Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Woodworth, John R
> -Original Message- > From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of John Levine > > I realize that my biggest problem with this draft is not that > I don't think that it's useful -- we have lots of RFCs that > turned out to be useless but harmless. It's that it breaks the > DNS

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Woodworth, John R
> -Original Message- > From: Jim Reid [mailto:j...@rfc1035.com] > > What value has each IPv6 address? Or a name like > host-2001-67c-1232-144-21f-5bff-fec3-ab9d.example.com? Please > enlighten me. > Hi Jim, I guess beauty (or value) is in the eye of the beholder :) Although in practice t

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Woodworth, John R
> -Original Message- > From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Tony Finch > > Can you provide a technical reason for per-address IPv6 reverse DNS? > Hi Tony, The main reason I can think of is compatibility. This (BULK-like functionality) is actually happening today. In

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-19 Thread 神明達哉
At Tue, 18 Jul 2017 18:20:56 +0530, Mukund Sivaraman wrote: > Dealing with water torture and some other attacks have had several > band-aid approaches that don't always work well in practice. The most > promising (and what feels correct) is > draft-ietf-dnsop-nsec-aggressiveuse, but it doesn't wo

Re: [DNSOP] draft-ietf-dnsop-dns-rpz

2017-07-19 Thread John Levine
In article <4b2b2d27-7e24-41bc-93b7-d33faf783...@vpnc.org> you write: >If the WG still gets to freely edit the document while adhering to >"describes an existing and widely deployed method", this seems like a >good way forwards. Text can change, bits can't. OK with me. R's, John

Re: [DNSOP] DNS versioning, was The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread John Levine
In article you write: >We are adding something to DNS that's not just a new RRTYPE. It requires >code changes and has a deployment and long tail. ... I realize that my biggest problem with this draft is not that I don't think that it's useful -- we have lots of RFCs that turned out to be useless

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Paul Vixie
sth...@nethelp.no wrote: Can you provide a technical reason for per-address IPv6 reverse DNS? Where I work, we bulk populate reverse v4 DHCP pools just so we know that they are pools. We aren't going to bother doing that with v6 because everything is a pool, except for a relatively small numbe

Re: [DNSOP] [Ext] comments on draft-mglt-dnsop-dnssec-validator-requirements-05

2017-07-19 Thread Edward Lewis
On 7/19/17, 08:49, "DNSOP on behalf of Rose, Scott (Fed)" wrote: >I think this draft is a good idea and should be adopted, but needs some >improvements first. > Thanks for the review, the current version has items needing wider discussion. I'll pick some items to respond to now: >2. REQ2:

Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt

2017-07-19 Thread Tony Finch
Stephane Bortzmeyer wrote: > > Cute trick. I love it. :-) > But it modifies the rules for response credibility (the most credible > response is in the additional section, not in the answer section). > Should we update RFC 2181, section 5.4.1? > I tend to think that the A > record, in that exampl

Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt

2017-07-19 Thread Stephane Bortzmeyer
On Tue, Jul 18, 2017 at 05:09:00PM +0100, Tony Finch wrote a message of 80 lines which said: > A client queries its resolver for dotat.at A, but chiark has > renumbered, so the client gets a response from the ANAME-aware > resolver like below. A validating ANAME-aware client can see it > shoul

Re: [DNSOP] I-D Action: draft-ietf-dnsop-session-signal-03.txt

2017-07-19 Thread Petr Špaček
On 19.7.2017 05:15, Mark Andrews wrote: > In message <77d0bc67-d6c3-de37-e88b-6b3612cf3...@nic.cz>, > Petr Špaček writes: >> On 11.7.2017 13:23, Ted Lemon wrote: >>> On Jul 11, 2017, at 3:17 AM, Petr Špaček >> > wrote: I feel that implications fro

[DNSOP] comments on draft-mglt-dnsop-dnssec-validator-requirements-05

2017-07-19 Thread Rose, Scott (Fed)
I think this draft is a good idea and should be adopted, but needs some improvements first. 1. In Section 4: "unsecure" should be "insecure". 2. REQ2: What should happen when there are multiple trust anchors, but only one failed to validate? E.g. a validator has both the root and .exampleTLD

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-19 Thread Shumon Huque
On Wed, Jul 19, 2017 at 10:49 AM, Stephane Bortzmeyer wrote: > On Tue, Jul 04, 2017 at 11:42:56AM -0400, > Shumon Huque wrote > a message of 108 lines which said: > > > We've posted a new draft on algorithm negotiation which we're hoping to > > discuss at IETF99 > > For the discussion on thurs

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread sthaug
> Can you provide a technical reason for per-address IPv6 reverse DNS? > > Where I work, we bulk populate reverse v4 DHCP pools just so we know that > they are pools. We aren't going to bother doing that with v6 because > everything is a pool, except for a relatively small number of statically > c

