Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

2017-03-20 Thread Viktor Dukhovni
On Mon, Mar 20, 2017 at 09:06:40PM -0400, Ted Lemon wrote: > On Mar 20, 2017, at 8:48 PM, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote: > > FWIW, when adding DANE support to Postfix, > > The homenet use case is completely different. Here we are talking about > dev

Re: [DNSOP] WG review of draft-ietf-homenet-dot-03

2017-03-20 Thread Viktor Dukhovni
On Mon, Mar 20, 2017 at 05:44:27PM -0400, Steve Crocker wrote: > > You should bear in mind that homenet is assuming the Internet of maybe > > five years from now, more so than the Internet of now, although obviously > > we'd like to get done sooner than that. So you should assume that stub > >

Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2017-03-13 Thread Viktor Dukhovni
On Sun, Mar 12, 2017 at 04:38:20PM -0700, Dave Crocker wrote: > On 3/12/2017 4:23 PM, Paul Wouters wrote: > > I do not want to adopt it unmodified > > as informational RFC for running existing code. > > You do not want the IETF to document existing practice? In general, yes. However, in this

Re: [DNSOP] DNSOP Digest, Vol 123, Issue 70

2017-02-20 Thread Viktor Dukhovni
> On Feb 20, 2017, at 4:19 PM, dnsop-requ...@ietf.org wrote: > > Accept that TLSA is dead. Don't tilt at windmills with yet more discovery > schemes. There are at least ~2400 MX hosts with published TLSA records for SMTP serving over 100k domains and growing. In addition to Postfix and Exim,

Re: [DNSOP] [Ext] A nudge on the new terms in draft-ietf-dnsop-terminology-bis

2017-02-13 Thread Viktor Dukhovni
On Fri, Feb 10, 2017 at 01:12:28PM +, Edward Lewis wrote: > I have a fundamental problem with that, meaning that a document within > DNSOP is defining domain names. Work I did to write (the still in progress) > draft on Domain Names has led me to believe that domain names are a concept >

Re: [DNSOP] DNSOP Digest, Vol 122, Issue 24

2017-01-26 Thread Viktor Dukhovni
> On Jan 23, 2017, at 3:00 PM, dnsop-requ...@ietf.org wrote: > > I've been following this discussion and have taken a few weeks to think > about the comments rendered here in some depth. I find that I most agree > with this statement: > > On Tue, Dec 20, 2016 at 10:53:39PM +, Warren Kumari

Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2017-01-09 Thread Viktor Dukhovni
On Mon, Jan 09, 2017 at 03:51:31PM +, Vernon Schryver wrote: > Note that the vast majority of clients of RPZ rewriting resolvers are > stubs that don't do validation So far, and at present, correct. Validating resolvers (unbound and the like) are seeing deployment on servers first,

Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2016-12-31 Thread Viktor Dukhovni
On Thu, Dec 29, 2016 at 05:45:59AM -, John Levine wrote: > >I'm seeing how it really helps governments cheaply create and enforce > >the creation of national internets -- especially with the walled garden > >features. Are those the good guys to you, or are there other benefits? > > Please

Re: [DNSOP] DNSOP Call for Adoption draft-vixie-dns-rpz

2016-12-21 Thread Viktor Dukhovni
On Wed, Dec 21, 2016 at 12:39:55PM -0500, Matthew Pounsett wrote: > RPZ is not the ideal, but it works, and goes beyond being deployable–it is > deployed. I am curious to understand how RPZ zone transfers are (intended to be) secured. It sounds like the reason for standardizing RPZ is to allow

Re: [DNSOP] review of draft-ietf-dnsop-no-response-issue-05

2016-10-10 Thread Viktor Dukhovni
On Tue, Oct 11, 2016 at 01:56:42AM +1100, Mark Andrews wrote: > If the IETF was setting servers that went and checked DNS servers > and informed the operators then the IETF would be in the business > of enforcing protocols. At this stage I don't see the IETF doing > that nor is this document

Re: [DNSOP] Mandated order of CNAME records in a CNAME chain?

2016-09-29 Thread Viktor Dukhovni
On Thu, Sep 29, 2016 at 09:03:33AM -0400, Robert Edmonds wrote: > > Very good question but, IMHO, it is thread-stealing (hence changing > > the subject, and removing thread headers). > > I think there was already a thread on this topic recently on this list > ("Order of CNAME and A in

Re: [DNSOP] Where in a CNAME chain is the QNAME?

