Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

2018-06-21 Thread Mark Andrews
> On 22 Jun 2018, at 1:55 am, Wessels, Duane > wrote: > > >> On Jun 20, 2018, at 11:19 PM, Petr Špaček wrote: >> >>> >>> Longer term, perhaps the best solution will end up being XFR using DNS over >>> TLS (or HTTPS) with server authentication. Yes, I realize that authoritative >>> servers

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Mark Andrews
> On 22 Jun 2018, at 1:19 am, Warren Kumari wrote: > > > > On Thu, Jun 21, 2018 at 10:36 AM Mark Andrews wrote: > > > On 21 Jun 2018, at 12:25 am, Petr Špaček wrote: > > > > On 20.6.2018 16:10, Paul Wouters wrote: > >> On Wed, 20 Jun 2018, Petr Špaček wrote: > >> > >>> it seems that curre

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Mark Andrews
> On 22 Jun 2018, at 1:48 am, Mukund Sivaraman wrote: > > On Fri, Jun 22, 2018 at 01:09:14AM +1000, Mark Andrews wrote: >>> So how should the DNS cookies be implemented? IMHO if one server uses >>> https://tools.ietf.org/html/rfc7873#appendix-B.1 >>> and another server uses https://tools.ietf.

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

2018-06-21 Thread Hugo Salgado-Hernández
On 22:09 21/06, Shane Kerr wrote: > > Dne 1.6.2018 v 12:51 Shane Kerr napsal(a): > > > > Hmm, can you share some details about your experience? > > Did you find out when the data corruption took place? > > a) network transfer > > b) implementation bugs (e.g. incorrectly received IXFR) > > c) on di

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

2018-06-21 Thread Shane Kerr
Petr, Petr Špaček: Dne 1.6.2018 v 12:51 Shane Kerr napsal(a): Wessels, Duane: On May 25, 2018, at 11:33 AM, 神明達哉 wrote: At Wed, 23 May 2018 15:32:11 +, "Weinberg, Matt" wrote: We’ve posted a new version of draft-wessels-dns-zone-digest.  Of note, this -01 version includes the follo

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Tom Pusateri
> On Jun 21, 2018, at 1:40 PM, Shumon Huque wrote: > > On Thu, Jun 21, 2018 at 8:05 AM Tom Pusateri > wrote: >> On Jun 21, 2018, at 12:19 AM, Vladimír Čunát > > wrote: >> >> On 06/20/2018 04:59 PM, Tom Pusateri wrote: >>> DNSSEC wi

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

2018-06-21 Thread Paul Hoffman
On 21 Jun 2018, at 9:40, Shumon Huque wrote: My goal is to ensure that when you receive a zone file -- however you receive it (DNS, HTTPS, P2P file sharing, Avian Carrier) -- you get the data that the zone publisher actually published. I can't argue with that goal (and yes, you should proba

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Shumon Huque
On Thu, Jun 21, 2018 at 8:05 AM Tom Pusateri wrote: > On Jun 21, 2018, at 12:19 AM, Vladimír Čunát > wrote: > > On 06/20/2018 04:59 PM, Tom Pusateri wrote: > > DNSSEC will tell you the answer you get is correct but it could be a > to > a different question or be incomplete. > > Can you elaborate

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Shumon Huque
On Thu, Jun 21, 2018 at 9:55 AM Warren Kumari wrote: > > I think that 95% of the issue is on the stub side. > > Paul's https://github.com/BII-Lab/DNSoverHTTP and Stubby both come fairly > close to solving this. The more I think about it, DPRIVE and DoH are > driving towards what I want. > > Yeah,

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

2018-06-21 Thread Shumon Huque
On Thu, Jun 21, 2018 at 2:19 AM Petr Špaček wrote: > > HTTPS over TLS is what we did for root zone import into Knot Resolver's > cache (from version 2.3 onwards but beware, there are little bugs which > were fixed in 2.4 - to be released soon). > Out of curiosity, which HTTPS source are you usin

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

2018-06-21 Thread Shumon Huque
On Thu, Jun 21, 2018 at 11:56 AM Wessels, Duane wrote: > > The problem I'm seeking to solve is somewhat different, and it's probably > not clearly stated in the draft so I will add some text to rectify that. > > I'm not trying to solve the problem that SIG(0), SIG(AXFR), or TLS > addresses > -- th

Re: [DNSOP] New Version Notification for draft-wessels-dns-zone-digest-01.txt

2018-06-21 Thread Wessels, Duane
> On Jun 20, 2018, at 11:19 PM, Petr Špaček wrote: > >> >> Longer term, perhaps the best solution will end up being XFR using DNS over >> TLS (or HTTPS) with server authentication. Yes, I realize that authoritative >> servers are not yet the targets of those protocols, but it's probably >> onl

