Re: [DNSOP] Fwd: I-D Action: draft-toorop-dnsop-ranking-dns-data-00.txt
Ray Bellis writes:

> I get the impression with DELEG on the horizon that there's a shift
> towards the parent side data being considered more "authoritative" even
> though in protocol terms it explicitly isn't.

Yes and no; there's a bit of nuance to ferret out here. This is part of the original sin of parent/child NS. There is no child-side DELEG for parent-side DELEG to be considered more authoritative about. It is just authoritative in the parent in the same way that DS is, which incidentally is also more authoritative than if you put a DS in the apex.

Your general observation is, of course, correct that yes, this shift takes a clearer parent-centric view of the perennial parent-centric / child-centric debate. In practical terms, operations have largely been parent-centric anyway.

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Re: [DNSOP] Fwd: I-D Action: draft-toorop-dnsop-ranking-dns-data-00.txt
Willem Toorop writes:

> Should RFC 8767 stale data be ranked differently than fresh data?
> Should EDNS Client Subnet play into ranking?
>
> I like your thinking! Yes, fresh data should replace stale data in
> resolver caches

It's basically A- in your draft's hierarchy, I think, though the current structure gives each letter grade only one type of data for it and there's already an A-.

However, I am also wondering about the A- as described, because it seems to suggest that an SOA in auth is less trustworthy than an SOA in ans. (Also, A and A- differ in "authoritative reply" vs "authoritative answer", which are seemingly describing the same thing.) I get that you're trying to indicate that NS in auth is lower than (correctly scoped) NS in ans, but it needs a little finagling, maybe just to call out explicitly NS rather than generalized data.
Re: [DNSOP] Fwd: I-D Action: draft-toorop-dnsop-ranking-dns-data-00.txt
I think this document gives an opportunity to explicitly clarify expectations regarding the NS records either side of the zone cut.

I get the impression with DELEG on the horizon that there's a shift towards the parent side data being considered more "authoritative" even though in protocol terms it explicitly isn't.

Even if that's not the case, discussion of when child-side NS records should be purged and then re-learned by following the parent-side delegation would be useful.

I also idly wonder what would happen if one were able to incorrectly put the DS records for a zone into the child zone...

cheers,

Ray
Re: [DNSOP] Fwd: I-D Action: draft-toorop-dnsop-ranking-dns-data-00.txt
On 06-03-2024 at 22:06, Wessels, Duane wrote:

> Hi, some initial thoughts:
>
> RFC 2181 says "Data from a zone transfer, other than glue" but this draft doesn't make any exceptions for glue or non-authoritative data from a zone transfer. Is that intentional?

Well, RFC 2181 had a uniquely broad definition of glue (see also the terminology draft: https://www.ietf.org/archive/id/draft-ietf-dnsop-rfc8499bis-10.html#section-7-2.29), so I came up with "other than occluded data" to be more generic, but I suppose that wouldn't include the delegation NS records themselves, so that won't work either. I'll try to come up with something better...

> Should RFC 8767 stale data be ranked differently than fresh data?
> Should EDNS Client Subnet play into ranking?

I like your thinking! Yes, fresh data should replace stale data in resolver caches, and yes a more specific ECS prefix answer is preferable over a less specific ECS prefix. The draft is intended to start re-evaluation and re-thinking of that ranking. The authors are planning to discuss this extensively at the hackathon preceding IETF 119.

This is already very good input! So, thanks!

-- Willem

> DW
>
> On Mar 4, 2024, at 6:37 PM, Benno Overeinder wrote:
>
> Forwarded Message
> Subject: I-D Action: draft-toorop-dnsop-ranking-dns-data-00.txt
> Date: Mon, 04 Mar 2024 13:12:26 -0800
> From: internet-dra...@ietf.org
> To: i-d-annou...@ietf.org
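The ranking Duane and Willem are discussing above, as an added example that is not part of this thread or of the draft: a cache-replacement check that orders data per RFC 2181 section 5.4.1, adds the two endpoints the draft abstract names (root hints lowest, DNSSEC-validated data highest), and applies the fresh-over-stale and more-specific-ECS tie-breakers Willem endorses. The numeric rank values, the `Rank`/`RRsetEntry` names, and the equal-rank policy are this example's own assumptions, not values the draft assigns.

```python
from dataclasses import dataclass
from enum import IntEnum

class Rank(IntEnum):
    """Trust ranking, lowest to highest: RFC 2181 s.5.4.1 order plus the two
    endpoints from the draft abstract. Numeric values are constructed here."""
    ROOT_HINTS = 0              # built-in or root hints file (draft extension)
    ADDITIONAL_OR_REFERRAL = 1  # additional section; authority section of non-auth reply
    NONAUTH_ANSWER = 2          # answer section of a non-authoritative reply
    GLUE = 3                    # glue from a primary zone or zone transfer
    AUTH_AUTHORITY = 4          # authority section of an authoritative reply
    AUTH_ANSWER = 5             # authoritative data in the answer section
    ZONE_TRANSFER = 6           # zone transfer data, other than glue
    PRIMARY_ZONE = 7            # primary zone file data, other than glue
    DNSSEC_SECURE = 8           # validated Secure (draft extension)

@dataclass(frozen=True)
class RRsetEntry:
    owner: str
    rtype: str
    rank: Rank
    stale: bool = False     # being served past its TTL under RFC 8767
    ecs_scope: int = 0      # ECS SCOPE PREFIX-LENGTH (RFC 7871); 0 = not subnet-specific

def should_replace(cached: RRsetEntry, incoming: RRsetEntry) -> bool:
    """RFC 2181: higher rank replaces lower, lower never replaces higher.
    Equal rank: fresh replaces stale, a more specific ECS scope replaces a
    less specific one; otherwise keep the cached entry (constructed policy)."""
    if incoming.rank != cached.rank:
        return incoming.rank > cached.rank
    if cached.stale != incoming.stale:
        return cached.stale
    return incoming.ecs_scope > cached.ecs_scope

def usable_as_answer(entry: RRsetEntry) -> bool:
    """RFC 2181: data from the least trustworthy grouping must never be
    returned as an answer, only as additional information."""
    return entry.rank > Rank.ADDITIONAL_OR_REFERRAL

def delegation_example() -> dict:
    """Constructed case behind Ray's question: the parent's referral carries
    the example.com NS set in the authority section of a non-authoritative
    reply; the child's authoritative answer carries its apex NS set."""
    parent_ns = RRsetEntry("example.com.", "NS", Rank.ADDITIONAL_OR_REFERRAL)
    child_ns = RRsetEntry("example.com.", "NS", Rank.AUTH_ANSWER)
    return {"child_replaces_parent": should_replace(parent_ns, child_ns),
            "parent_replaces_child": should_replace(child_ns, parent_ns),
            "parent_ns_answerable": usable_as_answer(parent_ns)}
```

Note that the parent-side NS set lands in the lowest grouping because a referral is a non-authoritative reply, which is exactly the "in protocol terms it explicitly isn't" point Ray raises.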
Re: [DNSOP] Fwd: I-D Action: draft-toorop-dnsop-ranking-dns-data-00.txt
Hi, some initial thoughts:

RFC 2181 says "Data from a zone transfer, other than glue" but this draft doesn't make any exceptions for glue or non-authoritative data from a zone transfer. Is that intentional?

Should RFC 8767 stale data be ranked differently than fresh data?

Should EDNS Client Subnet play into ranking?

DW

> On Mar 4, 2024, at 6:37 PM, Benno Overeinder wrote:
>
> Forwarded Message
> Subject: I-D Action: draft-toorop-dnsop-ranking-dns-data-00.txt
> Date: Mon, 04 Mar 2024 13:12:26 -0800
> From: internet-dra...@ietf.org
> To: i-d-annou...@ietf.org
[DNSOP] Fwd: I-D Action: draft-toorop-dnsop-ranking-dns-data-00.txt
Forwarded Message
Subject: I-D Action: draft-toorop-dnsop-ranking-dns-data-00.txt
Date: Mon, 04 Mar 2024 13:12:26 -0800
From: internet-dra...@ietf.org
To: i-d-annou...@ietf.org

Internet-Draft draft-toorop-dnsop-ranking-dns-data-00.txt is now available.

Title: Ranking Domain Name System data
Authors: Paul Hoffman
         Shumon Huque
         Willem Toorop
Name: draft-toorop-dnsop-ranking-dns-data-00.txt
Pages: 4
Dates: 2024-03-04

Abstract:

This document extends the list ranking the trustworthiness of domain name system (DNS) data (see Section 5.4.1 of [RFC2181]). The list is extended with entries for root server names and addresses built-in resolvers, and provided via a root hints file with the lowest trustworthiness, as well as an entry for data which is verifiable DNSSEC secure with the highest trustworthiness. This document furthermore assigns ranked values to the positions of the list for easier reference and comparison of trustworthiness of DNS data.

The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-toorop-dnsop-ranking-dns-data/

There is also an HTMLized version available at:
https://datatracker.ietf.org/doc/html/draft-toorop-dnsop-ranking-dns-data-00

Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts