Re: [DNSOP] [dnsext] DNS vulnerabilities

[bmanning]

 its hard to distinguish an implementation error and a DNS protocol error, so 
yes, it might
be a very good idea to triage your failures properly.

/bill


On Sat, Oct 26, 2013 at 01:28:10AM +0200, Hosnieh Rafiee wrote:
 Hi Bill,
 
 Thanks for your message.
 
  are your new collection, DNS vulnerabilities, configuration mistakes, or
  implementation faults?
 
 Currently I collected some information regarding DNS vulnerabilities and
 some about configuration mistakes. But I haven't included anything regarding
 implementation faults yet. I guess it is also good to have a section about
 this. 
 Any thought?
 
 
 
 ---smile--
 Hosnieh
 . success is a journey, not a destination..
 You cannot change your destination overnight, but you can change your
 direction ... Focus on the journey
 
 
 
 
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] DNS vulnerabilities

[bmanning]

are your new collection, DNS vulnerabilities, configuration mistakes, or 
implementation faults?

/bill



On Sat, Oct 26, 2013 at 01:16:29AM +0200, Hosnieh Rafiee wrote:
 Hello,
 
 I have gathered some vulnerabilities in the current DNS security approaches
 such as DNSSEC and etc.  We think it is useful to have a survey of existing
 vulnerabilities or any new vulnerabilities so that we can address those
 issues in other standard RFC.  This is why we plan to write a new
 informational draft.  
 
 
 There is currently one old RFC that address the DNS vulnerabilities:
 http://tools.ietf.org/html/rfc3833 
 
 So, we welcome any ideas about this work.
 
 Thanks,
 Best,
 Hosnieh
 
 
 
 ___
 dnsext mailing list
 dns...@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsext
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] timekeeping and DNSSEC

[bmanning]

On Sat, Oct 26, 2013 at 01:11:26PM +0100, Jim Reid wrote:
 On 26 Oct 2013, at 12:59, Masataka Ohta mo...@necom830.hpcl.titech.ac.jp 
 wrote:
 
  a serious vulnerability of, so called, DNSSEC is lack of secure time.
  some security novices innocently believed GPS time were automagically 
  secure.
  That is, so far, there is no way to have really secure DNSSEC.
 
 Rubbish!
 
 If good timekeeping matters so much to DNSSEC, there are plenty of sources of 
 reliable time. For most people, NTP will be good enough. The paranoid might 
 choose Secure NTP. The really paranoid will have multiple time sources other 
 than GPS: eg the radio clocks operated by many national standards institutes 
 and/or the EU, Russian and Chinese(?) equivalents of GPS. The really, really 
 paranoid will operate their own atomic clocks.
 

In Ohta-sans world, secure hinges on being idempotent from the silicon,
the assembler, compiler, binaries and data.  If any of these attributes
is or can be compromised - its not secure.

DNSSEC depends on time e.g. not idempotent == not secure.

What really is happening is that DNSSEC is a risk management tool.
DNSSEC can measureably reduce the risk of bad data.  It does introduce
new risk, in the form of timeing attacks, but the tradeoffs generally 
are presented as acceptable to most folk.

/bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [I-D Action: draft-rssac-dnsop-rfc2870bis-04.txt]

[bmanning]

On Mon, Feb 13, 2012 at 09:33:05AM +0100, Stephane Bortzmeyer wrote:
 On Mon, Feb 06, 2012 at 07:12:56PM +,
  bmann...@vacation.karoshi.com bmann...@vacation.karoshi.com wrote 
  a message of 49 lines which said:
 
  A New Internet-Draft is available from the on-line Internet-Drafts 
  directories.
  
  Title   : Root Name Server Operational Requirements
  Author(s)   : Root Server System Advisory Committee
  Filename: draft-rssac-dnsop-rfc2870bis-04.txt
 
 Section 3.2.1 : I do not understand why you need synced time for
 DNSSEC. The root name servers do not generate signatures.

but they do use TSIG.  And historically, channel protection via
TSIG or SIG(0) was considered part of the DNSSEC tool box.  Granted that
DNSSEC perception has changed over the years. but the need for sync'ed 
clocks
is becuase of TSIG.