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Mukund Sivaraman
On Fri, Jun 22, 2018 at 01:09:14AM +1000, Mark Andrews wrote: > > So how should the DNS cookies be implemented? IMHO if one server uses > > https://tools.ietf.org/html/rfc7873#appendix-B.1 > > and another server uses https://tools.ietf.org/html/rfc7873#appendix-B.2, > > then it's not interoperabl

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread ietf-dnsops
> On 21 Jun 2018, at 00:13, Paul Vixie wrote: > > ... >> So, SIG(0) could be many nice things, but without more implementations >> it is hobbled... > > i'd love to see it implemented. I would also add my voice to those who would love to see this implemented. I have looked at using SIG(0) ma

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Warren Kumari
On Thu, Jun 21, 2018 at 10:36 AM Mark Andrews wrote: > > > On 21 Jun 2018, at 12:25 am, Petr Špaček wrote: > > > > On 20.6.2018 16:10, Paul Wouters wrote: > >> On Wed, 20 Jun 2018, Petr Špaček wrote: > >> > >>> it seems that current specification of DNS cookies in RFC 7873 is not > >>> detailed

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Mark Andrews
> On 21 Jun 2018, at 5:21 pm, Daniel Salzman wrote: > > Hello Mark, > > On 06/20/2018 11:01 PM, Mark Andrews wrote: >> >>> On 21 Jun 2018, at 12:25 am, Petr Špaček wrote: >>> >>> On 20.6.2018 16:10, Paul Wouters wrote: On Wed, 20 Jun 2018, Petr Špaček wrote: > it seems that cu

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Mark Andrews
> On 21 Jun 2018, at 5:24 pm, Petr Špaček wrote: > > On 20.6.2018 23:01, Mark Andrews wrote: >>> On 21 Jun 2018, at 12:25 am, Petr Špaček wrote: >>> >>> On 20.6.2018 16:10, Paul Wouters wrote: On Wed, 20 Jun 2018, Petr Špaček wrote: > it seems that current specification of DNS c

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Mark Andrews
> On 21 Jun 2018, at 12:25 am, Petr Špaček wrote: > > On 20.6.2018 16:10, Paul Wouters wrote: >> On Wed, 20 Jun 2018, Petr Špaček wrote: >> >>> it seems that current specification of DNS cookies in RFC 7873 is not >>> detailed enough to allow deployment of DNS cookies in multi-vendor >>> anycas

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Warren Kumari
On Thu, Jun 21, 2018 at 4:52 AM Joe Abley wrote: > On Jun 20, 2018, at 21:05, Shumon Huque wrote: > > > On Wed, Jun 20, 2018 at 7:30 PM Joe Abley wrote: > >> On Jun 20, 2018, at 19:07, Warren Kumari wrote: >> >> ... what I'd always wanted[0] was to be able to set up my own recursive >> name ser

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Petr Špaček
On 21.6.2018 14:38, Donald Eastlake wrote: > Hi, > > As the first author of the DNS Cookies RFC, I would be happy to generate > a draft to standardize this to improve inter vendor interoperability for > anycast servers. Good! Where do we start? Right now I'm aware of a couple of requirements: 1. it h

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Donald Eastlake
Hi, As the first author of the DNS Cookies RFC, I would be happy to generate a draft to standardize this to improve inter vendor interoperability for anycast servers. Thanks, Donald On Thu, Jun 21, 2018 at 03:54 Ondřej Surý wrote: > > On 21 Jun 2018, at 09:24, Petr Špaček wrote: > > So let me

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Tom Pusateri
> On Jun 21, 2018, at 12:19 AM, Vladimír Čunát > wrote: > > On 06/20/2018 04:59 PM, Tom Pusateri wrote: >> DNSSEC will tell you the answer you get is correct but it could be a > to a >> different question or be incomplete. > Can you elaborate on that point. I believe in signed zones you are

Re: [DNSOP] SIG(0) useful (and used?)

2018-06-21 Thread Joe Abley
On Jun 20, 2018, at 21:05, Shumon Huque wrote: On Wed, Jun 20, 2018 at 7:30 PM Joe Abley wrote: > On Jun 20, 2018, at 19:07, Warren Kumari wrote: > > ... what I'd always wanted[0] was to be able to set up my own recursive > name server somewhere on the Internet, and then only allow myself (and

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Ondřej Surý
> On 21 Jun 2018, at 09:24, Petr Špaček wrote: > So let me ask again: > Are other vendors willing to work on sufficiently detailed > specification? If not just say it! +1 from ISC. I believe that we need to improve interoperability between the implementations or people will not be willing to deplo

Re: [DNSOP] DNS cookies and multi-vendor anycast incompatibility

2018-06-21 Thread Petr Špaček
On 20.6.2018 23:01, Mark Andrews wrote: >> On 21 Jun 2018, at 12:25 am, Petr Špaček wrote: >> >> On 20.6.2018 16:10, Paul Wouters wrote: >>> On Wed, 20 Jun 2018, Petr Špaček wrote: >>> it seems that current specification of DNS cookies in RFC 7873 is not detailed enough to allow deployme