query for, e.g., super-s3kr1t.alt leak if your caching resolver is doing qname minimization? On Thu, Feb 9, 2017 at 5:48 PM, Mark Andrews wrote: > > In message <12d7473b-3a22-4a8d-9c13-2aeedeabb...@fugue.com>, Ted Lemon > writes: > > > > On Feb 9, 2017, at 3:45 PM, Mark Andrews wrote

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Brian Dickson
On Thu, Feb 9, 2017 at 2:48 PM, Mark Andrews wrote: > > In message <12d7473b-3a22-4a8d-9c13-2aeedeabb...@fugue.com>, Ted Lemon > writes: > > > > On Feb 9, 2017, at 3:45 PM, Mark Andrews wrote: > > > At the moment we have Ted saying that if you want privacy you MUST > > > also turn on DNSSEC vali

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Mark Andrews
In message , Ted Lemon writes: > How does a query for, e.g., super-s3kr1t.alt leak if your caching resolver > is doing qname minimization? Because QNAME minimization does not stop on NXDOMAIN. Too much broken stuff out there to stop on NXDOMAIN. The purpose of QNAME minimization is to prevent lea

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Mark Andrews
In message , Brian Dickson writes: > > On Thu, Feb 9, 2017 at 2:48 PM, Mark Andrews wrote: > > > > > In message <12d7473b-3a22-4a8d-9c13-2aeedeabb...@fugue.com>, Ted Lemon > > writes: > > > > > > On Feb 9, 2017, at 3:45 PM, Mark Andrews wrote: > > > > At the moment we have Ted saying that if

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Ted Lemon
On Feb 9, 2017, at 6:28 PM, Mark Andrews wrote: > Because QNAME minimization does not stop on NXDOMAIN. Too much > broken stuff out there to stop on NXDOMAIN. The purpose of QNAME > minimization is to prevent leaking too much information about the qname > to the parent zone. It does nothing to pre

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Brian Dickson
On Thu, Feb 9, 2017 at 3:47 PM, Mark Andrews wrote: > > In message 54s...@mail.gmail.com> > , Brian Dickson writes: > > > Are you saying that leakage when the local namespace is non-existent, is > > a/the issue? > > Because when TPB go on a witch hunt for all users of .alt we > don't want th

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Mark Andrews
In message , Ted Lemon writes: > > On Feb 9, 2017, at 6:28 PM, Mark Andrews wrote: > > Because QNAME minimization does not stop on NXDOMAIN. Too much > > broken stuff out there to stop on NXDOMAIN. The purpose of QNAME > > minimization is to prevent leaking too much information about the qname > >

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Ted Lemon
On Feb 9, 2017, at 7:48 PM, Mark Andrews wrote: > 1) there is too much brokenness out there that returns NXDOMAIN instead of > a NODATA for an ENT. So you're saying that a root nameserver is going to return an incorrect result? And what does this have to do with intelligent trees?

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Mark Andrews
In message <653a3403-dfc8-491a-b083-7873d1886...@fugue.com>, Ted Lemon writes: > > On Feb 9, 2017, at 7:48 PM, Mark Andrews wrote: > > 1) there is too much brokenness out there that returns NXDOMAIN instead > > of a NODATA for an ENT. > > So you're saying that a root nameserver is going to return

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Mark Andrews
In message <20170210015725.bf777636c...@rock.dv.isc.org>, Mark Andrews writes: > > In message <653a3403-dfc8-491a-b083-7873d1886...@fugue.com>, Ted Lemon writes: > > > > On Feb 9, 2017, at 7:48 PM, Mark Andrews wrote: > > > 1) there is too much brokenness out there that returns NXDOMAIN instead >

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Ted Lemon
On Feb 9, 2017, at 8:57 PM, Mark Andrews wrote: > I'm developing software that will be run on private internets with > various degrees of competence from the administrators as well as > the public Internet. That private internet may have an ENT for ALT > that returns NXDOMAIN. The server has to w

Re: [DNSOP] I-D Action: draft-ietf-dnsop-refuse-any-04.txt

2017-02-09 Thread Richard Gibson
With full realization that this is coming very late in the game, we had a great deal of internal conversation within Dyn about implementing refuse-any, and came away unsatisfied with both the "subset" and "HINFO" approaches—the latter because of reasons that have already been covered, and the forme

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Mark Andrews
In message , Ted Lemon writes: > > On Feb 9, 2017, at 8:57 PM, Mark Andrews wrote: > > I'm developing software that will be run on private internets with > > various degrees of competence from the administrators as well as > > the public Internet. That private internet may have an ENT for ALT >

Re: [DNSOP] ALT-TLD and (insecure) delegations.

2017-02-09 Thread Ted Lemon
Could your concern be addressed with secure denial of existence plus the right text about how to configure recursive resolvers? On Feb 10, 2017 1:02 AM, "Mark Andrews" wrote: > > In message , Ted Lemon > writes: > > > > On Feb 9, 2017, at 8:57 PM, Mark Andrews wrote: > > > I'm developing sof