>The next step is experimentation, we wanted to see if the community thought
>this was a stupid idea before going forward.
I certainly don't think it's stupid.
>There are 3 possible outcomes when a DNS querier gets an aswer like this
>#1 It accepts everything from authority section
>#2 It tosses
On Fri, Mar 25, 2016 at 10:51 PM, John Levine wrote:
> >As I think many here know, I am not of the get-off-my-lawn persuasion
> >for DNS innovations. I don't think it's a bad idea in principle. I'm
> >just aware that we have this long history, and that history was based
> >on
On Fri, Mar 25, 2016 at 7:51 PM, John Levine wrote:
> >As I think many here know, I am not of the get-off-my-lawn persuasion
> >for DNS innovations. I don't think it's a bad idea in principle. I'm
> >just aware that we have this long history, and that history was based
> >on a
>As I think many here know, I am not of the get-off-my-lawn persuasion
>for DNS innovations. I don't think it's a bad idea in principle. I'm
>just aware that we have this long history, and that history was based
>on a certain kind of conservatism that is arguably appropriate to a
>technology
On Thu, Mar 24, 2016 at 08:33:28AM +1000, George Michaelson wrote:
> Very strong +1. The % of incoming query with DO set is far, far higher
> than the % of incoming query seen at authority who subsequently ask
> for DS/DNSKEY at zone and parent. There is a good, strong indication
> that resolvers
On Thu, Mar 24, 2016 at 7:10 AM, Florian Weimer wrote:
> DO was used initially for SIG and kept for RRSIG. For an early DNSSEC
> implementation, RRSIG was just another unsolicited RR type because it
> could only know about SIG. This suggests (to me at least) that
>
On 03/23/2016 09:03 PM, Andrew Sullivan wrote:
> I don't understand how it's a way to evaluate this claim. DNSSEC
> includes a bit (DO) that says you're prepared to handle the additional
> data in the answer section. Indeed, the unpreparedness of people for
> this data was just exactly the
Hi,
On Wed, Mar 23, 2016 at 09:37:57AM -0700, Marek Vavruša wrote:
> > 1. We had no idea what resolvers who weren't expecting the
> > in the Answer section would do. This draft says what is "more
> > likely", but I have no way of evaluating that claim. Without an
> > EDNS0
On 03/22/2016 12:45 AM, Marek Vavruša wrote:
> there was an interest in reducing latency for address record lookups.
> Me and Olafur wrote a draft on adding records to A answers and
> treating them as authoritative. This fixes latency issues with NS
> A/ discovery in resolvers and
On 03/22/2016 01:15 AM, Paul Vixie wrote:
>
>
> Marek Vavruša wrote:
>> ...
>>
>> https://datatracker.ietf.org/doc/draft-vavrusa-dnsop--for-free/
>
> +1. we ought to have done this from the get-go.
It did not work back then because unexpected RRsets in the answer broke
resolvers. This is
In one of the experiments we are conducting we stuff the response with other
QTYPE data and this seems to not interfere with resolver behaviour (unless we
trigger it). So #3 doesn’t seem to be a common case (we could look in the
fringes for this behaviour).
Towards the resolver’s clients, all
On Tue, Mar 22, 2016 at 6:11 PM, Mark Andrews wrote:
>
> In message <2016030345.29993...@pallas.home.time-travellers.org>,
> Shane Kerr writes:
> > Maybe we just need a new RTYPE. It would be awesome if CloudFlare
> > killed ANY and then gave us ANYA ("any address"). ;)
>
>
>We have a way of measuring DNSSEC algorithms penetration, QNAME
>minimisation-enabled resolvers etc., thus also a way to evaluate this
>claim. I'm setting up a special domain using this I-D and then we can use
>RIPE Atlas or 1x1 test, should Google or someone be interested in testing
>this.
The
Hi Andrew, first of all - thanks for being constructive.
On Wed, Mar 23, 2016 at 6:07 AM, Andrew Sullivan
wrote:
> Hi,
>
> On Mon, Mar 21, 2016 at 04:45:51PM -0700, Marek Vavruša wrote:
> > Me and Olafur wrote a draft on adding records to A answers and
> > treating
Andrew Sullivan wrote:
> On Mon, Mar 21, 2016 at 04:45:51PM -0700, Marek Vavruša wrote:
> > Me and Olafur wrote a draft on adding records to A answers and
> > treating them as authoritative.
>
> The last time this was proposed, in DNSEXT when Olafur was co-chair,
>
On Mon, Mar 21, 2016 at 06:55:00PM -0700, Paul Vixie wrote:
> i think we have to start planning for a world in which EDNS0 never reaches
> 75% penetration due to middleboxes having the high ground.
Well, you could get most of the way there for this proposal by having
just recursives do it. End
Hi,
On Mon, Mar 21, 2016 at 04:45:51PM -0700, Marek Vavruša wrote:
> Me and Olafur wrote a draft on adding records to A answers and
> treating them as authoritative.
The last time this was proposed, in DNSEXT when Olafur was co-chair,
the proposal was rejected on the following grounds:
Marek Vavruša wrote:
>
> 1. No signalling to client when is unavailable
>
> I didn't want to include it in the beginning but I see it has a merit.
