On Mon, Mar 20, 2017 at 09:06:40PM -0400, Ted Lemon wrote:
> On Mar 20, 2017, at 8:48 PM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> > FWIW, when adding DANE support to Postfix,
>
> The homenet use case is completely different. Here we are talking about
> dev
On Mon, Mar 20, 2017 at 05:44:27PM -0400, Steve Crocker wrote:
> > You should bear in mind that homenet is assuming the Internet of maybe
> > five years from now, more so than the Internet of now, although obviously
> > we'd like to get done sooner than that. So you should assume that stub
> >
On Sun, Mar 12, 2017 at 04:38:20PM -0700, Dave Crocker wrote:
> On 3/12/2017 4:23 PM, Paul Wouters wrote:
> > I do not want to adopt it unmodified
> > as informational RFC for running existing code.
>
> You do not want the IETF to document existing practice?
In general, yes. However, in this
> On Feb 20, 2017, at 4:19 PM, dnsop-requ...@ietf.org wrote:
>
> Accept that TLSA is dead. Don't tilt at windmills with yet more discovery
> schemes.
There are at least ~2400 MX hosts with published TLSA records for SMTP serving over
100k domains and growing. In addition to Postfix and Exim,
On Fri, Feb 10, 2017 at 01:12:28PM +, Edward Lewis wrote:
> I have a fundamental problem with that, meaning that a document within
> DNSOP is defining domain names. Work I did to write (the still in progress)
> draft on Domain Names has led me to believe that domain names are a concept
>
> On Jan 23, 2017, at 3:00 PM, dnsop-requ...@ietf.org wrote:
>
> I've been following this discussion and have taken a few weeks to think
> about the comments rendered here in some depth. I find that I most agree
> with this statement:
>
> On Tue, Dec 20, 2016 at 10:53:39PM +, Warren Kumari
On Mon, Jan 09, 2017 at 03:51:31PM +, Vernon Schryver wrote:
> Note that the vast majority of clients of RPZ rewriting resolvers are
> stubs that don't do validation
So far, and at present, correct. Validating resolvers (unbound
and the like) are seeing deployment on servers first,
On Thu, Dec 29, 2016 at 05:45:59AM -, John Levine wrote:
> >I'm seeing how it really helps governments cheaply create and enforce
> >the creation of national internets -- especially with the walled garden
> >features. Are those the good guys to you, or are there other benefits?
>
> Please
On Wed, Dec 21, 2016 at 12:39:55PM -0500, Matthew Pounsett wrote:
> RPZ is not the ideal, but it works, and goes beyond being deployable–it is
> deployed.
I am curious to understand how RPZ zone transfers are (intended to
be) secured. It sounds like the reason for standardizing RPZ is
to allow
On Tue, Oct 11, 2016 at 01:56:42AM +1100, Mark Andrews wrote:
> If the IETF was setting servers that went and checked DNS servers
> and informed the operators then the IETF would be in the business
> of enforcing protocols. At this stage I don't see the IETF doing
> that nor is this document
On Thu, Sep 29, 2016 at 09:03:33AM -0400, Robert Edmonds wrote:
> > Very good question but, IMHO, it is thread-stealing (hence changing
> > the subject, and removing thread headers).
>
> I think there was already a thread on this topic recently on this list
> ("Order of CNAME and A in
On Wed, Sep 28, 2016 at 09:26:38PM +, Stephane Bortzmeyer wrote:
> On Mon, Sep 26, 2016 at 12:33:39PM +0100,
> Ólafur Guðmundsson wrote
> a message of 148 lines which said:
>
> > The RCODE applies to the RRSET pointed to by the last CNAME in answer
> > section (or
On Wed, Sep 28, 2016 at 11:27:20PM -, John Levine wrote:
> The codes AA, QM-QZ, XA-XZ, and ZZ are "user assigned" and will never
> be used for countries. Last year Ed Lewis wrote an I-D proposing that
> XA-XZ be made private use and the rest future use, but as far as I can
> tell it never
On Fri, Sep 23, 2016 at 10:22:32AM +0200, Stephane Bortzmeyer wrote:
> On Tue, Sep 20, 2016 at 06:13:50PM +0200,
> Stephane Bortzmeyer wrote
> a message of 68 lines which said:
>
> > This issue was spotted by Peter van Dijk. It is about
> >
On Thu, Aug 18, 2016 at 02:34:54PM +, Edward Lewis wrote:
> ##1. Introduction
> ##
> ## The DNS [RFC1034], [RFC1035] is a query / response protocol. Failure
> ## to respond to queries or to respond incorrectly causes both immediate
> ## operational problems and long term problems with
On Thu, Dec 10, 2015 at 09:56:26PM +0100, Hosnieh Rafiee wrote:
> > Second, from the quick description, I don't quite understand what you want
> > to solve. Not complaining, but in preparing to ask for a new type, the
> > use case might need to be clearer.
