On 28/03/2017 16:02, Dave Lawrence wrote:
> Understandable. I honestly have similar reservations.
>
> One thing that clouds this a little, as far as our draft is concerned,
> is that the ISP's CPE already knows this information so in a sense it
> isn't that a different party is being
> -Original Message-
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Evan Hunt
>
> On Tue, Mar 28, 2017 at 10:47:02PM -0500, John R Levine wrote:
> > That's exactly the problem -- a server that doesn't handle BULK will
> > return the wrong answer. It might return the BULK
> -Original Message-
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of John R Levine
>
> > But if you have a primary that supports BULK and a secondary
> > that doesn't, then you have two authoritative servers for the same
> > domain with the same serial number but one of is
On Tue, Mar 28, 2017 at 10:47:02PM -0500, John R Levine wrote:
> That's exactly the problem -- a server that doesn't handle BULK will
> return the wrong answer. It might return the BULK record itself or
> NXDOMAIN for an address that BULK would synthesize.
And, if the zone is signed, it'll be
But if you have a primary that supports BULK and a secondary that doesn't,
then you have two authoritative servers for the same domain with the same
serial number but one of is saying NXDOMAIN when the other one returns a
positive answer. This is a significant problem, and the draft ought to
> -Original Message-
> From: Evan Hunt [mailto:e...@isc.org]
>
> On Wed, Mar 29, 2017 at 12:41:26AM +, Woodworth, John R wrote:
> > I believe this would ultimately be less efficient than generating
> > the records on the fly.
>
> Unquestionably. This clearly wouldn't be the preferred
BULK actually does _not_ use regex for its syntax.
It does, however, "borrow" from regex in the way it identifies
backreferences. The similarities are intentional as to "feel"
familiar and be simple to grasp. This familiarity is likely
the cause of this misconception. Another is likely the use
On Wed, Mar 29, 2017 at 12:41:26AM +, Woodworth, John R wrote:
> I believe this would ultimately be less efficient than generating
> the records on the fly.
Unquestionably. This clearly wouldn't be the preferred behavior.
If the slave does understand BULK records, you'd just transfer
those.
On Tue, Mar 28, 2017 at 1:28 PM, Paul Hoffman wrote:
[...]
> - White Lies can be done with NSEC, not just with NSEC3. RFC 7129 calls
> these "minimally covering NSEC records". I would think that doing NSEC
> White Lies would require less CPU than doing NSEC3 White Lies
On Tue, Mar 28, 2017 at 12:20 PM, Paul Vixie wrote:
>
> since it allocates no code point and the method requires no interop,
> this draft feels a bit like resimprove, which died on the vine for no
> reason i can now recall. it's harmless as an FYI, but does not belong on
> the
> -Original Message-
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Evan Hunt
>
> On Tue, Mar 28, 2017 at 06:31:56PM -, John Levine wrote:
> > What if such a server receives BULK by AXFR? By IXFR?
>
> I agree these scenarios in particular need to be specified.
>
Hi Evan,
generally, we have not worried about versioning or capability
negotiation among axfr/ixfr partners. a zone administrator can simply
choose primary and secondary servers on the basis of advertised
capabilities, and remove any who can't conform.
last time we had this discussion, it emerged that
> -Original Message-
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of John Levine
>
> At yesterday's session, Tale confirmed that since BULK adds so much
> new special purpose complexity to DNS servers, the plan is that
> support for it will be optional.
>
> An optional RRTYPE
Wouldn't a BULK RR ignorant DNS server just store the BULK RR as opaque data?
Thanks,
Donald
===
Donald E. Eastlake 3rd +1-508-333-2270 (cell)
155 Beaver Street, Milford, MA 01757 USA
d3e...@gmail.com
On Tue, Mar 28, 2017 at 2:31 PM, John Levine
Paul Vixie writes:
> speaking of resimprove, i hope you'll include in this draft the idea of
> using delegation-TTL as a delegation-recheck interval, and using an
> authoritative NXDOMAIN from the delegator as proof that you need to run
> an "rm -rf" in your cache.
