On Mon, May 07, 2018 at 07:07:05PM +0000, Job Snijders wrote:
> 3/ Section 3 states: "The responses received from queries to resolve
> each of these names would allow us to infer a trust key state of the
> resolution environment.".
> From what I understand, in today's DNS world we can only reasonably
> expect to do one query per packet. It is well understood that many
> operators use BGP-4 anycasting (ECMP), the likes of dnsdist, and/or
> simple UDP loadbalancers. I think it may be good to document that
> running 3 queries (in essence 3 independent experiments) may not
> generate sufficient data to properly infer the state (or any state) of
> the resolution environment. Each query (as part of a single sentinel
> data gathering session) may be handled by an entirely different resolver
> with different keys, contaminating any lookup in the proposed truth
> tables. Section 4 covers a number of cases where the results are
> indeterminate. It maybe should be added to Section 4 that the client has
> no awareness of how the resolver environment is constructed, and thus
> requiring multiple independent queries to infer state has its downsides.

Do the authors agree with the above observation? If so, we can work to
produce text.

Kind regards,


DNSOP mailing list

Reply via email to