Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Paul Vixie
Vernon Schryver wrote: By "signed" I guess you mean signed by the resolver itself with some sort of public key ... If so, I agree that works, yes. but I still don't see how that is as good as two dig's with one to a resolver trusted to give the truth. there will in my model be only one

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Lanlan Pan
Yes, I agree, in fact the *online cache rate* is small (0.12% queries), LRU & TTL works fine. SWILD does not save much online cache size, because of the query rate. And Temporary Domain Names/ All Names: 41.7% for 7 days statistics, the rate can be about 10% for 1 day statistics. Because temporary

Re: [DNSOP] fragile dnssec, was Fwd: New Version

2017-08-16 Thread Mark Andrews
In message <20170816230917.4475.qm...@ary.lan>, "John Levine" writes: > In article <20170816071920.ba2c98287...@rock.dv.isc.org> you write: > >> A colleague says "If TLDs allowed UPDATE messages to be processed most > >> of the issues with DNSSEC would go away. At the moment we have a whole > >>

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Vernon Schryver
> From: Paul Vixie > > A network that routes requests to 8.8.8.8 to inject DNS lies will also > > arrange to ignore or pervert any DNS-in-band tell-the-truth signaling. > > Without access to a trustworthy resolver, tell-the-truth signaling is > > useless because you can't trust

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Paul Vixie
Vernon Schryver wrote: A network that routes requests to 8.8.8.8 to inject DNS lies will also arrange to ignore or pervert any DNS-in-band tell-the-truth signaling. Without access to a trustworthy resolver, tell-the-truth signaling is useless because you can't trust it. i would like to be

Re: [DNSOP] fragile dnssec, was Fwd: New Version

2017-08-16 Thread John Levine
In article <20170816071920.ba2c98287...@rock.dv.isc.org> you write: >> A colleague says "If TLDs allowed UPDATE messages to be processed most >> of the issues with DNSSEC would go away. At the moment we have a whole >> series of kludges because people are scared of signed update messages."

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Vernon Schryver
> From: Paul Vixie > well, yes, but a directive in /etc/resolv.conf saying what lies to > trust, or whether to trust all of them, or whether to trust none of > them, would be a way for a system operator or owner to set response > policy for all applications. > if an

Re: [DNSOP] opportunistic refresh and Happy Eyeballs

2017-08-16 Thread Warren Kumari
On Wed, Aug 16, 2017 at 4:05 AM, Ralf Weber wrote: > Moin! > > On 16 Aug 2017, at 2:44, Warren Kumari wrote: >>> If it's a commonly-used name, I suspect the more straightforward >>> "prefetching" should suffice in practice: >>>

Re: [DNSOP] Status of "let localhost be localhost"?

2017-08-16 Thread Warren Kumari
On Wed, Aug 2, 2017 at 2:02 PM, Robert Edmonds wrote: > Ted Lemon wrote: >> But we are arguing that "localhost" should be treated specially by every >> piece of software that looks at it, when its default meaning is "look up >> localhost in the DNS and connect to one of the

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Paul Vixie
Vernon Schryver wrote: From: Paul Vixie some time before bad people get around to using dnssec to bypass rpz, the spec will have to evolve to allow new signalling ("i want to hear both the truth and the lie, and please sign the lie with our shared key so i'll know it's

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Paul Vixie
Davey Song wrote: If any operator would like to implement SWILD without DNSSEC or NAT44 without IPv6, It's OK. It may be a good solution in their network for their customer. I do know many people and solutions walk around DNSSEC, IPv6 (due to IPsec) and TLS for surveillance issues. But IETF as

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Vernon Schryver
> From: Paul Vixie > some time before bad people get around to using dnssec to bypass rpz, > the spec will have to evolve to allow new signalling ("i want to hear > both the truth and the lie, and please sign the lie with our shared key > so i'll know it's from you"). I

Re: [DNSOP] Status of "let localhost be localhost"?

2017-08-16 Thread Ted Lemon
On 16 Aug 2017, at 6:17, Mike West wrote: > In the commit linked above, I've adopted the second and third paragraphs with > minor wording changes. It's not really clear to me where the crux of the > first paragraph lies. IMO, malware is pretty clearly out of scope for

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Ted Lemon
On 16 Aug 2017, at 0:19, Lanlan Pan wrote: > We analyzed our recursive query log, about 18.6 billion queries from > 12/01/2015 to 12/07/2015. > We found about 4.7 Million temporary domains occupy the recursive's cache, > which are subdomain wildcards from Skype, QQ,

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Mikael Abrahamsson
On Wed, 16 Aug 2017, Davey Song wrote: According to your description, I feel that IPv6 has better chance to win than its "brother" DNSSEC. LoL Currently they're both winning, and in kind of the same fashion. https://www.google.com/intl/en/ipv6/statistics.html Clients are sitting behind

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Davey Song
According to your description, I feel that IPv6 has better chance to win than its "brother" DNSSEC. LoL On 16 August 2017 at 14:48, Mukund Sivaraman wrote: > On Wed, Aug 16, 2017 at 08:21:37AM +0200, Mikael Abrahamsson wrote: > > On Wed, 16 Aug 2017, Mukund Sivaraman wrote: > > >

Re: [DNSOP] New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Lanlan Pan
Ralf Weber wrote on Wed, Aug 16, 2017 at 4:22 PM: > Moin! > > On 16 Aug 2017, at 6:19, Lanlan Pan wrote: > > > We analyzed our recursive query log, about 18.6 billion queries from > > 12/01/2015 to 12/07/2015. > > > > We found about 4.7 Million temporary domains occupy the recursive's > > cache,

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Davey Song
On 12 August 2017 at 23:42, Paul Vixie wrote: > > > failing that level of commitment, the IETF ought to kill DNSSEC altogether. > > this is very similar to the "shall we add IPv6's features to IPv4, since > V6 is > taking so long to deploy, and these features are badly needed?"