 Section 3.2.1 : Several root name servers, such as B, reply to ICMP
 echo requests, which I think is a good thing, but it seems disallowed
 in your document.

-I- think its a good idea, but others would prefer less transparency

 Section 4.2 : This advice directly contradicts RFC 6382. Do you plan
 to reclassify it as Historic?

It meaning RFC 6382?  Not really.  The draft was an attempt to
document current practice - with some leanings toward future directions.

 Section 5.1 : Announcement of planned outages also keeps other
 operators from investigated a scheduled maintenance window. My
 english parser broke here. Should I upgrade it or should you rewrite
 the sentence?

investigated should be investigating.  e.g. if you don't tell anyone
you are doing maintance work, observers will presume the worst and 
start 
to debug why  the L root has gone offline.

 (For the record, I agree with most of Joe Abley's remarks on
 high-level issues with this document.)

There are some strong argumetns for simply stating operational 
goals/principles
vs documenting practice.  I beleive that we are working on a mission 
statement

/bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [rssac] [I-D Action: draft-rssac-dnsop-rfc2870bis-04.txt]

[bmanning]

On Thu, Feb 09, 2012 at 01:17:52PM -0800, Joe Abley wrote:
 Hi Bill,
 
 On 2012-02-06, at 14:12, bmann...@vacation.karoshi.com 
 bmann...@vacation.karoshi.com wrote:
 
  Thanks to Warren, Ed, John D., David C. and Kato-san for their 
  comments/corrections.
  Any more? 
 
 I see you added some text based on our conversation in sunny Christchurch, 
 thanks for that. As promised, here's a summary of that conversation for the 
 list(s).
 
[elided]
 
 In summary, I think the document should be substantially reorganised. This 
 makes it difficult to provide a meaningful line-by-line critique. However, I 
 am very happy to put my money where my mouth is and copy-edit/reorganise 
 along the lines I'm thinking if that seems like a useful way to explain 
 myself. I don't think the -04 draft, even with copy-editing, is useful to 
 publish as-is.
 
 
 Joe

I had a similar conversation with Terry (check the thread archives).
Effectively what you propose is a clean slate instead of building
off existing work and actual practice.  I think that is a fabulou
idea but it has a couple of caveats:

) it will take considerable time to reach consensus within the operator 
community,
  let alone the large community.
) it will not reflect actual practice but an ideal to be achieved.

I think that starting work on such a draft is a great idea -BUT- in the 
mean time
do not let perfect get in the way of good enough. I beleive Terry 
agreed with 
that line of thnking.   Of the existing Operators, A, B, E, G, H, J, L, 
and M have 
made positive comments and worked on  upgrading this base text provided 
by one of 
the Operators.  Is your opinion / argument strong enough to stop work 
on this draft?

That said, I'd love to see a revamped version, if youhave the time to 
copy-edit/reorgnize
the document.


/bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Comments on draft-rssac-dnsop-rfc2870bis-04.txt

[bmanning]

 Hello Paul.

First off, this is an RSSAC document so it is not clear why you think someone 
from the root
opserator community should do the copy editing.

 The paragraph at the end of section 1 (the isn't really 2119 language text) 
 is quite cute and will cause you a world of pain and delay. You have 
 de-capped everything, so remove the paragraph. (Unless you're just trying to 
 make John Klensin even grumpier, which is also quite cute but will also cause 
 you a world of pain and delay).

IETF tools complains when that text is removed.  Will see if there is a clean 
way around it.


 The intro to section 3 says:
The servers need both physical and protocol security as well as
unambiguous authentication of their responses. Physical security focuses
on the machines and their locations, Protocol security and response 
authentication are covered by Internet Protocol standards.
 However, there are three subsections, the middle being network security. 
 Further, much of the protocol security is covered by by transport layer 
 security, not IP security. Proposed new wording:
The servers need to be protected by physical and protocol security for
their administration and communications. They also need to be protected
by network security to reduce their vulnerability to attack. Physical
security focuses on the machines and their locations, network security
focuses on the way that the root servers are connected to the Internet,
and protocol security focuses on administrative communication with the
servers as well as integrity protection for the messages from the
servers to the public.

