Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread sthaug
>>> I think this is another point in favor of doing QNAME minimization.
>>> RFC7816 (technically experimental, but recommended.)
>>>
>>> It kind of makes the query order moot; the resolver looks up the shorter
>>> name first even while resolving the longer name.
>>>
>>
>> Is there any data or even

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread John R Levine
On Tue, 6 Apr 2021, Andrew Sullivan wrote:
>> In a somewhat different world where we used RRTYPEs rather than _tag names, we could do tree walks a lot more efficiently.
> I guess we're now in the world-record running for "somewhat" doing the most amount of work in a sentence?
Hey, I'm the guy

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Andrew Sullivan
On Tue, Apr 06, 2021 at 05:41:10PM -0400, John Levine wrote:
> In a somewhat different world where we used RRTYPEs rather than _tag names, we could do tree walks a lot more efficiently.
I guess we're now in the world-record running for "somewhat" doing the most amount of work in a sentence?

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread John R Levine
>> _dmarc.newjersey.sales.bigcorp.wtf
>> _dmarc.sales.bigcorp.wtf
>> _dmarc.bigcorp.wtf
> Sure, but if I query "_dmarc.newjersey.sales.bigcorp.wtf" and I get back an NXDOMAIN for "sales.bigcorp.wtf", I can eliminate at least one query,
But you won't, you'll get back an answer for the name you looked

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Murray S. Kucherawy
On Tue, Apr 6, 2021 at 2:41 PM John Levine wrote:
> In this application, no, because it's not doing a strict tree walk:
>
> _dmarc.newjersey.sales.bigcorp.wtf
> _dmarc.sales.bigcorp.wtf
> _dmarc.bigcorp.wtf
>
> The _dmarc tag means that none of the names is an ancestor of any of
> the others. It

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Manu Bretelle
On Tue, Apr 6, 2021 at 12:51 PM Shumon Huque wrote:
>
> On Tue, Apr 6, 2021 at 3:03 PM Murray S. Kucherawy wrote:
>>
>> On Tue, Apr 6, 2021 at 11:48 AM Shumon Huque wrote:
>>>
>>> Without DNSSEC, there is no current way to provide an indication about the
>>> longest ancestor of the name

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread John Levine
It appears that Murray S. Kucherawy said:
>
>I'm wondering something about tree walks, which John Levine asked about in
>November, as it's a topic of interest to the evolution of DMARC.
>
>I've read RFC 8020 which says an NXDOMAIN cached for "foo.example" also
>covers later queries

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Shumon Huque
On Tue, Apr 6, 2021 at 5:16 PM Murray S. Kucherawy wrote:
> On Tue, Apr 6, 2021 at 12:56 PM Brian Dickson <
> brian.peter.dick...@gmail.com> wrote:
>
>> I think this is another point in favor of doing QNAME minimization.
>> RFC7816 (technically experimental, but recommended.)
>>
>> It kind of

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Murray S. Kucherawy
On Tue, Apr 6, 2021 at 12:56 PM Brian Dickson wrote:
> I think this is another point in favor of doing QNAME minimization.
> RFC7816 (technically experimental, but recommended.)
>
> It kind of makes the query order moot; the resolver looks up the shorter
> name first even while resolving the

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Brian Dickson
On Tue, Apr 6, 2021 at 11:11 AM Murray S. Kucherawy wrote:
> I'm wondering something about tree walks, which John Levine asked about in
> November, as it's a topic of interest to the evolution of DMARC.
>
> I've read RFC 8020 which says an NXDOMAIN cached for "foo.example" also
> covers later

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Shumon Huque
On Tue, Apr 6, 2021 at 3:03 PM Murray S. Kucherawy wrote:
> On Tue, Apr 6, 2021 at 11:48 AM Shumon Huque wrote:
>
>> Without DNSSEC, there is no current way to provide an indication about
>> the longest ancestor of the name that did exist. With DNSSEC, the NSEC or
>> NSEC3 records in the

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Murray S. Kucherawy
On Tue, Apr 6, 2021 at 11:48 AM Shumon Huque wrote:
> Without DNSSEC, there is no current way to provide an indication about the
> longest ancestor of the name that did exist. With DNSSEC, the NSEC or NSEC3
> records in the response can do this (as well as providing cryptographic
> proof of this

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Shumon Huque
On Tue, Apr 6, 2021 at 2:11 PM Murray S. Kucherawy wrote:
> I'm wondering something about tree walks, which John Levine asked about in
> November, as it's a topic of interest to the evolution of DMARC.
>
> I've read RFC 8020 which says an NXDOMAIN cached for "foo.example" also
> covers later

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Peter van Dijk
And the 'go read this' reference is https://tools.ietf.org/html/rfc8198

On Tue, 2021-04-06 at 20:29 +0200, libor.peltan wrote:
> Hi Murray,
> if foo.example does not exist and DNSSEC is in place, then the resolver
> actually, even with the queries "in reverse order", obtains an NSEC(3),
>

Re: [DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread libor.peltan
Hi Murray,
if foo.example does not exist and DNSSEC is in place, then the resolver actually, even with the queries "in reverse order", obtains an NSEC(3), proving non-existence for much more. For example, the query is bar.foo.example, and the authoritative returns an NSEC proving that

[DNSOP] NXDOMAIN and RFC 8020

2021-04-06 Thread Murray S. Kucherawy
I'm wondering something about tree walks, which John Levine asked about in November, as it's a topic of interest to the evolution of DMARC. I've read RFC 8020 which says an NXDOMAIN cached for "foo.example" also covers later queries for "bar.foo.example". Makes sense. Can this be used (or maybe