Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread John Levine
In article you write: >Seems like .org needs to update an 18+ year old operation policy, and >just to clarify that has nothing to do with this draft as .org already >has this problem. I believe that every public contracted TLD does the same sort of suspensions that .ORG does since they all have s

[DNSOP] IETF108 minutes uploaded

2020-07-30 Thread Tim Wicinski
All The minutes for both sessions have been uploaded, with many thanks to Paul Hoffman. Please take a moment to look them over, and if you made a comment, that your comments were transcribed accurately. https://www.ietf.org/proceedings/108/minutes/minutes-108-dnsop-00.txt Please send any correc

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Brian Dickson
On Thu, Jul 30, 2020 at 1:44 PM Joe Abley wrote: > > There are some 20,000 examples in the ORG zone, of which at least 7,000 > are due to the domain suspension mechanism I gave as an example. There are > lots of well-functioning domains that would fail if all of those A/ > records suddenly st

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread John R Levine
If there are RRSIG(A) records in .com and .net there must have been a policy change since 2010? Sorry, no, they're different. For all of the new TLDs they run they have some test delegations with name servers in the TLD: emt-ns1.emt-t-1113662392-1595861228527-2-sdojq.aol. 172800 in

Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-01.txt

2020-07-30 Thread Tony Finch
I've had a look through and I have a few comments. Regarding smallest MTUs, I understand from Geoff Huston that it's common for IPv6 breakage to start at 1281 bytes. I would find it easier to understand the recommendations if the requirements for responder and requester were separated. In particu

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Tony Finch
John Levine wrote: > Paul Wouters wrote: > > > > Has anybody done a survey to find out how many TLD zones actually > > fit the description of "delegation-only"? > > I did some greppage, and found that all of the domains run by Verisign > and Nominet have signed non-glue A records. I think there

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Joe Abley
On 30 Jul 2020, at 17:10, Paul Wouters wrote: > On Thu, 30 Jul 2020, Joe Abley wrote: > >> My sense is that this is a nice idea in theory but doesn't solve a problem >> that anybody actually has, and the camel is starting to look a little bit >> fraught. But I don't think any proposal shoul

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Patrick Mevzek
On 30/07/2020 15:44, Brian Dickson wrote: On Thu, Jul 30, 2020 at 1:21 PM Joe Abley > wrote: $ORIGIN ORG. BADDOMAIN NS ... BADDOMAIN NS ... NS1.BADDOMAIN A 192.0.2.1 GOODDOMAIN NS NS1.BADDOMAIN.ORG. GOODDOMAIN NS

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Patrick Mevzek
On 30/07/2020 15:46, Joe Abley wrote: On 30 Jul 2020, at 16:36, Paul Wouters wrote: Seems like .org needs to update an 18+ year old operation policy, and just to clarify that has nothing to do with this draft as .org already has this problem. Again, I'm not a lawyer, but I think what we are

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Paul Wouters
On Thu, 30 Jul 2020, Joe Abley wrote: My sense is that this is a nice idea in theory but doesn't solve a problem that anybody actually has, and the camel is starting to look a little bit fraught. But I don't think any proposal should succeed or fail based on anybody's uninformed sense, hence

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Joe Abley
On 30 Jul 2020, at 16:36, Paul Wouters wrote: > Seems like .org needs to update an 18+ year old operation policy, and > just to clarify that has nothing to do with this draft as .org already > has this problem. Again, I'm not a lawyer, but I think what we are doing is a consequence of the contr

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Brian Dickson
On Thu, Jul 30, 2020 at 1:21 PM Joe Abley wrote: > > $ORIGIN ORG. > > BADDOMAIN NS ... > BADDOMAIN NS ... > NS1.BADDOMAIN A 192.0.2.1 > > GOODDOMAIN NS NS1.BADDOMAIN.ORG. > GOODDOMAIN NS ... > > If BADDOMAIN.ORG is suspended (or if the domain is suppressed for some > equivalent reason) then the z

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Joe Abley
On 30 Jul 2020, at 16:36, Paul Wouters wrote: > On Thu, 30 Jul 2020, Joe Abley wrote: > >>> The .org is definitely what I would call a >>> delegation-only domain. Now let's examine the corner case you have >>> and see if/what we can do. >> >> OK. Note that it's not a corner case, however; there

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Paul Wouters
On Thu, 30 Jul 2020, Joe Abley wrote: The .org is definitely what I would call a delegation-only domain. Now let's examine the corner case you have and see if/what we can do. OK. Note that it's not a corner case, however; there are many thousands of examples of this and although I haven't exa

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Joe Abley
Hi Paul, On 30 Jul 2020, at 16:28, Paul Wouters wrote: > On Thu, 30 Jul 2020, Ben Schwartz wrote: > >> I do not believe that is correct. The first and foremost purpose is for >> the bit to signal the parent zone's behaviour in a public way that >> prevents targeted / coerced atta

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Paul Wouters
On Thu, 30 Jul 2020, Ben Schwartz wrote: I do not believe that is correct. The first and foremost purpose is for the bit to signal the parent zone's behaviour in a public way that prevents targeted / coerced attacks from the parent. I would love to see some more description of

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Joe Abley
Hi Paul, On 30 Jul 2020, at 15:43, Paul Wouters wrote: > You are mixing up the generic policy of delegation only with the exact > semantics of the bit. I don't think so, but I would definitely appreciate some clarification if you think that's happening. > The .org is definitely what I would c

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread John Levine
In article , Paul Wouters wrote: >> Has anybody done a survey to find out how many TLD zones actually fit the >> description of "delegation-only"? I did some greppage, and found that all of the domains run by Verisign and Nominet have signed non-glue A records. I think there are a lot of TLDs

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Paul Wouters
On Thu, 30 Jul 2020, Joe Abley wrote: Has anybody done a survey to find out how many TLD zones actually fit the description of "delegation-only"? I know for a fact that ORG does not today and I would say is unlikely ever to. For example, any nameserver N that is subordinate to domain D and l

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Joe Abley
Hi Paul, On 30 Jul 2020, at 13:20, Paul Wouters wrote: > On Thu, 30 Jul 2020, Petr Špaček wrote: > >> It is hard to see what benefits draft-ietf-dnsop-delegation-only brings >> without having description of "DNSSEC Transparency" mechanism available. > > I do not believe that is correct. The fi

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Paul Wouters
On Thu, 30 Jul 2020, Petr Špaček wrote: It is hard to see what benefits draft-ietf-dnsop-delegation-only brings without having description of "DNSSEC Transparency" mechanism available. I do not believe that is correct. The first and foremost purpose is for the bit to signal the parent zone's b

Re: [DNSOP] Questions on draft-ietf-dnsop-delegation-only

2020-07-30 Thread Petr Špaček
Hello, I'm going to generalize Ben's questions: It is hard to see what benefits draft-ietf-dnsop-delegation-only brings without having description of "DNSSEC Transparency" mechanism available. Please describe intended usage of the proposed mechanism, at the moment it is hard to see all the deta