I definitely like the latter
Peter van Dijk writes:
> On 28 Mar 2017, at 16:35, Dave Lawrence wrote:
> > I grant that there is reason for pause because both Nominum and
> > OpenDNS have squatted code points which have duplicate functionality.
>
> Should this squatting perhaps be documented in the style of RFC 8093 to
>
That doesn't work -- this is intended to generate rDNS for IPv6 and other
places where you can't possibly store the full expansion.
It doesn't work for that particular use case, no, but there are other
benefits to BULK (the draft specifically mentions "the ability to transfer
BULK RR intentions
Ray Bellis writes:
> I'm somewhat philosophically opposed to anything that injects client
> related information such that it's shared between different parties.
Understandable. I honestly have similar reservations.
One thing that clouds this a little, as far as our draft is concerned,
is that
Earlier today Petr Špaček sent me an off-list comment that he intended
to be on-list, and I want to promote it:
On Tue, Mar 28, 2017 at 05:20:52PM +0200, Petr Špaček wrote:
> Here I have to agree with enforcing "MUST NOT". MD5 is a risk even on
> the validating side. It might provide attacker
One possible solution would be an EDNS signal indicating whether or not the
secondary server implements BULK. If not, the primary would have to expand
the BULK data during transfer, same as BIND expands $GENERATE.
That doesn't work -- this is intended to generate rDNS for IPv6 and other
places
On 2/29/2016 5:32 PM, joel jaeggli wrote:
On 2/29/16 3:12 PM, Warren Kumari wrote:
Per [RFC2434], IANA is requested to establish a DNS Underscore Name
Registry, for DNS node names that begin with the underscore character
(_) and have been specified in any published RFC, or are documented
On Tue, Mar 28, 2017 at 06:31:56PM -, John Levine wrote:
> What if such a server receives BULK by AXFR? By IXFR?
I agree these scenarios in particular need to be specified.
One possible solution would be an EDNS signal indicating whether or not the
secondary server implements BULK. If not,
All
We know we ran out of time, which is a regular problem for us. A
combination of being too optimistic in our scheduling and too many people
with interesting things to discuss. In the past we've tried to ask for
multiple sessions, but with the pressure on slots we've always backed
down. We
On 3/28/2017 2:37 PM, Paul Vixie wrote:
if someone wants a new _ name entered into a registry, and if they plan
to use it in a way that creates a sub-hierarchy, they should be advised
not to follow SRV's example, and in my opinion, the example that ought
to be set for them would be what SRV (and
The DNSOP WG has placed draft-kristoff-dnsop-dns-tcp-requirements in
state
Candidate for WG Adoption (entered by Tim Wicinski)
The document is available at
https://datatracker.ietf.org/doc/draft-kristoff-dnsop-dns-tcp-requirements/
___
DNSOP mailing
> On Mar 28, 2017, at 12:31 PM, Peter van Dijk
> wrote:
>
> Please note that neither draft handles the use case of also passing the port
> number, which in a world of growing CGN deployment, may soon prove quite
> important.
Can you elaborate?
John R Levine wrote:
>>> ... It's not offering advice that
>>> underscore names are wonderful, it's recognizing the ones that are in
>>> use now.
>>
>> as you wrote above, it's also saying "how to add new names". i'd like
>> our advice in this regard to be considered excellent.
>
> It's only
Dave Crocker wrote:
> On 3/28/2017 12:46 PM, Paul Vixie wrote:
>> i don't think it's wise to estimate damage by observed complain level.
>> if _ is now in world wide use for all kinds of stuff, you can still say
>> that SRV got it wrong, and that the recommended way to do this kind of
>> thing
... It's not offering advice that
underscore names are wonderful, it's recognizing the ones that are in
use now.
as you wrote above, it's also saying "how to add new names". i'd like
our advice in this regard to be considered excellent.
