Re: [DNSOP] questions about Signaling Cryptographic Algorithm Understanding (RFC 6975)

2020-06-04 Thread Brian Somers
On Jun 3, 2020, at 2:40 AM, Petr Špaček wrote: > > Hi dnsop, > > it seems that OpenDNS is the first to implement RFC 6975: > https://lists.dns-oarc.net/pipermail/dns-operations/2020-June/020219.html > > This reminded me of its existence so I looked at definition for validating > recursors: >

Re: [DNSOP] Validating responses when following unsigned CNAME chains...

2020-04-30 Thread Brian Somers
On Apr 30, 2020, at 8:17 AM, Ted Lemon wrote: > > On Apr 29, 2020, at 11:38 PM, Brian Somers wrote: >> Furthermore, the CNAME alias RRset must be validated unless the CD bit is >> set. >> A validating resolver MUST validate and can only return RRsets if they are

Re: [DNSOP] Validating responses when following unsigned CNAME chains...

2020-04-29 Thread Brian Somers
On Apr 29, 2020, at 7:12 PM, Shumon Huque wrote: > Mike, perhaps there was some confusion on this point 12 years ago, but > deployed validator code all agree on what the state is. I encourage > implementers to confirm (or correct me if I misstate something). Absolutely. You only get the AD bit

Re: [DNSOP] Working Group Last Call: draft-ietf-dnsop-nxdomain-cut

2016-06-21 Thread Brian Somers
On Jun 21, 2016, at 1:34 PM, Tim Wicinski wrote: > > > All > > The WGLC last call ended on this awhile ago, and the authors addressed all > the comments that were raised during the WGLC process. > > I want to thank everyone for their work on this. We'll be moving this

[DNSOP] Root server tar pitting? Is there a better way?

2016-05-16 Thread Brian Somers
Hi folks, I work at OpenDNS. We saw a DoS attack in Miami on Friday night around 10-11:00pm PST, consisting of UDP DNS requests for AAA.BBB.CCC.DDD where each of AAA, BBB, CCC and DDD are three digit numbers not greater than 500. Each query was answered with an NXDOMAIN by the root servers,

Re: [DNSOP] prefetch (HAMMER_TIME) draft

2013-11-18 Thread Brian Somers
of resolver implementations, for example. I just wanted to clarify one minor detail. -- JINMEI, Tatuya -- Brian Somers bsom...@opendns.com smime.p7s Description: S/MIME cryptographic signature ___ DNSOP mailing list DNSOP@ietf.org https

[DNSOP] prefetch (HAMMER_TIME) draft

2013-11-06 Thread Brian Somers
for more than just cache lookups/updates is undesirable at higher loads. -- Brian Somers bsom...@opendns.com

Re: [DNSOP] prefetch (HAMMER_TIME) draft

2013-11-06 Thread Brian Somers
this benefit? BR, Daniel On Wed, Nov 6, 2013 at 10:50 PM, Brian Somers bsom...@opendns.com wrote: Hi, I mentioned at the dnsop talk at IETF88 yesterday that I have some (hopefully) useful information regarding W.C.A. Wijngaards' prefetch work. At OpenDNS, we implemented the same thing