Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-10-04 Thread Dave Lawrence
A couple of quick observations:

* The draft says that the answer in a signed zone MAY be unsigned. Since this will ultimately cause a SERVFAIL for validating resolvers, it is not really acceptable.

* The draft does not describe at all what the proper behaviour is for an owner name that has

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-10-04 Thread Ólafur Guðmundsson
On Sun, Oct 4, 2015 at 7:32 AM, Dave Lawrence wrote:
> A couple of quick observations:
>
> * The draft says that the answer in a signed zone MAY be unsigned.
> Since this will ultimately cause a SERVFAIL for validating
> resolvers, it is not really acceptable.
>
You and Evan,

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-10-01 Thread Shane Kerr
On 2015-10-01 12:13+0100 Dick Franks wrote:
> Dick Franks
>
> On 1 October 2015 at 11:12, Shane Kerr wrote:
>
> >
> > In the case where people just want to reduce the damage of ANY queries
> > in reflection attacks, I

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-10-01 Thread Dick Franks
Dick Franks

On 1 October 2015 at 11:12, Shane Kerr wrote:
>
> In the case where people just want to reduce the damage of ANY queries
> in reflection attacks, I quite like the PowerDNS option of forcing ANY
> queries to TCP via truncation. I'm

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-10-01 Thread Paul Vixie
Shane Kerr wrote:
>
> In the case where people just want to reduce the damage of ANY queries
> in reflection attacks, I quite like the PowerDNS option of forcing ANY
> queries to TCP via truncation. I'm not sure if this has been documented
> in any RFC, but if not then perhaps it bears

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-10-01 Thread Ólafur Guðmundsson
On Wed, Sep 30, 2015 at 10:08 PM, Evan Hunt wrote:
> On Wed, Sep 30, 2015 at 11:28:45PM -0400, Joe Abley wrote:
> > 1. Return an unsigned response. This will be marked as bogus, and
> > trigger a QTYPE=HINFO re-query that will either return an actual signed
> > HINFO from the zone

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-10-01 Thread Joe Abley
On 1 Oct 2015, at 1:08, Evan Hunt wrote: The disadvantages of pick-one-RRset that I can see are 1) more information leaked (but nothing that couldn't be obtained by sending queries for individual qtypes anyway), and 2) modestly larger response size (but still a lot better than unminimized ANY

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-10-01 Thread Evan Hunt
On Thu, Oct 01, 2015 at 09:02:09AM -0700, Ólafur Guðmundsson wrote:
> Only validating resolver will send follow up query,

Correct, but it would send them to every name server until it got a non-bogus reply. This is unnecessary collateral damage.

> Here is the deal there are 3 sources of ANY

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-09-30 Thread Joe Abley
On 30 Sep 2015, at 22:58, Evan Hunt wrote: The new proposal to return an empty HINFO record has the advantage of a smaller response, but will be inconvenient for DNSSEC-signed zones, unless the server has access to the signing key and can generate a covering RRSIG. This should be mentioned in

Re: [DNSOP] New Version Notification for draft-jabley-dnsop-refuse-any-00.txt

2015-09-30 Thread Evan Hunt
On Wed, Sep 30, 2015 at 11:28:45PM -0400, Joe Abley wrote:
> 1. Return an unsigned response. This will be marked as bogus, and
> trigger a QTYPE=HINFO re-query that will either return an actual signed
> HINFO from the zone or a signed proof of non-existence. We think. I
> haven't actually