Yep. Also, while improving this for direct address queries, it should also
be improved for additional data in MX, NS,
In message <2016030345.29993...@pallas.home.time-travellers.org>, Shane
Kerr writes:
> Maybe we just need a new RTYPE. It would be awesome if CloudFlare
> killed ANY and then gave us ANYA ("any address"). ;)
You would then need to do ANYA, A and queries or you have to
have signaling to
On Tue, Mar 22, 2016 at 2:03 PM, Shane Kerr
wrote:
> Marek,
>
> At 2016-03-22 12:12:08 -0700
> Marek Vavruša wrote:
>
> > 2. Behavior of stubs is not explicit in the draft
> >
> > I should have stated this explicitly, the draft doesn't update
On Tue, Mar 22, 2016 at 1:20 PM, Mark Andrews wrote:
>
> In message
Marek,
At 2016-03-22 12:12:08 -0700
Marek Vavruša wrote:
> 2. Behavior of stubs is not explicit in the draft
>
> I should have stated this explicitly, the draft doesn't update behaviour of
> stub resolvers. In my opinion, they should use the most basic form of DNS
>
In message
Thanks everybody for comments! It's a lot so I'll try to rephrase and
answer the questions below.
1. No signalling to client when is unavailable
I didn't want to include it in the beginning but I see it has a merit.
DNSSEC has means to provide authenticated non-existence for free, so I
On Tue, Mar 22, 2016 at 7:41 AM, Tony Finch wrote:
> Marek Vavruša wrote:
> >
> > there was an interest in reducing latency for address record lookups.
> > Me and Olafur wrote a draft on adding records to A answers and
> > treating them as
On Tue, Mar 22, 2016 at 7:41 AM, Tony Finch wrote:
> Marek Vavruša wrote:
> >
> > there was an interest in reducing latency for address record lookups.
> > Me and Olafur wrote a draft on adding records to A answers and
> > treating them as
Marek Vavruša wrote:
>
> there was an interest in reducing latency for address record lookups.
> Me and Olafur wrote a draft on adding records to A answers and
> treating them as authoritative. This fixes latency issues with NS
> A/ discovery in resolvers and
George Michaelson wrote:
What did I mis-understand? The APNIC 1x1 is a random sample over
users, and it sees significantly more than 75% EDNS0. More like 93%.
by query volume, or by rdns ip?
By query volume. And, we're at authority where I suspect you see the edge.
Once the query is
On Tue, Mar 22, 2016 at 12:07 PM, Paul Vixie wrote:
>
>
> George Michaelson wrote:
>>
>> I'm confused. DO bit implies EDNS0, and we think DO bit in the field
>> is north of 75%.
>>
>> What did I mis-understand? The APNIC 1x1 is a random sample over
>> users, and it sees
George Michaelson wrote:
I'm confused. DO bit implies EDNS0, and we think DO bit in the field
is north of 75%.
What did I mis-understand? The APNIC 1x1 is a random sample over
users, and it sees significantly more than 75% EDNS0. More like 93%.
by query volume, or by rdns ip?
--
P Vixie
I'm confused. DO bit implies EDNS0, and we think DO bit in the field
is north of 75%.
What did I mis-understand? The APNIC 1x1 is a random sample over
users, and it sees significantly more than 75% EDNS0. More like 93%.
-George
On Tue, Mar 22, 2016 at 11:55 AM, Paul Vixie
Mark Andrews wrote:
In
On Mon, 21 Mar 2016, Marek Vavruša wrote:
What happens with the Answer Count for QTYPE=A when there are no A
records and only records? And can the examples also clarify this?
That's an example 5.3
The use case is, but I still have no idea what the ANCOUNT should
be. Neither
In message
I see the point but I don't really want to go down the EDNS route.
So presuming that this draft catches on and Alexa 1M NSs publish at least
one record,
there would be no need for two queries in most cases and no need for
additional signalisation.
If they don't publish records, then the
On Mon, Mar 21, 2016 at 5:14 PM, Paul Wouters wrote:
> On Mon, 21 Mar 2016, Marek Vavruša wrote:
>
> there was an interest in reducing latency for address record lookups. Me
>> and Olafur wrote a draft on adding records to A answers and treating
>> them as authoritati
>> ve.
Or we could defined the "aaa" (A and ) {E}DNS bit where the
server guarantees that the response contains both the A and
answers for A or queries if aaa=1 in the response.
Recursive servers would lookup A/ records if cache is missing
them before returning a response.
If the A /
Who wants to get rid of A lookups? "A" is going to be here for a while and
using it as a generic mean to get all addresses of given protocol
(regardless of version) gives servers a way to smoothly transition over
versions.
If the A was updated to have a variable address length, then it could be
On Tue, 22 Mar 2016, Mark Andrews wrote:
Well we really want to get rid of A lookups. Why don't we just
recommend that we publish mapped A records in RRsets and have
master servers update RRsets if they are inconsitent with the
A RRsets.
We also need a way to signal that there are
On Mon, 21 Mar 2016, Marek Vavruša wrote:
there was an interest in reducing latency for address record lookups. Me and
Olafur wrote a draft on adding records to A answers and treating them as
authoritati
ve. This fixes latency issues with NS A/ discovery in resolvers and
improves
Marek Vavruša wrote:
...
https://datatracker.ietf.org/doc/draft-vavrusa-dnsop--for-free/
+1. we ought to have done this from the get-go.
--
P Vixie
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
Well we really want to get rid of A lookups. Why don't we just
recommend that we publish mapped A records in RRsets and have
master servers update RRsets if they are inconsitent with the
A RRsets.
We also need a way to signal that there are no A records in the
RRset.
42 matches
Mail list logo