It's only providing the mechanics to add a name to the
On 3/28/2017 12:46 PM, Paul Vixie wrote:
i don't think it's wise to estimate damage by observed complain level.
if _ is now in world wide use for all kinds of stuff, you can still say
that SRV got it wrong, and that the recommended way to do this kind of
thing is different from what SRV did. you
John Levine wrote:
>> i don't think it's wise to estimate damage by observed complain level.
>> if _ is now in world wide use for all kinds of stuff, you can still say
>> that SRV got it wrong, and that the recommended way to do this kind of
>> thing is different from what SRV did.
>
> I don't
>i don't think it's wise to estimate damage by observed complain level.
>if _ is now in world wide use for all kinds of stuff, you can still say
>that SRV got it wrong, and that the recommended way to do this kind of
>thing is different from what SRV did.
I don't see how this is relevant to
At yesterday's session, Tale confirmed that since BULK adds so much
new special purpose complexity to DNS servers, the plan is that
support for it will be optional.
An optional RRTYPE with extra semantics introduces some new
compatibility problems. What happens if a server that doesn't support
During the mic discussions of NSEC5 yesterday, some speakers conflated a
few things.
- NSEC3 with a good dictionary allows a fair amount of zone enumeration,
but NSEC3 White Lies does not. Sharon did a good job of differentiating
this in her slides, but people talking about the need for NSEC5
In article you write:
>NAPTR very cunningly avoids this trap (IIRC) by constraining the rewrites
>to be on a strictly monotonically reducing suffix of the input.
Also, NAPTR does all of the complex stuff in the client applications.
All the
Paul Vixie wrote:
> i got underscores wrong in SRV. it may be that we should not follow that
> track at all.
>
> ...
this reminds me of the following related topic.
had SRV done underscores correctly, then the placement of DS would have
been more obvious. right now it's at the delegation
Dave Crocker wrote:
> There is already massive use of underscore names.
>
> Deep aesthetic pain notwithstanding, there hasn't been a groundswell of
> operational complaints that would be needed to reverse this many years
> and such widespread use of the convention.
i don't think it's wise to
at DNSOP yesterday i asked that anyone who thought zone enumeration was
a risk and that any crypto change (such as NSEC5) could manage that risk
should please accept a free demonstration of passive dns.
i realized that i could offer this more broadly. here is *.vix.su, one
of my vanity domains.
Dear HOMENET and DNSOP WG(s),
Wearing the INT AD hat.
Firstly, thank you to the DNSOP WG for the deep review, thoughts, and
considered responses to my request for review.
Secondly, my apologies for not sharing my throughs before the HOMENET session.
It would have been impractical to do so as
Hello,
On 28 Mar 2017, at 0:49, Dave Lawrence wrote:
Speaking of Ray's draft, our proposal is able to handle his use case
but unfortunately our use cases are not achievable in his. I'd
welcome joining up.
Please note that neither draft handles the use case of also passing the
port number,
Hello,
On 28 Mar 2017, at 16:35, Dave Lawrence wrote:
I grant that there is reason for pause because both Nominum and
OpenDNS have squatted code points which have duplicate functionality.
Should this squatting perhaps be documented in the style of RFC 8093 to
avoid future surprises?
Kind
Hi Philip,
On 28 Mar 2017, at 12:37, Philip Homburg wrote:
So if would be best if a validator that implements MD5 would still
return
NXDOMAIN is validation fails, but would keep the AD-bit clear even if
validation
passes for a domain signed using MD5.
In the interest of nitpick
On 3/28/2017 12:03 PM, Paul Vixie wrote:
if this is what we should have done, then it may be that the best thing
to do at this stage is, that. as in, declare the SRV got it wrong, and
note that _tcp and _udp have been camped upon by SRV, wrongly. all of
the service protocol names (_telnet, etc)
Warren Kumari wrote:
> ... I think
> that the actual algorithm specified is a secondary consideration --
> first we need to agree on if the concept / idea is good for general
> use.
that will depend on the algorithm. for example if it's only stretchy for
timeouts and servfail, but nxdomain is
Hello Shumon,
On 28 Mar 2017, at 14:08, Shumon Huque wrote:
OpenDNS also has had a similar feature (exact protocol unpublished
AFAICT)
for a while now (Smartcache, ~ 2009 I think).