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Jim Reid
> On 19 Jul 2017, at 11:34, Woodworth, John R > wrote: > > Think of this as your property (e.g. your yard). Each IP address > in itself is small but without the sum of each, what do you have? > > Suddenly, each blade of grass has value. What value has each IPv6 address? Or a name like host-

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Tony Finch
Woodworth, John R wrote: > > For IPv4 I can't see what advantage BULK has over $GENERATE > > or similar back-end provisioning scripts. > > Really? If you're proposing a forklift upgrade of the DNS then I think you need to make the advantages clear, rather than expecting me to guess. > In the IP

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Woodworth, John R
> Paul Wouters wrote: > > > > I would feel much better if there would be some real use > > cases to justify adding special code to DNS that will > > instantly become obsolete. > > Yes. > Hi Tony, Thanks for the feedback! > > For IPv4 I can't see what advantage BULK has over $GENERATE > or simi

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Woodworth, John R
> -Original Message- > From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Paul Wouters > > I kind of disagree. > Hi Paul, Thanks for the feedback! > > We are adding something to DNS that's not just a new RRTYPE. It > requires code changes and has a deployment and long tail. If the

Re: [DNSOP] I-D Action: draft-ietf-dnsop-aname-00.txt

2017-07-19 Thread Willem Toorop
Op 18-07-17 om 18:09 schreef Tony Finch: > The other kind of DNS server that might be able to do something useful > with ANAME is a recursive server, so it could co-operate nicely with > authoritative servers that are playing clever tricks. But the rDNS will > have to be careful about not breaking

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Jim Reid
> On 19 Jul 2017, at 10:37, Tony Finch wrote: > > BULK seems like far too much cleverness applied to far too small a problem. +1. I'm not convinced there is a problem here that needs fixing. ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Tony Finch
Paul Wouters wrote: > > I would feel much better if there would be some real use cases to > justify adding special code to DNS that will instantly become obsolete. Yes. For IPv4 I can't see what advantage BULK has over $GENERATE or similar back-end provisioning scripts. For IPv6, if we have an

Re: [DNSOP] NSEC/NSEC3 for unsigned zones and aggressive use

2017-07-19 Thread Francis Dupont
In your previous mail you wrote: > NSEC needs no keys, only their RRSIGs would which wouldn't exist in > unsigned zones. In this case the unsigned NSEC would also not be part of > the zone (it would have to be synthesized and maintained outside the > zone). => but it is created by an authori

[DNSOP] Draft Minutes from DNSOP Session I

2017-07-19 Thread Tim Wicinski
Thanks to Paul Hoffman for capturing the conversations during this session. Please take a look and if you spot any errors please get in touch with the chairs: https://www.ietf.org/proceedings/99/minutes/minutes-99-dnsop-02.txt thanks tim/suzanne dnsop-ietf99-minutes-1.txt DNSOP WG Tuesday

Re: [DNSOP] New draft: Algorithm Negotiation in DNSSEC

2017-07-19 Thread Stephane Bortzmeyer
On Tue, Jul 04, 2017 at 11:42:56AM -0400, Shumon Huque wrote a message of 108 lines which said: > We've posted a new draft on algorithm negotiation which we're hoping to > discuss at IETF99 For the discussion on Thursday: > In contrast, many other security protocols, like TLS, IKE, SSH and >

Re: [DNSOP] requesting WGLC for 5011-security-considerations

2017-07-19 Thread Michael StJohns
On date time vs intervals - I finally realized why Wes and I are somewhat disconnected on this. 5011 was written as the protocol for the resolver and is totally interval driven. (E.g. query and retry timers are set and fire based on when the resolver performs an action). This document is b

Re: [DNSOP] draft-ietf-dnsop-dns-rpz

2017-07-19 Thread Peter van Dijk
Hello Suzanne, On 18 Jul 2017, at 14:13, Suzanne Woolf wrote: If this is acceptable to the WG, we’ll keep the new draft with these changes as a WG draft. Yes please! Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread Paul Wouters
On Wed, 19 Jul 2017, George Michaelson wrote: Read, support. This is a useful addition to document how to do something. Now, the 'outer' question of the value of reverse-DNS label binding, that's a different conversation. I can well imagine a bunch of bikeshed-painting, but let's focus on this as

[DNSOP] Ordering requirement in draft-dnsop-session-signal

2017-07-19 Thread Ted Lemon
I was about to send this in a private message to Tom and Stuart on this topic, but I think it's actually the discussion that the working group needs to have about this, so I'm sending it here instead. The proposal we were discussing was whether to just drop the ordering requirement. I think that

Re: [DNSOP] The DNSOP WG has placed draft-woodworth-bulk-rr in state "Candidate for WG Adoption"

2017-07-19 Thread George Michaelson
Read, support. This is a useful addition to document how to do something. Now, the 'outer' question of the value of reverse-DNS label binding, that's a different conversation. I can well imagine a bunch of bikeshed-painting, but let's focus on this as a technique for specifying programmatic populati