Re: [DNSOP] I-D Action: draft-ietf-dnsop-avoid-fragmentation-11.txt

Mukund-san, Thanks very much. I updated my local version. http://member.wide.ad.jp/~fujiwara/avoid-fragmentation.html -- Kazunori Fujiwara, JPRS > From: Mukund Sivaraman > Fujiwara-san, Vixie-san, > > On Thu, Jan 19, 2023 at 12:13:02AM -0800, internet-dra...@ietf.org wrote: >> >> A New In

Re: [DNSOP] Implementor's status on draft-ietf-dnsop-avoid-fragmentation: PowerDNS

Thanks very much. I updated my local version. http://member.wide.ad.jp/~fujiwara/avoid-fragmentation.html -- Kazunori Fujiwara, JPRS > From: Peter van Dijk > PowerDNS Authoritative Server, PowerDNS Recursor, PowerDNS dnsdist: > > * IP_PMTUDISC_OMIT with fallback to IP_PMTUDISC_DONT > * defa

Re: [DNSOP] With multi-algo DS, what to do if an RRSIG is missing?

On Mon, Jul 03, 2023 at 08:25:08PM +0200, Peter Thomassen wrote: > Now, assume a multi-signer setup of, say, algorithms 7 and 13. This is > not an uncommon transition (ietf.org did it last month, except that > they went unsigned). In such a scenario, a resolver on Red Hat would > only consider the

Re: [DNSOP] With multi-algo DS, what to do if an RRSIG is missing?

> On 4 Jul 2023, at 04:25, Peter Thomassen wrote: > > Dear DNSOP, > > It's well-known that DNSSEC multi-signer setups are problematic when > providers want to sign with different algorithms. > > In a hypothetical scenario where signing requirements would be relaxed, I > have a very specific

Re: [DNSOP] With multi-algo DS, what to do if an RRSIG is missing?

The rules are there to ensure that if the resolver see an algorithm it supports then it can validate the response. If you fail to follow the rules answers won’t ALWAYS validate. If there is one level of validation happening the validator should recover by trying other servers. If you have chain

[DNSOP] With multi-algo DS, what to do if an RRSIG is missing?

Dear DNSOP, It's well-known that DNSSEC multi-signer setups are problematic when providers want to sign with different algorithms. In a hypothetical scenario where signing requirements would be relaxed, I have a very specific question about how resolvers should behave. Apologies for the lengt

Re: [DNSOP] Dnsdir last call review of draft-ietf-dnsop-caching-resolution-failures-03

Hello Duane & others, thank you for your response. Comments inline below. On Thu, 2023-06-29 at 23:58 +, Wessels, Duane wrote: > > > > > > ## 2.2 > > > > The first paragraph correctly mentions "policy reasons". The second > > paragraph > > correctly says "they are not authoritative". I

Re: [DNSOP] Dnsdir early review of draft-ietf-dnsop-structured-dns-error-03

Hi Med, Thanks for the responses, further comments in-line. On Fri, Jun 30, 2023 at 9:24 PM wrote: > > Hi Matt, > > Thank you for the review. > > Please see inline. I let my co-author further comment as appropriate. > > Cheers, > Med > > > -Message d'origine- > > De : Matt Brown via Data

Re: [DNSOP] Review of draft-ietf-dnsop-dnssec-validator-requirements-06

On 6/30/23 22:15, Paul Wouters wrote: Section 13: [...] an attacker being able to provide a rogue trust anchor is potentially This is not a very realistic attack. The same section says: On the other hand, mishandling Trust Anchor is likely resulting in a validator unable to