Re: [DNSOP] New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Ralf Weber
Moin! On 16 Aug 2017, at 6:19, Lanlan Pan wrote: We analyzed our recursive query log, about 18.6 billion queries from 12/01/2015 to 12/07/2015. We found about 4.7 Million temporary domains occupy the recursive's cache, which are subdomain wildcards from Skype, QQ, Mcafee, Microsoft,

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Lanlan Pan
Mukund Sivaraman wrote on Wed, Aug 16, 2017 at 1:45 PM: > On Fri, Aug 11, 2017 at 10:39:50AM -0400, Matthew Pounsett wrote: > > It sounds like you're assuming that SWILD would be supported by caching > > servers that do not support DNSSEC or NSEC aggressive use. Why do you > > expect implementers

Re: [DNSOP] opportunistic refresh and Happy Eyeballs

2017-08-16 Thread Ralf Weber
Moin! On 16 Aug 2017, at 2:44, Warren Kumari wrote: >> If it's a commonly-used name, I suspect the more straightforward >> "prefetching" should suffice in practice: >> https://datatracker.ietf.org/doc/draft-wkumari-dnsop-hammer/ >> Several popular recursive servers already implement the feature.

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Paul Vixie
Lanlan Pan wrote: (Without commenting about SWILD) Is your RPZ a mixture? no. Doesn't RPZ rewrite DNS answer, break DNSSEC validation? the I-D advises against this. some implementations offer a switch to rewrite DNSSEC-signed results. i don't use this myself, and i recommend against

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Mark Andrews
In message <20170816064855.GB16977@jurassic>, Mukund Sivaraman writes: > On Wed, Aug 16, 2017 at 08:21:37AM +0200, Mikael Abrahamsson wrote: > > On Wed, 16 Aug 2017, Mukund Sivaraman wrote: > > > > > 24 / 500 top domains (4.8%) > > > 20548 / 1 million top domains (2.05%) > > > > > > (12 years

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Paul Vixie
Mukund Sivaraman wrote: DNSSEC is brittle. then let's fix it. or give up on it. -- P Vixie ___ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Lanlan Pan
(Without commenting about SWILD) Is your RPZ a mixture? Doesn't RPZ rewrite DNS answer, break DNSSEC validation? Should we give up, or shouldn't we? Paul Vixie wrote on Wed, Aug 16, 2017 at 2:30 PM: > > > Mukund Sivaraman wrote: > ... > > > > Alexa Top domains and DNSSEC: > > > > 24 /

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Paul Vixie
Mukund Sivaraman wrote: On Tue, Aug 15, 2017 at 11:29:56PM -0700, Paul Vixie wrote: we should give up. or we shouldn't. not a mixture. I'm not saying we should give up.. but it's going to be a while before we get to a utopia of maximal DNSSEC deployment. In the meantime, there are

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Mikael Abrahamsson
On Wed, 16 Aug 2017, Mukund Sivaraman wrote: The validating resolver is half of the system. DNSSEC is brittle. Absolutely. But before we were in a situation where people signed zones, screwed it up, and then the (sometimes single) ISP running a validating resolver got the run-around "must

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Mukund Sivaraman
On Wed, Aug 16, 2017 at 08:21:37AM +0200, Mikael Abrahamsson wrote: > On Wed, 16 Aug 2017, Mukund Sivaraman wrote: > > > 24 / 500 top domains (4.8%) > > 20548 / 1 million top domains (2.05%) > > > > (12 years after introduction of 403{3,4,5}) > >

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Mukund Sivaraman
On Tue, Aug 15, 2017 at 11:29:56PM -0700, Paul Vixie wrote: > > > Mukund Sivaraman wrote: > ... > > > > Alexa Top domains and DNSSEC: > > > > 24 / 500 top domains (4.8%) > > 20548 / 1 million top domains (2.05%) > > > > (12 years after introduction of 403{3,4,5}) > > we should give up. > >

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Paul Vixie
Mukund Sivaraman wrote: ... Alexa Top domains and DNSSEC: 24 / 500 top domains (4.8%) 20548 / 1 million top domains (2.05%) (12 years after introduction of 403{3,4,5}) we should give up. or we shouldn't. not a mixture. -- P Vixie

Re: [DNSOP] Fwd: New Version Notification for draft-pan-dnsop-swild-rr-type-00.txt

2017-08-16 Thread Mikael Abrahamsson
On Wed, 16 Aug 2017, Mukund Sivaraman wrote: 24 / 500 top domains (4.8%) 20548 / 1 million top domains (2.05%) (12 years after introduction of 403{3,4,5}) https://stats.labs.apnic.net/dnssec/XE?o=cXAw1x1g1r1 20% of European users are behind a validating resolver, in some countries it's 70%