On Mon, May 07, 2018 at 07:07:05PM +0000, Job Snijders wrote:
> 3/ Section 3 states: "The responses received from queries to resolve
> each of these names would allow us to infer a trust key state of the
> resolution environment.".
> From what I understand, in today's DNS world we can only reasonably
> expect to do one query per packet. It is well understood that many
> operators use BGP-4 anycasting (ECMP), the likes of dnsdist, and/or
> simple UDP loadbalancers. I think it may be good to document that
> running 3 queries (in essence 3 independent experiments) may not
> generate sufficient data to properly infer the state (or any state) of
> the resolution environment. Each query (as part of a single sentinel
> data gathering session) may be handled by an entirely different resolver
> with different keys, contaminating any lookup in the proposed truth
> tables. Section 4 covers a number of cases where the results are
> indeterminate. It maybe should be added to Section 4 that the client has
> no awareness of how the resolver environment is constructed, and thus
> requiring multiple independent queries to infer state has its downsides.

Do the authors agree with the above observation? If so, we can work to
produce text.

Kind regards,

Job

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
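
The contamination effect raised in the message above, as an added example that is not part of the original thread: it enumerates every way three sentinel queries can be spread over a load-balanced resolver pool and reports what the client would infer. Assumptions: the per-state answers follow the truth table in RFC 8509 section 3 (the published form of the sentinel draft), each query independently reaches a uniformly chosen backend, and the names `BEHAVIOUR`, `infer` and `outcome_distribution` and the sample pool are constructed for illustration.

```python
import itertools

# Answers a resolver in each state gives to the three sentinel queries,
# in the order (is-ta, not-ta, bogus). True = address returned,
# False = SERVFAIL. Assumed from the RFC 8509 section 3 truth table;
# the table itself is not reproduced in the message above.
BEHAVIOUR = {
    "Vnew": (True, False, False),  # validating, new key trusted
    "Vold": (False, True, False),  # validating, new key not trusted
    "Vind": (True, True, False),   # validating, no sentinel support
    "nonV": (True, True, True),    # not validating
}
CLASSIFY = {answers: state for state, answers in BEHAVIOUR.items()}


def infer(answers):
    """Client-side inference from the three observed answers."""
    return CLASSIFY.get(tuple(answers), "other")


def outcome_distribution(pool):
    """Exact distribution of inferred states when each of the three
    queries lands on an independently, uniformly chosen backend."""
    counts = {}
    for picked in itertools.product(pool, repeat=3):
        # Query i is answered by backend picked[i], not by one resolver.
        observed = (BEHAVIOUR[state][i] for i, state in enumerate(picked))
        result = infer(observed)
        counts[result] = counts.get(result, 0) + 1
    total = len(pool) ** 3
    return {state: n / total for state, n in counts.items()}


if __name__ == "__main__":
    # Constructed pool: two backends behind one address, one of which
    # has picked up the new trust anchor and one of which has not.
    for state, p in sorted(outcome_distribution(["Vnew", "Vold"]).items()):
        print(f"{state:5s} {p:.2f}")
```

With the constructed two-backend pool, half of all sessions infer a state ("Vind" or "other") that no backend in the pool actually has, which is the indeterminacy a Section 4 caveat would need to describe.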