[DNSOP] draft-ietf-dnsop-refuse-any

2018-02-09 Thread Paul Wouters
draft-ietf-dnsop-refuse-any Didn't this reach the end of WGLC? The draft expired. Don't we all really still want this? Paul ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-ietf-dnsop-refuse-any

2018-02-09 Thread Joe Abley
Hi Paul, This draft is waiting for me to commit changes to and submit a revised draft. My co-author and our esteemed chairs have been badgering me with full efficiency, and the delay is all my fault. I have some time this weekend so long as I don't have to deal with another metre of snow, and I

Re: [DNSOP] draft-ietf-dnsop-refuse-any

2018-02-09 Thread Paul Wouters
> On Feb 9, 2018, at 20:22, Joe Abley wrote: > > Hi Paul, > > This draft is waiting for me to commit changes to and submit a revised draft. > > I aim to get it done before next week. Awesome! Thanks! Paul

Re: [DNSOP] draft-ietf-dnsop-refuse-any

2018-02-12 Thread Tony Finch
Paul Wouters wrote: > > On Feb 9, 2018, at 20:22, Joe Abley wrote: > > > > I aim to get it done before next week. > > Awesome! Thanks! And from me too - I was wondering about this draft the other day, so thanks Paul for prodding before I got a round tuit. Tony. -- f.anthony.n.finchhttp://

Re: [DNSOP] draft-ietf-dnsop-refuse-any

2018-02-12 Thread Joe Abley
On 12 Feb 2018, at 06:30, Tony Finch wrote: > Paul Wouters wrote: >>> On Feb 9, 2018, at 20:22, Joe Abley wrote: >>> >>> I aim to get it done before next week. >> >> Awesome! Thanks! > > And from me too - I was wondering about this draft the other day, > so thanks Paul for prodding before I

Re: [DNSOP] draft-ietf-dnsop-refuse-any

2018-02-19 Thread tjw ietf
The Badgering will continue! We're waiting because the chairs feel we can do a short WGLC and have this ready to go before London. Thank you all for adding pressure. Tim On Mon, Feb 12, 2018 at 10:41 AM, Joe Abley wrote: > On 12 Feb 2018, at 06:30, Tony Finch wrote: > > > Paul Wouters wrote

[DNSOP] draft-ietf-dnsop-refuse-any and QTYPE=RRSIG

2016-02-05 Thread Tony Finch
Last weekend one of our authoritative name servers (authdns1.csx.cam.ac.uk) suffered a series of DoS attacks which made it rather unhappy. Over the last week I have developed a patch for BIND to implement draft-ietf-dnsop-refuse-any which should allow us to handle ANY flood attacks better. http://f

[DNSOP] draft-ietf-dnsop-refuse-any - why not NOTIMP?

2017-08-07 Thread Ray Bellis
Having looked at this a few months ago when one of our partners was (briefly) returning NOTIMP for ANY queries, I find myself wondering why this isn't discussed in the draft? The draft does talk about *new* RCODEs, but not existing ones. My reading of RFC 1035 is that it would be a perfectly appr

Re: [DNSOP] draft-ietf-dnsop-refuse-any and QTYPE=RRSIG

2016-02-05 Thread Mark Andrews
In message , Tony Finch writes: > Last weekend one of our authoritative name servers > (authdns1.csx.cam.ac.uk) suffered a series of DoS attacks which made it > rather unhappy. Over the last week I have developed a patch for BIND to > implement draft-ietf-dnsop-refuse-any which should allow us to

Re: [DNSOP] draft-ietf-dnsop-refuse-any and QTYPE=RRSIG

2016-02-05 Thread Tony Finch
Mark Andrews wrote: > In message , Tony Finch writes: > > > > Would it be reasonable as an alternative to follow the refuse-any > > approach and just return the RRSIG(s) for one RRset? If so, I think > > this suggestion should be included in the draft. > > Yes, for both SIG and RRSIG. Thank

Re: [DNSOP] draft-ietf-dnsop-refuse-any and QTYPE=RRSIG

2016-02-05 Thread Ólafur Guðmundsson
On Fri, Feb 5, 2016 at 10:10 PM, Tony Finch wrote: > Last weekend one of our authoritative name servers > (authdns1.csx.cam.ac.uk) suffered a series of DoS attacks which made it > rather unhappy. Over the last week I have developed a patch for BIND to > implement draft-ietf-dnsop-refuse-any which

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-07 Thread Tony Finch
Another question: In order to minimize responses even further, I have made my code omit or include signature records depending on whether DO=0 or DO=1. That is, an ANY query with DO=0 gets one arbitrary unsigned RRset in response, and an ANY query with DO=1 gets one arbitrary signed RRset. Is th

