Re: [DNSOP] Question on interpretation of DO and CD

2021-10-06 Thread Mark Andrews
> On 7 Oct 2021, at 15:49, George Michaelson wrote: > >> First of all, it is apparent that if a resolver maintains a unified cache in >> which it has DNSSEC-aware and DNSSEC-oblivious data, things will definitely >> break. The general wisdom appears to be that you need to maintain two >> ca

Re: [DNSOP] Question on interpretation of DO and CD

2021-10-06 Thread George Michaelson
> First of all, it is apparent that if a resolver maintains a unified cache in > which it has DNSSEC-aware and DNSSEC-oblivious data, things will definitely > break. The general wisdom appears to be that you need to maintain two > caches, and only answer DO-set queries with DO-set cache (or go

Re: [DNSOP] Question on interpretation of DO and CD

2021-10-06 Thread Andrew Sullivan
Hi, Disclaimer: I work for the Internet Society but am speaking for myself. On Wed, Oct 06, 2021 at 04:47:32PM -0700, Eric Rescorla wrote: Sorry if these are dumb questions. They are not dumb questions, unfortunately. Looking at things from the stub resolver's perspective, if the zone is si

Re: [DNSOP] Question on interpretation of DO and CD

2021-10-06 Thread Mark Andrews
You should also note that a validating stub resolver (or anything talking through a validating resolver) should be prepared to send *both* DO and DO+CD queries. There are different error conditions / threats that are mitigated by each of these settings and only by trying the other on error can you

Re: [DNSOP] Bailiwick discussion for draft-ietf-dnsop-rfc8499bis

2021-10-06 Thread John Levine
It appears that Paul Wouters said: >The suggestion by Tony Finch: > > * Sibling zones: two zones whose delegations are in the same > parent zone. > > * Sibling glue: addresses of nameservers that are in a sibling zone. So far we agree (which when it's Paul and me, is really saying someth
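The sibling-zone and sibling-glue definitions quoted above (Tony Finch's, as relayed by Paul Wouters and John Levine), turned into a small classifier for the nameserver names of one delegation. This is an added example, not code from the thread or from draft-ietf-dnsop-rfc8499bis; the four categories, the whole-label suffix matching, and the requirement that the caller supply the set of zones delegated from the parent (`delegated_from_parent`) are assumptions made here for illustration.

```python
"""Classify a delegation's nameserver names under the sibling-zone /
sibling-glue definitions quoted above. Added example; not from the thread."""


def labels(name):
    """Case-folded label tuple; '.' (the root) becomes ()."""
    return tuple(l.lower() for l in name.strip(".").split(".") if l)


def is_at_or_below(name, zone):
    """True if name is zone itself or a subdomain of it (whole-label match,
    so 'notexample.' is not below 'example.')."""
    n, z = labels(name), labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z


def classify_ns(child, parent, ns_name, delegated_from_parent):
    """Where does ns_name sit relative to the delegation parent -> child?

    delegated_from_parent: apexes of every zone the parent delegates
    (constructed input; assumed complete and to include child).
      'in-bailiwick'     at or below the child apex: glue is the only way in
      'sibling'          at or below another zone delegated from the same
                         parent (addresses there would be sibling glue)
      'parent'           in the parent zone itself, above any delegation
      'out-of-bailiwick' elsewhere; resolved independently, no glue involved
    """
    if not is_at_or_below(child, parent):
        raise ValueError("%s is not below %s" % (child, parent))
    if is_at_or_below(ns_name, child):
        return "in-bailiwick"
    for sib in delegated_from_parent:
        if labels(sib) != labels(child) and is_at_or_below(ns_name, sib):
            return "sibling"
    if is_at_or_below(ns_name, parent):
        return "parent"
    return "out-of-bailiwick"


def glue_plan(child, parent, ns_names, delegated_from_parent):
    """Map each NS target of the delegation to its class. The names the parent
    must carry glue for to avoid an unresolvable loop are the in-bailiwick ones;
    whether sibling glue is also required is the question the thread is about."""
    return {ns: classify_ns(child, parent, ns, delegated_from_parent)
            for ns in ns_names}


if __name__ == "__main__":
    # Constructed sample: example. delegates a.example. and b.example.
    print(glue_plan("a.example.", "example.",
                    ["ns1.a.example.", "ns1.b.example.", "ns.example.", "ns.example.net."],
                    {"a.example.", "b.example."}))
```

The whole-label comparison matters: a naive string suffix test would file `nsa.example.` under `a.example.` and `ns.notexample.` under `example.`.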

Re: [DNSOP] Question on interpretation of DO and CD

2021-10-06 Thread Michael StJohns
Hi EKR - Your table looks correct and hope. You may want to take a look at section 5.9 of RFC 6840, as well as appendix B as there's some implementation guidance with respect to the setting of the CD bit. Mike On 10/6/2021 7:47 PM, Eric Rescorla wrote: Hi folks, We've been trying to tak

[DNSOP] Question on interpretation of DO and CD

2021-10-06 Thread Eric Rescorla
Hi folks, We've been trying to take some measurements of the success of endpoint DNSSEC validation and run into some confusion about the implications of the DO and CD bits. Sorry if these are dumb questions. In the section on stub resolvers RFC 4035 says: A validating security-aware stub reso
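The DO and CD bits that Eric Rescorla's question and Mark Andrews's reply above turn on, shown in the wire format: CD is a flag bit in the DNS header (RFC 4035), DO is the top bit of the extended flags carried in the TTL field of the EDNS0 OPT RR (RFC 6891). This is an added example, not code from the thread. `fake_upstream` is a constructed stand-in for a recursive resolver whose own validation is failing, and `resolve_with_fallback` is one possible retry policy in the spirit of "be prepared to send both DO and DO+CD" (DO first, DO+CD on SERVFAIL); that policy and the local-validation step it leaves out are assumptions here, not something the thread or the RFCs prescribe.

```python
"""Hand-built DNS queries showing where DO and CD live, plus a DO / DO+CD
retry policy for a validating stub. Added example; not code from the thread."""
import struct

# Header flag bits (RFC 1035; AD and CD from RFC 4035).
QR, RD, RA, AD, CD = 1 << 15, 1 << 8, 1 << 7, 1 << 5, 1 << 4
RCODE_SERVFAIL = 2
# DO is the high bit of the 16 extended flags in the OPT RR TTL field (RFC 6891).
OPT_TYPE, DO = 41, 1 << 15


def encode_name(name):
    """Uncompressed wire form of a dotted name such as 'example.com.'."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Offset just past the name at msg[off:]; a compression pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_query(qname, qtype=1, txid=0x1234, do=True, cd=False, udp_size=1232):
    """RD always set; CD in the header if cd; an OPT RR carrying DO if do.
    (A stub that does not want DNSSEC records simply sends no OPT RR here.)"""
    flags = RD | (CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    msg = header + question
    if do:
        # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
        # TTL = ext-RCODE(8) | version(8) | flags(16) with DO set, RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, DO, 0)
    return msg


def parse_message(msg):
    """Header flags, counts, and whether an OPT RR with DO set is present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"txid": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & DO:
            info["do"] = True
    return info


def fake_upstream(query):
    """Constructed stand-in for a recursive resolver whose own validation is
    failing (say, a stale trust anchor): SERVFAIL on CD=0, data on CD=1."""
    txid, flags, *_ = struct.unpack("!HHHHHH", query[:12])
    question = query[12:skip_name(query, 12) + 4]
    cd = bool(flags & CD)
    rflags = QR | RD | RA | (CD if cd else 0) | (0 if cd else RCODE_SERVFAIL)
    msg = struct.pack("!HHHHHH", txid, rflags, 1, 1 if cd else 0, 0, 1) + question
    if cd:
        # One A record (192.0.2.1, documentation range); owner name is a
        # compression pointer to the question name at offset 12.
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, DO, 0)
    return msg


def resolve_with_fallback(send, qname, qtype=1):
    """One retry policy (an assumption, not something the thread prescribes):
    ask with DO and CD=0 first so the upstream validates for us; on SERVFAIL
    ask again with DO+CD so we receive the RRsets and RRSIGs to validate
    locally. Local validation is not implemented here. Returns (response, cd_used)."""
    resp = send(build_query(qname, qtype, do=True, cd=False))
    if parse_message(resp)["rcode"] != RCODE_SERVFAIL:
        return resp, False
    return send(build_query(qname, qtype, txid=0x1235, do=True, cd=True)), True
```

The two settings cover different failures: with CD=0 a broken or hostile answer is stopped at the validating resolver, which also protects a stub that cannot validate; with CD=1 the stub gets the records regardless and must judge them itself, which is what rescues it when the resolver's validation, not the data, is what is broken.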

Re: [DNSOP] Bailiwick discussion for draft-ietf-dnsop-rfc8499bis

2021-10-06 Thread Brian Dickson
On Wed, Oct 6, 2021 at 12:05 PM Paul Wouters wrote: > On Wed, 6 Oct 2021, Paul Hoffman wrote: > > > Greetings again. I think that all of the issues from the WG on > draft-ietf-dnsop-rfc8499bis have been dealt with, except one significant > one. Almost a year ago, Tony Finch started a thread about

Re: [DNSOP] Bailiwick discussion for draft-ietf-dnsop-rfc8499bis

2021-10-06 Thread Paul Wouters
On Wed, 6 Oct 2021, Paul Hoffman wrote: Greetings again. I think that all of the issues from the WG on draft-ietf-dnsop-rfc8499bis have been dealt with, except one significant one. Almost a year ago, Tony Finch started a thread about 8499's definitions of bailiwick and sibling glue. The threa

Re: [DNSOP] Bailiwick discussion for draft-ietf-dnsop-rfc8499bis

2021-10-06 Thread Tim Wicinski
Paul, Thanks for bringing this up. I feel this topic is also relevant to the draft-ietf-dnsop-glue-is-not-optional draft currently being worked on. While I am sure folks are aware of this, this is more of a note that having the definitions clarified will help us move this other draft forward. th

[DNSOP] Bailiwick discussion for draft-ietf-dnsop-rfc8499bis

2021-10-06 Thread Paul Hoffman
Greetings again. I think that all of the issues from the WG on draft-ietf-dnsop-rfc8499bis have been dealt with, except one significant one. Almost a year ago, Tony Finch started a thread about 8499's definitions of bailiwick and sibling glue. The thread is

Re: [DNSOP] [Ext] Benjamin Kaduk's No Objection on draft-ietf-dnsop-dnssec-iana-cons-04: (with COMMENT)

2021-10-06 Thread Paul Hoffman
On Oct 5, 2021, at 12:16 PM, Benjamin Kaduk via Datatracker wrote: > -- > COMMENT: > -- > > Thanks to Dan Harkins for the secdir review, and the authors for th