There is some background at https://www.youtube.com/watch?v=Gt9VUPDoZk0
starting at 14:33. Slides at
i got underscores wrong in SRV. it may be that we should not follow that
track at all.
in C at that time, we were renaming our externally reachable library
symbols to add _ on the front (#define foo _foo), so that a compilation
which did not import that library (#include ) would be able to
use
> -Original Message-
> From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
>
> On Wed, Feb 15, 2017 at 10:33:50AM +, Woodworth, John R
> wrote a message of 121 lines which said:
>
> > We welcome _any_ feedback on the draft as we are hoping to have
>
On 27/03/2017 17:49, Dave Lawrence wrote:
> As Sara commented on Ray's draft that proposes a very similar option,
> draft-bellis-dnsop-xpf, this sort of thing clearly needs a close look
> at privacy, and I whole-heartedly agree. I've already been directly
> poking privacy-concerned individuals
> -Original Message-
> From: DNSOP [mailto:dnsop-boun...@ietf.org] On Behalf Of Tony Finch
>
> Woodworth, John R wrote:
>
> > Apologies but I did not hear the full question regarding BULK RR's and
> > the perl like back-references. If you could please
On Tue, Mar 28, 2017 at 11:19:10AM +0100,
Tony Finch wrote
a message of 33 lines which said:
> So my question is, how does the BULK rewriting system interact with DNS
> loops? Is there a CPU-eating tarpit in there?
Also, I find that the Security Considerations section of
I will be happy to take it over
Olafur
On Tue, Mar 28, 2017 at 12:03 PM, Stephane Bortzmeyer <
bortzmeyer+i...@nic.fr> wrote:
> On Sun, Mar 26, 2017 at 11:36:08AM -0700,
> RFC Errata System wrote
> a message of 42 lines which said:
>
> > The following errata
On Wed, Feb 15, 2017 at 10:33:50AM +,
Woodworth, John R wrote
a message of 121 lines which said:
> We welcome _any_ feedback on the draft as we are hoping to have it (or some
> incarnation) adopted by the WG soon and look to rally more interest around it.
On Sun, Mar 26, 2017 at 11:36:08AM -0700,
RFC Errata System wrote
a message of 42 lines which said:
> The following errata report has been verified for RFC8027,
OK, so, now, what do we do with this domain? Does anyone has a project
for it or should I let it expire?
So, now that this draft is re-activated, I'm perusing old postings
...
On 12/11/2015 12:46 PM, Bob Harold wrote:
_adsp. has trailing dot, none of the others do.
The current model is to ignore 'subordinate' underscore names, such as
_adsp and treat them as out of scope.
pgpkeys missing
On 28.3.2017 17:47, Paul Wouters wrote:
>> So again, MUST NOT is the right choice. I'm going to write tests for
>> Knot Resolver to ensure we never set AD bit for zones signed using MD5.
>> Right now.
>
> If you want to accomplish this, why not actually follow the MUST NOT and
> remove MD5
> So again, MUST NOT is the right choice. I'm going to write tests for
> Knot Resolver to ensure we never set AD bit for zones signed using MD5.
> Right now.
If you want to accomplish this, why not actually follow the MUST NOT and remove
MD5 support so it is treated as unsupported algorithm
On 28.3.2017 17:05, Evan Hunt wrote:
> On Tue, Mar 28, 2017 at 03:36:40PM +0100, Tony Finch wrote:
>> Chris Thompson just mentioned to me another reason for dropping support
>> for RSAMD5: it uses a different DNSKEY tag calculation, which implies that
>> dropping support should simplify validators
On Tue, Mar 28, 2017 at 6:20 AM, Pieter Lexis wrote:
> On Mon, 27 Mar 2017 18:19:09 -0400
> Jared Mauch wrote:
>
>> I will note there are other implementations out there as well, such as in
>> unbound. serve-expired configuration directive is
> On 28 Mar 2017, at 16:05, Evan Hunt wrote:
>
> My problem is with elevating "pointless" to the force of a "MUST NOT". I
> think it should be reduced in force to "OPTIONAL", "NOT RECOMMENDED", or
> even "SHOULD NOT". Kill it on the supply side.