Going back to the document to see which parts you quoted and which were your 
suggested 
changes.  Will fold in the intent of your suggestion.


 The text in 3.2.5 doesn't make sense. NTP can't be on the list if the 
 operator is expected to get time updates in as secure manner as possible. A 
 proposed rewording would be to just remove that phrase because you describe 
 what operationally is needed to use NTP in a non-crypto secure manner.

or ... update the text to describe secure NTP - which is not uniformly 
used.
or the use of local clocks.

 For the author reference, consider adding the URL 
 http://www.root-servers.org/, given that mail to the address listed will 
 often be automatically lost. (Bonus points for updating that page to 
 eliminate the decade-old presentations and just leave the news!)

again, this is an RSSAC work product, not just root-operators.  and the 
URL
listed is not uniformly used by all operators.  so will likely just 
leave
it as RSSAC. That said, if URLs are accepted in author references (and 
I have
to admit not seeing that used previously) then a link to the RSSAC page 
might
be in order.
 
 --Paul Hoffman
 
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Comments on draft-rssac-dnsop-rfc2870bis-04.txt

[bmanning]

On Mon, Feb 06, 2012 at 05:52:12PM -0500, Paul Hoffman wrote:
 On Feb 6, 2012, at 5:19 PM, bmann...@vacation.karoshi.com wrote:
 
  First off, this is an RSSAC document so it is not clear why you think 
  someone from the root
  opserator community should do the copy editing.
 
 There is a large/complete overlap between the RSSAC and the root server 
 operators. Many of the companies that operate root servers have staff doing 
 many things, such as technical writing. Some have copy editors. The fact that 
 ICANN has not done a copy edit pass on the document after five rounds says 
 that maybe you should look to others. Waiting for ICANN to do this might be 
 futile, given that it doesn't involve making policy.

You are mistaken.  
while all root server operators are part of RSSAC, RSSAC is a much 
larger community
with membership from all the RIRs, ISOC, Research Facilities, and 
Governments.  I'll 
note that ISOC, through the IAB has a presence on RSSAC.  Perhaps we 
could have ISOC 
provide copy editing? 


  The text in 3.2.5 doesn't make sense. NTP can't be on the list if the 
  operator is expected to get time updates in as secure manner as 
  possible. A proposed rewording would be to just remove that phrase 
  because you describe what operationally is needed to use NTP in a 
  non-crypto secure manner.
  
  or ... update the text to describe secure NTP - which is not uniformly 
  used.
  or the use of local clocks.
 
 You can't say can use NTP and in as secure manner as possible: they don't 
 match.

then you recommend we strike SNTP from the document?  There are ways to 
harden 
and NTP only system without going completely to a secured NTP (SNTP) 
system.
And from my experience, if one takes proper precautions and prudent 
design choices
one can deploy  a resistant NTP strucuture without the crypto overhead 
on the SNTP
datagrams or channels.  So I am confident that we can, in fact, say 
with a straight
face say that servers should use NTP or SNTP in as secure a mnner as 
practical/possible.
Its being done.  

 You can use URLs in author references. However, the RSSAC web page is mostly 
 worthless unless you like bureaucratic history. The root-servers.org page is 
 useful. If you don't want to provide a useful URL, that's fine.

again, RSSAC is not just the root operators.  If you want us to include 
a tangentially 
related URL, we could just as easily use  www.ietf.org as 
www.root-servers.org
in as far as the RSSAC represents either of those groups.

 --Paul Hoffman
 
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft of RFC 2870-bis for consideration

[bmanning]

will fold them in, thanks.

/bill

On Sun, Feb 05, 2012 at 11:34:06AM -0500, Warren Kumari wrote:
 Nits and notes:
 
 Abstract: 
 O: The DNS is considered a crucial part of that technical infrastrcuture.
 P: The DNS is considered a crucial part of that technical infrastructure.
 C: s/infrastrcuture/infrastructure/   -- typo.
 
