Re: [DNSOP] EDNS checksumming (was EDNS reply option to list unsupported options from query)

2015-09-29 Thread Mukund Sivaraman
Hi Shane On Tue, Sep 29, 2015 at 12:02:19PM +, Shane Kerr wrote: > If a checksum is added it will probably show up in the final fragment. > An attacker now needs to ensure that the final fragment shows up before > the final fragment from the real authority server. This is not too > difficult,

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-client-subnet

2015-09-29 Thread Wilmer van der Gaast
On 23 September 2015 at 21:40, Dave Lawrence wrote: > Ted Lemon writes: >> It would be helpful if the authors could explain why the REFUSED >> response is being used here. > > Not to be glib, but because that's what Wilmer originally specified. > That's thus what got implemented by

Re: [DNSOP] Fw: New Version Notification for draft-yao-dnsop-root-cache-00.txt

2015-09-29 Thread Shane Kerr
Jiankang Yao, I think a simpler approach that works in general is the "HAMMER" approach proposed by Warren Kumari, Roy Arends, and Suzanne Woolf a couple of years ago: https://tools.ietf.org/html/draft-wkumari-dnsop-hammer Basically the idea is that if a query is made for a RRSET that is near

Re: [DNSOP] Fwd: Expiration impending:

2015-09-29 Thread Shane Kerr
All, On Mon, 28 Sep 2015 16:53:25 +0100 Andras Salamon wrote: > On Mon, Sep 28, 2015 at 07:59:00AM -0400, Joe Abley wrote: > >This document describes existing practice, and provides guidance for > >people who need to bootstrap a validator using the mechanisms provided > >by

[DNSOP] EDNS checksumming (was EDNS reply option to list unsupported options from query)

2015-09-29 Thread Shane Kerr
Paul(s) & all, tl;dr a checksum adds some small benefit for a moderate cost... worth it? On Mon, 28 Sep 2015 10:21:54 -0700 Paul Vixie wrote: > Paul Hoffman wrote: > > Paul's "no" (which I agree with) shows what might be a fatal flaw in > >

Re: [DNSOP] New Version Notification for draft-yao-dnsop-root-cache-00.txt

2015-09-29 Thread Paul Hoffman
On 29 Sep 2015, at 2:20, Shane Kerr wrote: Jiankang Yao, I think a simpler approach that works in general is the "HAMMER" approach proposed by Warren Kumari, Roy Arends, and Suzanne Woolf a couple of years ago: https://tools.ietf.org/html/draft-wkumari-dnsop-hammer A huge +1 to this. The
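The HAMMER idea that Shane Kerr's message (and this reply) point at, as an added example rather than code from the draft or from any resolver: a resolver cache that answers from cache as usual, but when a query arrives for an RRset whose remaining TTL is below a small threshold it also queues a refresh, so the record is renewed before it expires and no client ever blocks on the cache miss. The `upstream` callback, the fake clock, the 10-second TTL and the 192.0.2.1 answer are constructed for the simulation and are not from the thread.

```python
"""HAMMER-style prefetch cache (added example; not from draft-wkumari-dnsop-hammer)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class CacheEntry:
    rdata: Tuple[str, ...]
    ttl: int
    fetched_at: float
    refreshing: bool = False  # a refresh for this entry is already queued

    def remaining(self, now: float) -> float:
        return self.fetched_at + self.ttl - now


class HammerCache:
    """Serve from cache; when remaining TTL <= threshold, schedule a refresh."""

    def __init__(self, upstream: Callable[[str, str], Tuple[Tuple[str, ...], int]],
                 clock: Callable[[], float], threshold: float = 2.0):
        self.upstream = upstream          # hypothetical: (name, rtype) -> (rdata, ttl)
        self.clock = clock                # injected so the simulation is deterministic
        self.threshold = threshold        # seconds before expiry at which to prefetch
        self.cache: Dict[Tuple[str, str], CacheEntry] = {}
        self.prefetch_queue: List[Tuple[str, str]] = []
        self.upstream_queries = 0

    def _fetch(self, key: Tuple[str, str]) -> CacheEntry:
        self.upstream_queries += 1
        rdata, ttl = self.upstream(*key)
        self.cache[key] = CacheEntry(rdata, ttl, self.clock())  # fresh entry, refreshing=False
        return self.cache[key]

    def lookup(self, name: str, rtype: str) -> Tuple[Tuple[str, ...], str]:
        """Return (rdata, source); source is "cache" or "upstream"."""
        key = (name.lower().rstrip("."), rtype.upper())
        now = self.clock()
        entry = self.cache.get(key)
        if entry is None or entry.remaining(now) <= 0:
            return self._fetch(key).rdata, "upstream"   # the miss HAMMER tries to avoid
        if entry.remaining(now) <= self.threshold and not entry.refreshing:
            entry.refreshing = True
            self.prefetch_queue.append(key)             # refresh happens off the query path
        return entry.rdata, "cache"

    def run_prefetches(self) -> int:
        """Drain the queue (a real resolver would do this in the background)."""
        pending, self.prefetch_queue = self.prefetch_queue, []
        for key in pending:
            try:
                self._fetch(key)
            except Exception:
                # Refresh failed: let the old entry be re-queued on the next query.
                self.cache[key].refreshing = False
        return len(pending)


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def _run(threshold: float) -> Dict[str, object]:
    clock = FakeClock()

    def upstream(name: str, rtype: str) -> Tuple[Tuple[str, ...], int]:
        return (("192.0.2.1",), 10)     # constructed answer with a 10 s TTL

    cache = HammerCache(upstream, clock, threshold=threshold)
    events = []
    events.append(cache.lookup("www.example.net", "A")[1])   # t=0: cold miss
    clock.advance(5)
    events.append(cache.lookup("www.example.net", "A")[1])   # t=5: 5 s left
    clock.advance(4)
    events.append(cache.lookup("www.example.net", "A")[1])   # t=9: 1 s left
    cache.run_prefetches()                                   # refresh, if any was queued
    clock.advance(2)
    events.append(cache.lookup("www.example.net", "A")[1])   # t=11: original TTL expired
    return {"events": events, "upstream_queries": cache.upstream_queries}


def simulate() -> Dict[str, Dict[str, object]]:
    """Compare a HAMMER cache (threshold 2 s) with a plain TTL cache (threshold 0)."""
    return {"hammer": _run(threshold=2.0), "plain": _run(threshold=0.0)}


if __name__ == "__main__":
    print(simulate())
```

Both caches send the same two upstream queries; the difference is that with prefetching the second one is issued at t=9 while a cached answer is returned, so the lookup at t=11 is still served from cache instead of stalling on an expired record.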

Re: [DNSOP] New Version Notification for draft-yao-dnsop-root-cache-00.txt

2015-09-29 Thread Joe Abley
Hi Jiankang, What reason do you have to think that response latency from root servers has any measurable impact on end-user experience? Queries to root servers from individual clients are sent very infrequently, in my experience; the TTLs are not short. The probability that any client of a

Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt

2015-09-29 Thread Tony Finch
Joe Abley wrote: > > +---+---+-+ > | Value | Type | Status, Remarks | > +---+---+-+ > | 0 | EMPTY | Empty digest| > | 1

Re: [DNSOP] Terry Manderson's No Objection on draft-ietf-dnsop-root-loopback-04: (with COMMENT)

2015-09-29 Thread Paul Hoffman
On 26 Sep 2015, at 2:55, Terry Manderson wrote: Thank you for writing this document and describing how it is done and also the risks of doing this, and most importantly why it should not be done on a whim or by default. I concur that this is not a new idea. In fact I implemented a similar

Re: [DNSOP] Benoit Claise's No Objection on draft-ietf-dnsop-root-loopback-04: (with COMMENT)

2015-09-29 Thread Paul Hoffman
On 28 Sep 2015, at 6:53, Benoit Claise wrote: -- COMMENT: -- Malicious third parties might be able to observe that traffic on the network between the

Re: [DNSOP] New Version Notification for draft-muks-dnsop-dns-message-checksums-00.txt

2015-09-29 Thread Mukund Sivaraman
Hi Joe Thank you for this review. See comments below: On Mon, Sep 28, 2015 at 07:53:10PM -0400, Joe Abley wrote: > > > On 28 Sep 2015, at 11:51, Mukund Sivaraman wrote: > > > o draft-muks-dnsop-dns-message-checksums-00 > >Initial draft (renamed version). Removed the NONCE-COPY field as

Re: [DNSOP] New Version Notification for draft-yao-dnsop-root-cache-00.txt

2015-09-29 Thread Jiankang Yao
From: Joe Abley Date: 2015-09-29 23:00 To: yaojk CC: dnsop Subject: Re: [DNSOP] New Version Notification for draft-yao-dnsop-root-cache-00.txt >Hi Jiankang, >What reason do you have to think that response latency from root servers >has any measurable impact on end-user experience? > I think

Re: [DNSOP] Expiration impending:

2015-09-29 Thread David Conrad
On Sep 29, 2015, at 2:53 AM, Shane Kerr wrote: >> On Mon, Sep 28, 2015 at 07:59:00AM -0400, Joe Abley wrote: >>> This document describes existing practice, and provides guidance for >>> people who need to bootstrap a validator using the mechanisms provided >>> by ICANN

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-client-subnet

2015-09-29 Thread Dave Lawrence
David Dagon writes: > I have some concerns, which I describe below. [...] David, Thank you very much for your thoughtful comments. Broadly speaking, I very much agree with the bulk of them. Yet my current reaction is not to make any more alterations to the existing document. It describes the