2016-09-29 Thread Viktor Dukhovni
On Wed, Sep 28, 2016 at 09:26:38PM +, Stephane Bortzmeyer wrote: > On Mon, Sep 26, 2016 at 12:33:39PM +0100, > Ólafur Guðmundsson wrote > a message of 148 lines which said: > > > The RCODE applies to the RRSET pointed to by the last CNAME in answer > > section (or

Re: [DNSOP] Tell me about the ISO 3166 user assigned two-letter codes and TLDs

2016-09-29 Thread Viktor Dukhovni
On Wed, Sep 28, 2016 at 11:27:20PM -, John Levine wrote: > The codes AA, QM-QZ, XA-XZ, and ZZ are "user assigned" and will never > be used for countries. Last year Ed Lewis wrote an I-D proposing that > XA-XZ be made private use and the rest future use, but as far as I can > tell it never

Re: [DNSOP] Where in a CNAME chain is the QNAME?

2016-09-23 Thread Viktor Dukhovni
On Fri, Sep 23, 2016 at 10:22:32AM +0200, Stephane Bortzmeyer wrote: > On Tue, Sep 20, 2016 at 06:13:50PM +0200, > Stephane Bortzmeyer wrote > a message of 68 lines which said: > > > This issue was spotted by Peter van Dijk. It is about > >

Re: [DNSOP] draft-ietf-dnsop-no-response-issue-03

2016-08-24 Thread Viktor Dukhovni
On Thu, Aug 18, 2016 at 02:34:54PM +, Edward Lewis wrote: > ##1. Introduction > ## > ## The DNS [RFC1034], [RFC1035] is a query / response protocol. Failure > ## to respond to queries or to respond incorrectly causes both immediate > ## operational problems and long term problems with

Re: [DNSOP] new Resource record?

2015-12-11 Thread Viktor Dukhovni
On Thu, Dec 10, 2015 at 09:56:26PM +0100, Hosnieh Rafiee wrote: > > Second, from the quick description, I don't quite understand what you want > > to solve. Not complaining, but in preparing to ask for a new type, the > > use case might need to be clearer. > > Authentication and authorization

Re: [DNSOP] The DNSOP WG has placed draft-andrews-dns-no-response-issue in state "Candidate for WG Adoption"

2015-11-27 Thread Viktor Dukhovni
On Fri, Nov 27, 2015 at 05:20:05PM +, Warren Kumari wrote: > On Wed, Nov 25, 2015 at 5:51 PM Roy Arends wrote: > > > I support the general concept (responsive servers are often better > > netizens) and will review the draft, so I support this draft for WG > > adoption. > >

Re: [DNSOP] Asking TLD's to perform checks.

2015-11-11 Thread Viktor Dukhovni
On Wed, Nov 11, 2015 at 07:53:25AM +0100, Patrik Fältström wrote: > > It may not be possible for everyone to agree on a comprehensive > > set of 'wrongs' with no omissions, but it should be possible to > > get consensus on a core set of 'wrongs' that are not controversial. > > Yes and no. I

Re: [DNSOP] Asking TLD's to perform checks.

2015-11-11 Thread Viktor Dukhovni
On Wed, Nov 11, 2015 at 12:22:05PM +, Lawrence Conroy wrote: > ISTM that the IETF isn't in a position to force its suggestions through > the 'industry'. Who said anything about "forcing", I thought this was intended to be a BCP. As for whether the checks are done by registries or

Re: [DNSOP] Asking TLD's to perform checks.

2015-11-10 Thread Viktor Dukhovni
On Wed, Nov 11, 2015 at 07:25:39AM +0100, Patrik Fältström wrote: > Everything has so far collapsed into collision between tech people not > agreeing on what is right and wrong. It also collapses into clashes between > registry policy and the tests made. I.e. just the registration policy is >

Re: [DNSOP] Asking TLD's to perform checks.

2015-11-10 Thread Viktor Dukhovni
On Wed, Nov 11, 2015 at 07:43:30AM +1100, Mark Andrews wrote: > Perhaps we should be getting Jari, Suzanne and Andrew to push this > at IGF meetings. Not knowing what IGF meetings are, I can't comment on this specific point. > So we don't say what's right because you fear that not everybody >

Re: [DNSOP] Working Group Last Call for draft-ietf-dnsop-edns-chain-query

2015-11-10 Thread Viktor Dukhovni
On Tue, Nov 10, 2015 at 09:29:30PM +, Tony Finch wrote: > Paul Hoffman wrote: > > > > With the current DNS protocol, a stub resolver can get all the records it > > > needs to validate a response in 1RTT, by sending multiple concurrent > > > queries for all the

Re: [DNSOP] Asking TLD's to perform checks.