 Background:
 O: ...servers to enable robust dand resilientb
 P: ...servers to enable robust and resilientb
 C: s/dand/and/ -- typo.
 
 1.4:
 O: ...temporary simulatneous loss of manyb
 P: ...temporary simultaneous loss of manyb
 C: s/simulatneous/simultaneous/ -- typo.
 
 3.2.1:
 O: ...for TSIG and DNSSEC syncronizationb
 P: ...for TSIG and DNSSEC synchronizationb
 C: s/syncronization/synchronization/ -- typo.
 
 3.2.6:
 O: Servers must log in UTC to facilitate log comparison.
 C: Seems a little strong -- If I want to log in fortnights since lunar 
 eclipse, that's my business -- as long as I'm willing to convert the log to 
 UTC before handing it to be analyzed.
 
 3.2.8:
 O: The server should be protected from attacks based on source routing.  The 
 server must not soley rely on address- or name-based authentication.
 C: Seems like it should have more text. Not entirely sure what is being said 
 here.
 also: s/soley/solely/ -- typo.
 
 3.3.6:
 O: ...based on the currnet update cycleb
 P: ...based on the current update cycleb
 C: s/currnet/current/ -- typo.
 
 3.3.10:
 O: These monitoring processes could be automated. 
 P: These monitoring processes should be automated. 
 
 4.2:
 C: See draft-mcpherson-unique-origin-as-00 (expired). Neither supporting 
 nor opposing the draft, just mentioning it.
 
 5.1: 
 O: ... a scheduled maintaince windowb
 P: ... a scheduled maintenance windowb
 C: s/maintaince/maintenance/ --typo.
 
 
 W
 
 
 
 
 
 On Feb 1, 2012, at 7:11 AM, bmann...@vacation.karoshi.com wrote:
 
  
  The Root Server System Advisory Committee of ICANN has been working on a 
  revision to RFC 2870.
  It is currently posted as:
  
  
  A New Internet-Draft is available from the on-line Internet-Drafts 
  directories.
  
Title   : Root Name Server Operational Requirements
Author(s)   : Root Server System Advisory Committee
Filename: draft-rssac-dnsop-rfc2870bis-03.txt
Pages   : 9
Date: 2012-01-31
  
   As the Internet has become critical to the world's social and economic
   infrastructure, attention has focused on the correct, safe, reliable, and
   secure operation of the Internet infrastructure itself.  The DNS is 
  considered
   a crucial part of that technical infrastrcuture. The root domain and its
   authoritative name servers are a part of that technical infrastructure.
  
   The primary focus of this document is to provide guidelines for secure, 
  stable,
   and resilient authoritative name service for the root zone. Additionally 
  it will
   look into some specifics for the operation of the name servers.  Other 
  operators
   of authoritative name servers such as those for generic top-level domains 
  (gTLDs),
   country code top-level domains (ccTLDs) and other zones may also find it 
  useful.
  
  A URL for this Internet-Draft is:
  http://www.ietf.org/internet-drafts/draft-rssac-dnsop-rfc2870bis-03.txt
  
  
  Your comments would be appreciated.
  
  /bill
  ___
  DNSOP mailing list
  DNSOP@ietf.org
  https://www.ietf.org/mailman/listinfo/dnsop
  
 
 --
 Don't be impressed with unintelligible stuff said condescendingly.
 -- Radia Perlman.
 
 
 
 
 
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft of RFC 2870-bis for consideration

[bmanning]

 thanks!  will fold in accordingly.

/bill

On Sun, Feb 05, 2012 at 07:40:49PM -0800, David Conrad wrote:
 Bill,
 
 Comments/nits/etc.
 
 Regards,
 -drc
 
 Last sentence of Abstract:
 
 ... zones may also find it useful.
 
 Might suggest ... zones may also find this document useful.
 ---
 1. Background, second sentence:
 
 The Internet Assigned Numbers Authority (IANA) publishes ...
 
