[DNSOP] DNSSEC signed version of .PT

2010-01-13 Thread Sara Monteiro
FYI - Apologies if you have already seen this on other lists. Sara Monteiro Pedro Veiga wrote, On 12-01-2010 14:36: Dear colleagues, I'm glad to inform you that we have signed the ccTLD .PT in the beginning of 2010 and the DNSSEC signed version of .pt has been in production since 4th of January.

[DNSOP] Priming query transport selection

2010-01-13 Thread Olafur Gudmundsson
Draft http://tools.ietf.org/html/draft-ietf-dnsop-resolver-priming-02 says 2.1. Parameters of a Priming Query A priming query SHOULD use a QNAME of . and a QTYPE of NS. The priming query MUST be sent over UDP (section 6.1.3.2 of [RFC1123]). The UDP source port SHOULD be randomly

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Alex Bligh
--On 13 January 2010 13:19:30 -0500 Olafur Gudmundsson o...@ogud.com wrote: Going forward I think this is a bad recommendation. I would like to propose that the document take the plunge of recommending that modern DNSSEC capable resolvers perform the priming query over TCP. ... By making

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Jim Reid
On 13 Jan 2010, at 20:01, Alex Bligh wrote: An EDNS0 ignorant resolver MUST issue the priming query over UDP. I presume you mean DNSSEC ignorant. That's implicit. The language was in Olafur's original text BTW... If a resolver doesn't speak EDNS0, it can't set the DO bit. Which means the

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Alex Bligh
--On 13 January 2010 20:34:49 + Jim Reid j...@rfc1035.com wrote: An EDNS0 ignorant resolver MUST issue the priming query over UDP. I presume you mean DNSSEC ignorant. That's implicit. The language was in Olafur's original text BTW... If a resolver doesn't speak EDNS0, it can't set

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Alfred Hönes
I apologize for cross-posting due to topical overlap. Please confine follow-up messages to the appropriate list. In the message to DNSOP regarding draft-ietf-dnsop-resolver-priming-02 archived at http://www.IETF.ORG/mail-archive/web/dnsop/current/msg07843.html, Olafur Gudmundsson scratched at

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Alex Bligh
--On 13 January 2010 21:16:49 + Jim Reid j...@rfc1035.com wrote: On 13 Jan 2010, at 20:49, Alex Bligh wrote: Current operational practice would result in DO clear packets fitting within 4096 bytes, so no need for TCP when DO is clear. I don't think that's always the case Alex. See the

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Alex Bligh
--On 13 January 2010 21:35:48 + Alex Bligh a...@alex.org.uk wrote: Sure, clients should as a general rule try getting UDP to work, but I think preventing them falling back to UDP (^^^ - TCP) unless they are prepared to take the overhead of adding

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Jim Reid
On 13 Jan 2010, at 21:35, Alex Bligh wrote: You've eliminated TCP fallback for non-DNSSEC supporting clients. So add that to the list: [6] TCP (no EDNS0) if [5] fails.
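The priming query the draft specifies at the top of this thread (QNAME ".", QTYPE NS, sent over UDP) and the truncation-triggered retry over TCP that the replies argue about, as an added Python example that is not part of the thread or of draft-ietf-dnsop-resolver-priming. It builds the wire-format query with an EDNS0 OPT record carrying the DO bit, validates a reply against the query, and returns whether the query must be re-sent over TCP. No packets are sent: the reply is constructed inline, and the 4096-byte EDNS payload size, the RD=0 choice and the helper names are this example's own assumptions.

```python
"""Priming query construction and UDP->TCP truncation fallback.

Added example, not from the draft or the thread. Standard library only;
the "response" is constructed here so the fallback decision can be
exercised offline.
"""
import secrets
import struct

ROOT = b"\x00"                     # wire encoding of the root name "."
QTYPE_NS, QCLASS_IN, TYPE_OPT = 2, 1, 41
FLAG_QR, FLAG_TC = 0x8000, 0x0200  # header flag bits (RFC 1035 4.1.1)
EDNS_DO = 0x8000                   # DO bit: high bit of the OPT TTL field (RFC 3225)


def build_priming_query(msg_id=None, edns=True, do_bit=True, udp_payload_size=4096):
    """QNAME '.', QTYPE NS, QCLASS IN, RD=0; optionally an OPT RR with DO set.

    udp_payload_size=4096 is an assumption for this example, not a draft value."""
    if msg_id is None:
        msg_id = secrets.randbelow(1 << 16)  # unpredictable ID (RFC 5452)
    arcount = 1 if edns else 0
    msg = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, arcount)
    msg += ROOT + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    if edns:
        ttl = EDNS_DO if do_bit else 0
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
        # TTL=ext-rcode/version/DO/Z, RDLENGTH=0 (RFC 2671 layout)
        msg += ROOT + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, ttl, 0)
    return msg


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def needs_tcp_retry(query, response):
    """True when the UDP answer to `query` is truncated and must be re-asked over TCP.

    The ID and the echoed question are checked first, so a stray or spoofed
    datagram cannot steer the transport decision."""
    hdr = parse_header(response)
    if hdr["id"] != parse_header(query)["id"] or not hdr["qr"]:
        raise ValueError("response does not match query")
    if response[12:17] != query[12:17]:  # root name + QTYPE + QCLASS
        raise ValueError("question section mismatch")
    return hdr["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with a 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def constructed_response(query, truncated):
    """Constructed test reply: header plus echoed question, no RRs."""
    qid = parse_header(query)["id"]
    flags = FLAG_QR | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:17]


if __name__ == "__main__":
    q = build_priming_query()
    print(len(q), "byte UDP priming query (EDNS0, DO=1)")
    r = constructed_response(q, truncated=True)
    if needs_tcp_retry(q, r):
        print("TC set: re-sending over TCP,", len(tcp_frame(q)), "bytes framed")
```

The ID and question checks run before the TC bit is consulted on purpose: a forged datagram that merely sets TC should not be able to force a resolver onto a different transport, which is the spoofing concern raised later in this thread.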

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Olafur Gudmundsson
At 16:33 13/01/2010, Edward Lewis wrote: At 13:19 -0500 1/13/10, Olafur Gudmundsson wrote: The benefit is that a single query can retrieve the signed root NS set and all the signed glue records. I am not certain that the cost of doing TCP for this is worth the benefit of getting a signed

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Jaap Akkerhuis
What does a DNSSEC-protected priming query gain you? I was about to ask the same question. Accepting any old priming query and having a root SEP configured, if the query is right all things work. If the query is wrong/forged you won't get anywhere any how. (Without

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Olafur Gudmundsson
At 16:16 13/01/2010, Jim Reid wrote: On 13 Jan 2010, at 20:49, Alex Bligh wrote: Current operational practice would result in DO clear packets fitting within 4096 bytes, so no need for TCP when DO is clear. I don't think that's always the case Alex. See the lengthy discussion in this list

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Jaap Akkerhuis
Well having TCP used for all priming queries would make me feel better as TCP traffic is harder to forge. So let's forget about dnssec and do everything over TCP? But seriously DNSSEC signed and validated data should protect the resolver from going to the forged

Re: [DNSOP] Priming query transport selection

2010-01-13 Thread Nicholas Weaver
On Jan 13, 2010, at 2:41 PM, Olafur Gudmundsson wrote: At 16:16 13/01/2010, Jim Reid wrote: On 13 Jan 2010, at 20:49, Alex Bligh wrote: Current operational practice would result in DO clear packets fitting within 4096 bytes, so no need for TCP when DO is clear. I don't think that's