2015-11-07 Thread Viktor Dukhovni
On Fri, Nov 06, 2015 at 10:54:02AM +1100, Mark Andrews wrote: > I keep getting told the IETF can't tell people what to do > but that is *exactly* what we do do when we issue a BCP. > We tell people what best current practice is and ask them > to follow it. > > Today

Re: [DNSOP] draft-fujiwara-dnsop-nsec-aggressiveuse-01.txt

2015-10-26 Thread Viktor Dukhovni
On Sun, Oct 25, 2015 at 11:39:25PM -0700, Paul Vixie wrote: > sanity check, someone? Yes, you're quite sane. :-) > I believe that in dnssec, an empty non-terminal has a proof that the name > exists, and a proof that there are no RR's. thus, vastly different from the > signaling for NXDOMAIN.

Re: [DNSOP] Open Aggregated Datasets and stats on DNS (.NL ccTLD)

2015-09-21 Thread Viktor Dukhovni
On Mon, Sep 21, 2015 at 02:23:15PM +0200, Giovane C. M. Moura wrote: > > I'd be curious to know what you're seeing for the dominant "_" > >> number in the observed TLSA queries, and whether any particular > >> resolvers are responsible for the bulk of the "_25" queries. > > Now I see you meant

Re: [DNSOP] Fwd: New Version Notification for draft-sury-dnskey-ed25519-03.txt

2015-09-10 Thread Viktor Dukhovni
On Wed, Sep 09, 2015 at 09:44:23PM -0400, Paul Wouters wrote: > >>Once the CFRG algorithms are done, I would also publish an updated > >>list of MTI algorithms for DNSSEC that would consist of: > >> > >>8, 12 and both of the CFRG algorithms. > > You listed 12 as both deprecate and MTI ?

Re: [DNSOP] Fwd: New Version Notification for draft-sury-dnskey-ed25519-03.txt

2015-09-09 Thread Viktor Dukhovni
On Tue, Sep 08, 2015 at 11:19:13AM +0200, Ondřej Surý wrote: > Dear DNS colleagues, > > this might be of some interest to you. > Thanks. Shouldn't this wait for the CFRG to finalize the new EC signature schemes? We already have too many DNSSEC algorithm ids, and are likely to add very

Re: [DNSOP] Fwd: New Version Notification for draft-sury-dnskey-ed25519-03.txt

2015-09-09 Thread Viktor Dukhovni
On Wed, Sep 09, 2015 at 08:12:41PM +0200, Ondřej Surý wrote: > Yes, we are waiting exactly for the cfrg to finish the signature schemas. > But the rest can get a review early. f.e. it's evident now, we have to > add more material about motivation to add new curves into the draft(s). Great. My

Re: [DNSOP] Open Aggregated Datasets and stats on DNS (.NL ccTLD)

2015-09-03 Thread Viktor Dukhovni
On Thu, Sep 03, 2015 at 03:32:12PM +0200, Giovane C. M. Moura wrote: > https://stats.sidnlabs.nl/ Quick question/observation about the TLSA query portion of the data-set. At least for SMTP, the query pattern is: ; sent to .nl authoritative servers when cache is cold ; Q:

Re: [DNSOP] Order of CNAME and A in Authoritative Reply.

2015-08-12 Thread Viktor Dukhovni
On Wed, Aug 12, 2015 at 01:59:55PM -0400, Andrew Sullivan wrote: The question, for the purposes of the protocol definition, is whether a message section (or maybe just the answer section) is an ordered set of unordered RRsets. If so, we probably ought to write that down somewhere, and

[DNSOP] Heads up: DANE TLSA lookup issues with some nameservers.

2015-08-11 Thread Viktor Dukhovni
With draft-ietf-dane-ops and draft-ietf-dane-smtp-with-dane both now in the RFC editor queue, I'd like to bring to your attention important related considerations for DNS operators. When opportunistic DANE TLS clients try to determine whether TLSA records exist for peers whose address records are