>
> Authentication and authorization
On Fri, Nov 27, 2015 at 05:20:05PM +, Warren Kumari wrote:
> On Wed, Nov 25, 2015 at 5:51 PM Roy Arends wrote:
>
> > I support the general concept (responsive servers are often better
> > netizens) and will review the draft, so I support this draft for WG
> > adoption.
>
>
On Wed, Nov 11, 2015 at 07:53:25AM +0100, Patrik Fältström wrote:
> > It may not be possible for everyone to agree on a comprehensive
> > set of 'wrongs' with no omissions, but it should be possible to
> > get consensus on a core set of 'wrongs' that are not controversial.
>
> Yes and no. I
On Wed, Nov 11, 2015 at 12:22:05PM +, Lawrence Conroy wrote:
> ISTM that the IETF isn't in a position to force its suggestions through
> the 'industry'.
Who said anything about "forcing", I thought this was intended to
be a BCP. As for whether the checks are done by registries or
On Wed, Nov 11, 2015 at 07:25:39AM +0100, Patrik Fältström wrote:
> Everything has so far collapsed into collision between tech people not
> agreeing on what is right and wrong. It also collapses into clashes between
> registry policy and the tests made. I.e. just the registration policy is
>
On Wed, Nov 11, 2015 at 07:43:30AM +1100, Mark Andrews wrote:
> Perhaps we should be getting Jari, Suzanne and Andrew to push this
> at IGF meetings.
Not knowing what IGF meetings are, I can't comment on this specific
point.
> So we don't say what's right because you fear that not everybody
>
On Tue, Nov 10, 2015 at 09:29:30PM +, Tony Finch wrote:
> Paul Hoffman wrote:
>
> > > With the current DNS protocol, a stub resolver can get all the records it
> > > needs to validate a response in 1RTT, by sending multiple concurrent
> > > queries for all the
On Fri, Nov 06, 2015 at 10:54:02AM +1100, Mark Andrews wrote:
> I keep getting told the IETF can't tell people what to do
> but that is *exactly* what we do do when we issue a BCP.
> We tell people what best current practice is and ask them
> to follow it.
>
> Today
On Sun, Oct 25, 2015 at 11:39:25PM -0700, Paul Vixie wrote:
> sanity check, someone?
Yes, you're quite sane. :-)
> I believe that in dnssec, an empty non-terminal has a proof that the name
> exists, and a proof that there are no RR's. thus, vastly different from the
> signaling for NXDOMAIN.
On Mon, Sep 21, 2015 at 02:23:15PM +0200, Giovane C. M. Moura wrote:
> > I'd be curious to know what you're seeing for the dominant "_"
> >> number in the observed TLSA queries, and whether any particular
> >> resolvers are responsible for the bulk of the "_25" queries.
>
> Now I see you meant
On Wed, Sep 09, 2015 at 09:44:23PM -0400, Paul Wouters wrote:
> >>Once the CFRG algorithms are done, I would also publish an updated
> >>list of MTI algorithms for DNSSEC that would consist of:
> >>
> >>8, 12 and both of the CFRG algorithms.
>
> You listed 12 as both deprecate and MTI ?
On Tue, Sep 08, 2015 at 11:19:13AM +0200, Ondřej Surý wrote:
> Dear DNS colleagues,
>
> this might be of some interest to you.
>
Thanks. Shouldn't this wait for the CFRG to finalize the new EC
signature schemes? We already have too many DNSSEC algorithm ids,
and are likely to add very
On Wed, Sep 09, 2015 at 08:12:41PM +0200, Ondřej Surý wrote:
> Yes, we are waiting exactly for the cfrg to finish the signature schemas.
> But the rest can get a review early. f.e. it's evident now, we have to
> add more material about motivation to add new curves into the draft(s).
Great. My
On Thu, Sep 03, 2015 at 03:32:12PM +0200, Giovane C. M. Moura wrote:
> https://stats.sidnlabs.nl/
Quick question/observation about the TLSA query portion of the
data-set. At least for SMTP, the query pattern is:
; sent to .nl authoritative servers when cache is cold
;
Q:
On Wed, Aug 12, 2015 at 01:59:55PM -0400, Andrew Sullivan wrote:
The question, for the purposes of the protocol definition, is whether
a message section (or maybe just the answer section) is an ordered set
of unordered RRsets. If so, we probably ought to write that down
somewhere, and
With draft-ietf-dane-ops and draft-ietf-dane-smtp-with-dane both
now in the RFC editor queue, I'd like to bring to your attention
important related considerations for DNS operators.
When opportunistic DANE TLS clients try to determine whether TLSA
records exist for peers whose address records are