Re: [DNSOP] draft-ietf-dnsop-refuse-any and QTYPE=RRSIG

2016-02-07 Thread Tony Finch
Ólafur Guðmundsson wrote: > > For all you care you can even return a forged RRSIG/SIG i.e. one that is > made up on the fly just make sure it covers a non existing TYPE :-) Make it an RRSIG covering an RRSIG with a private algorithm and you don't even need to do any crypto :-) (Not entirely seriou

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-07 Thread Evan Hunt
On Sun, Feb 07, 2016 at 02:16:15PM +, Tony Finch wrote: > Is this sensible, and if so, should it be suggested by the draft? Yes. I haven't looked in the draft recently, but I thought I mentioned that when I originally described this trick. Choose an arbitrary (preferably determinate) rrset to

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread Tony Finch
Evan Hunt wrote: > > Choose an arbitrary (preferably determinate) rrset to return, and > include its covering signature if it exists and DO=1 so the response can > validate. Right. My code currently just picks the first RRtype it gets from the backend data store (or the type covered if the first

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread Jared Mauch
> On Feb 8, 2016, at 10:33 AM, Tony Finch wrote: > > Doing anything more determinate would require an extra loop over the data > to choose, before the loop that builds the response. (Actually I can > probably avoid two loops if I'm clever.) I didn't think I cared enough to > do that. However som

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread Ólafur Guðmundsson
On Sun, Feb 7, 2016 at 2:16 PM, Tony Finch wrote: > Another question: > > In order to minimize responses even further, I have made my code omit or > include signature records depending on whether DO=0 or DO=1. That is, and > ANY query with DO=0 gets one arbitrary unsigned RRset in response, and a

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread Tony Finch
Ólafur Guðmundsson wrote: > Tony: the draft says right now: [...] > > Is that not sufficient ? The most relevant bit in the current draft is: If the DNS query includes DO=1 and the QNAME corresponds to a zone that is known by the responder to be signed, a valid RRSIG for the RRSets in

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-08 Thread bert hubert
On Mon, Feb 08, 2016 at 10:37:09AM -0500, Jared Mauch wrote: > Or just having the TCP implementation in BIND get improved as it’s clear there > are some more people pushing in this direction. I’m looking at just putting > something like DNSDIST on my hosts to process TCP and balance it across > mu

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-09 Thread Shane Kerr
Bert, At 2016-02-08 22:55:44 +0100 bert hubert wrote: > On Mon, Feb 08, 2016 at 10:37:09AM -0500, Jared Mauch wrote: > > Or just having the TCP implementation in BIND get improved as it’s clear > > there > > are some more people pushing in this direction. I’m looking at just putting > > someth

Re: [DNSOP] draft-ietf-dnsop-refuse-any and DO=0

2016-02-09 Thread bert hubert
On Mon, Feb 08, 2016 at 10:37:09AM -0500, Jared Mauch wrote: > Or just having the TCP implementation in BIND get improved as it’s clear there > are some more people pushing in this direction. I’m looking at just putting > something like DNSDIST on my hosts to process TCP and balance it across > mu

[DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson

2017-07-25 Thread Joe Abley
Hi Richard, all, I foolishly allowed Tim to pay for lunch and therefore have been tricked into doing actual work. There are a couple more of these inbound to the list, one for each of the e-mails containing points that were found not to have been addressed in -04. My goal is to identify some ki

[DNSOP] draft-ietf-dnsop-refuse-any: points from Stephane Bortzmeyer

2017-07-25 Thread Joe Abley
Salut Stephane, tout le monde, With reference to: https://mailarchive.ietf.org/arch/msg/dnsop/wwQV0yUMdx1mwO8ig9UyNbMMMWI > My personal nits, only editorial: > > > "ANY Query" refers to a DNS meta-query > > meta-query is not defined in this document, in RFC 1034, 1035 or > 7719. Opinion: jus

[DNSOP] draft-ietf-dnsop-refuse-any: points from Petr Špaček

2017-07-25 Thread Joe Abley
Hi Petr, all, With reference to: https://mailarchive.ietf.org/arch/msg/dnsop/lZDnD1kCZQ1Zvm0YF6wbWtg > 1. The case QTYPE=RRSIG should be made more prominent so it is > understood and not misused as ANY. There are implementations like Knot > Resolver which work around missing RRSIG rec

Re: [DNSOP] draft-ietf-dnsop-refuse-any - why not NOTIMP?