A "MUST NOT" should kill it on
On Tue, Mar 28, 2017 at 03:36:40PM +0100, Tony Finch wrote:
> Chris Thompson just mentioned to me another reason for dropping support
> for RSAMD5: it uses a different DNSKEY tag calculation, which implies that
> dropping support should simplify validators more than dropping other
> algorithms.
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain Name System Operations of the IETF.
Title : DNS wire-format over HTTP
Authors : Linjian Song
Paul Vixie
On Thu, Mar 16, 2017 at 12:11 AM, tjw ietf wrote:
> During the first WGLC of draft-ietf-dnsop-refuse-any, several issues were
> raised by the working group that needed to be addressed. The Authors
> addressed the issues, but the changes are enough that there should be a
>
On Mon, Mar 13, 2017 at 08:59:32AM -0700,
internet-dra...@ietf.org wrote
a message of 45 lines which said:
> Title : DNS Terminology
> Authors : Paul Hoffman
> Andrew Sullivan
>
Pieter Lexis writes:
> I feel that the authors should attempt to describe the goal of the
> algorithm and suggest possible limits and describe pitfalls rather
> than describing the exact algorithm to use.
I confess I'm a bit flummoxed by this comment, as I believe the
document already does
Olafur Gudmundsson writes:
> Strictly speaking the draft was never formally submitted via IANA.
This is part of the problem with documentation. At least one natural
entry point for the process, the IANA assignments page, doesn't
indicate how to initiate expert review.
On 27 Mar 2017, at 21:41, Evan Hunt wrote:
On Mon, Mar 27, 2017 at 12:45:04PM -0700, Paul Vixie wrote:
also, a validator that outputs "secure" based on MD5 inputs is making
a
promise it can't keep.
MD5 is known to be breakable
Please: let's be careful with our wording here.
There are
On Mon, Mar 27, 2017 at 5:19 PM, Jared Mauch wrote:
> IOn Mar 27, 2017, at 5:59 PM, P Vix wrote:
> >
> > I agree to review and comment. Note that I am provisionally negative to
> the idea itself, and my review may reflect that. Vixie
>
>
> I will note
On Tue, Mar 28, 2017 at 4:41 AM, Evan Hunt wrote:
> We can and should kill MD5 key generation and signing (and I'll add this to
> the ticket about updating defaults in BIND) but I'm uncomfortable killing
> MD5 validation until I'm sure there aren't any legacy keys floating around.
Short history
On Mon, 27 Mar 2017 18:19:09 -0400
Jared Mauch wrote:
> I will note there are other implementations out there as well, such as in
> unbound. serve-expired configuration directive is available there as well.
I feel that the authors should attempt to describe the goal of
In your letter dated Tue, 28 Mar 2017 11:01:01 +0100 you wrote:
>Evan Hunt wrote:
>>
>> MD5 is known to be breakable, but it's not *as* breakable that hasn't been
>> signed, or a resolver that hasn't turned on validation.
>
>It features Postscript, PDF/JPEG, and GIF MD5 quines
Woodworth, John R wrote:
> Apologies but I did not hear the full question regarding BULK RR's and
> the perl like back-references. If you could please repeat the question
> we would be happy to comment.
I didn't ask the question, but based on a quick look at the
Evan Hunt wrote:
>
> MD5 is known to be breakable, but it's not *as* breakable that hasn't been
> signed, or a resolver that hasn't turned on validation.
If you haven't seen PoC||GTFO 0x14, run over to
https://www.alchemistowl.org/pocorgtfo/ and have a read.
It features
72 matches
Mail list logo