2017-08-07 Thread Ólafur Guðmundsson
This was the original proposal, the drawback is that resolvers do not cache the answer, and to make things worse they ask ALL NS addresses for the listed domain, thus it acts as a DDoS against the domain in question. Olafur On Mon, Aug 7, 2017 at 7:14 AM, Ray Bellis wrote: > Having looked at this a

Re: [DNSOP] draft-ietf-dnsop-refuse-any - why not NOTIMP?

2017-08-07 Thread Ray Bellis
On 07/08/2017 16:44, Ólafur Guðmundsson wrote: > This was the original proposal, > the drawback is that resolvers do not cache the answer, and to make > things worse they ask ALL NS addresses for the listed domain > thus it acts as a DDoS against the domain in question. Indeed - I've since conf

Re: [DNSOP] draft-ietf-dnsop-refuse-any - why not NOTIMP?

2017-08-07 Thread Paul Vixie
Ray Bellis wrote: ... returning NOTIMP for ANY queries, ... ... My reading of RFC 1035 is that it would be a perfectly appropriate response from a server that doesn't support ANY. the RFC was treated as a general guideline by most implementers, and once the code for some client or server a

Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Petr Špaček

2017-07-26 Thread Tony Finch
Joe Abley wrote: > > If anybody else here has thoughts about specific text or violent > objections to including QTYPE=RRSIG in general, please let me know (I > looked in the mail archive but couldn't find any there). I think it's helpful to mention RRSIG explicitly since it isn't immediately obvi

Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson

2017-07-26 Thread Richard Gibson
On Tue, Jul 25, 2017 at 4:52 PM, Joe Abley wrote: > >- There is no mechanism for signaling section 4.1/ section 4.3 > "partial > >response" behavior to clients (e.g., a new OPT record EDNS header flag > >bit > > dns-parameters.xhtm

Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson

2017-07-26 Thread Joe Abley
On 26 Jul 2017, at 13:28, Richard Gibson wrote: > The need for such a signal also came up recently in > https://tools.ietf.org/html/draft-wkumari-dnsop-multiple-responses-05#section-10 > . But in this case particularly, middleboxes should be a complete > non-issue... anyone expecting QTYPE=AN

Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson

2017-07-26 Thread Richard Gibson
On Wed, Jul 26, 2017 at 2:24 PM, Joe Abley wrote: > > On 26 Jul 2017, at 13:28, Richard Gibson wrote: > > > The need for such a signal also came up recently in > https://tools.ietf.org/html/draft-wkumari-dnsop-multiple- > responses-05#section-10 . But in this case particularly, middleboxes > sho

Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson

2017-07-26 Thread Joe Abley
On 26 Jul 2017, at 14:50, Richard Gibson wrote: > Yes, color me corrected on vocabulary but unconvinced on interference... > those slides seem to mostly demonstrate noncompliance by name servers > themselves with respect to EDNS data in queries, whereas the data I'm > suggesting would only a

Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Richard Gibson

2017-07-27 Thread Tony Finch
Joe Abley wrote: > On 26 Jul 2017, at 13:28, Richard Gibson wrote: > > > > I remain concerned about issuing incomplete responses to ANY queries > > without indication of such, and predict that it will hinder > > operational problem investigation and remediation (especially > > pertaining to IPv4/

Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from Petr Špaček

2017-08-07 Thread Petr Špaček
On 26.7.2017 12:56, Tony Finch wrote: > Joe Abley wrote: >> >> If anybody else here has thoughts about specific text or violent >> objections to including QTYPE=RRSIG in general, please let me know (I >> looked in the mail archive but couldn't find any there). > > I think it's helpful to mentio

[DNSOP] draft-ietf-dnsop-refuse-any: points from 神明達哉

2017-07-25 Thread Joe Abley
JINMEI-san, all, With reference to: https://mailarchive.ietf.org/arch/msg/dnsop/zy86pvg139PaKFXo-BO6SPUfh3k > I've reviewed the 04 version. I still do not think it's ready to move > forward as it still abuses HINFO. I understand some other people > don't care about this point, and some other

Re: [DNSOP] draft-ietf-dnsop-refuse-any: points from 神明達哉

2017-08-01 Thread 神明達哉
Hi, sorry for the delayed response. At Tue, 25 Jul 2017 16:53:12 -0400, Joe Abley wrote: > https://mailarchive.ietf.org/arch/msg/dnsop/zy86pvg139PaKFXo-BO6SPUfh3k > > > I've reviewed the 04 version. I still do not think it's ready to move > > forward as it still abuses HINFO. I understand so