 Should be:
 
 The Internet Assigned Numbers Authority functions operator (IANA) publishes 
 ... 
 ---
 1. Background, next sentence:
 
 ... refer to the many ways a root operator provisions to provide root name 
 service known by its letter, ...
 
 Since the naming convention of the root servers isn't introduced to this 
 point (or discussed later or even germane to the discussion), I'd suggest 
 dropping known by its letter,
 ---
 1. Background, last sentence of first paragraph:
 
 Typo dand.
 ---
 The sub-points of section 1 aren't really introduced, they just sort of show 
 up.  Perhaps before 1.1, putting something like At a high level, the root 
 servers operate under the following general characteristics:  or somesuch. 
 ---
 1.2 For legacy reasons, some of the root servers have also served other 
 important zones, In the future, the data served by root servers may change 
 after careful review by RSSAC and ICANN.
 
 The second comma should probably be a period.  The use of a past-tense verb 
 suggests that some of the root servers are not now serving other important 
 zones.  Since those root servers still serve those zones, it would be  
 clearer to state:
 
 For legacy reasons, some of the root servers serve other important zones. In 
 the future ...
 ---
 1.4   The domain name system has proven to be sufficiently robust that the 
 temporary simulatneous loss of many of the root server instances does not 
 significantly affect secure and stable operation of the Internet. [citeation]
 
 I'm not sure the ambiguous term many is warranted, particularly without a 
 citation.  Perhaps loss of a number of and has not ... affected instead 
 of does not ... affect since that suggests loss occurs with some frequency. 
  Also typo: simultaneous.
 ---
 1.5 Authentication, validation, and security of these data and the 
 communications channels they transit are be considered possible attack 
 vectors.
 
 are to be or should be and I think you want the term vulnerabilities, 
 not attack vectors.
 ---
 1.5 ... equal-cost multipath routing and Anycast routing.  (Anycast is 
 discussed further in Section 4.)
 
 Probably should provide a citation to the documents that define anycast here, 
 e.g., RFC 3258 (as opposed to later).
 ---
 For simplicity, this document uses the term server to refer to however 
 many hosts a root operator provisions to provide root name service at a 
 single address per address family.
 
 Duplicative of wording in the first paragraph of this section.
 ---
 2.  The Servers Themselves
 
 Given there is no mechanism for enforcement, these aren't requirements.  
 They are better termed suggestions or perhaps couched in terms of best 
 current practices.
 ---
 2.1 Not phrased as an imperative.  It also isn't clear as to whether this is 
 discussing the root server _system_ or an individual root server operator's 
 implementation of their part of the system.  Assuming the former, perhaps:
 
 In order to improve overall robustness, the root server system SHOULD 
 utilize heterogeneous hardware, operating systems, network topology, and name 
 serving software across the root name servers.
 ---
 2.2 Not phrased as an imperative.  Perhaps:
 
 While there are no accepted, formal test suites for standards compliance, 
 the maintainers of software used on root servers SHOULD take all reasonable 
 actions to ensure their DNS server software correctly implements the IETF 
 standards for authoritative DNS, including RFC1035[2], RFC2181[3], 
 RFC4035[14] and others that conform to the IETF's then-current documented 
 expectations.
 ---
 2.3 ... each server must be able ...
 
 s/must/SHOULD/
 ---
 2.4 Connectivity to the Internet should be as diverse as possible.
 
 Expansion/clarification of this sentence would probably be helpful.  
 Diversity in terms of what?
 ---
 2.5 s/must/SHOULD/
 
 Also, I might quibble about overgeneralizing.  There are authoritative name 
 servers that cache responses in order to improve performance.  As the root 
 zone grows, this may become more important.  It might be prudent to clarify 
 what sort of caching this suggestion is recommending against.
 ---
 2.6 s/must/SHOULD/
 
 Also, clarification of valid IP address is probably warranted, e.g., 
 allocated IP address.  I think it appropriate for root servers to NOT 
 respond to queries from (e.g.) IPv4 10/8 or anything in IPv6 outside of the 
 current FP.
 ---
 2.8 s/must/SHOULD/
 ---
 3.1 s/will/SHOULD/
 ---
 3.1.1 s/must/SHOULD/
 ---
 3.1.2 s/must/SHOULD/
 ---
 3.1.3 s/must/SHOULD/
 ---
 3.1.4 s/must/SHOULD/
 ---
 3.2.1 routing 

Re: [DNSOP] draft of RFC 2870-bis for consideration

[bmanning]

 thanks.  will fold in your comments.

/bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] draft of RFC 2870-bis for consideration

[bmanning]

The Root Server System Advisory Committee of ICANN has been working on a 
revision to RFC 2870.
It is currently posted as:


A New Internet-Draft is available from the on-line Internet-Drafts directories.

   Title   : Root Name Server Operational Requirements
   Author(s)   : Root Server System Advisory Committee
   Filename: draft-rssac-dnsop-rfc2870bis-03.txt
   Pages   : 9
   Date: 2012-01-31

  As the Internet has become critical to the world's social and economic
  infrastructure, attention has focused on the correct, safe, reliable, and
  secure operation of the Internet infrastructure itself.  The DNS is considered
  a crucial part of that technical infrastrcuture. The root domain and its
  authoritative name servers are a part of that technical infrastructure.

  The primary focus of this document is to provide guidelines for secure, 
stable,
  and resilient authoritative name service for the root zone. Additionally it 
will
  look into some specifics for the operation of the name servers.  Other 
operators
  of authoritative name servers such as those for generic top-level domains 
(gTLDs),
  country code top-level domains (ccTLDs) and other zones may also find it 
useful.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-rssac-dnsop-rfc2870bis-03.txt


Your comments would be appreciated.

/bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Further observationon AS112 ipv4 cull

[bmanning]

On Thu, Jul 28, 2011 at 02:11:41PM -0400, Warren Kumari wrote:
 
 On Jul 27, 2011, at 10:08 PM, William F. Maton Sotomayor wrote:
 
  On Tue, 26 Jul 2011, George Michaelson wrote:
  
  I would support this latter approach William: I think we should seek WG 
  adoption of three drafts
  
  1) the michaelson as112-ipv6 draft, aiming for at least one 01 spin to a 
  small set of non-controversial V6 delegations, moving to WGLC and IANA 
  asap.
  
  2) your as112-ipv4-cull draft, but shorn of the operational aspects, 
  likewise rapid movement to WGLC and IANA
  
  For the consideration of members of DNSOP to adopt as a working group item, 
  -01 of my draft has been submitted.
  
  3) an AS112 operational draft more in the nature of 6304/5/bis
  
  This one will follow a little later, I suspect more expanded than before.
  
  I would like to ask for WG adoption of AS112-IPv6 on that basis.
  
  +1, especially since some as112 natives are getting restless.
  
 
 I made a suggestion at the mic in the f2f meeting, and then on the as112 
 operators list -- there seems to be some support for it there, so I'm now 
 doing it onlistb
 
 How about simply making AS112 omniscient (know the answers for *all* space)? 
 As decisions to have AS112 answer / not answer for zones get made, 
 delegations can simply be added and removed. 
 
 Obviously this would require synthesizing answers[0], and these servers 
 cannot be used for answering recursive queries (and a few other minor issues) 
 but this will (as far as I can see) solve the lameness / coordination 
 issues...
 
 
 W
 
 [0]: Yes, yes i *did* feel dirty writing thatb.
 
 
  Thanks,
  
  wfms
  ___
  DNSOP mailing list
  DNSOP@ietf.org
  https://www.ietf.org/mailman/listinfo/dnsop
  
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org




been there, done that.  before ICANN existed, I ran the RFC 1918 auth 
servers.
put in a wild card TXT Please read RFC 1918 to any/every query.  
20min later
after the university pres had fielded calls fm industry about being 
hacked- we removed
the wildcard...  until leaking DNS queris fm private netsinto the 
Internetcan
be stopped, you can't reliably anwer the queries.

/bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] dns interface to whois? (Re: Taking Back the DNS )

[bmanning]

On Mon, Nov 22, 2010 at 09:58:02PM +, Paul Vixie wrote:
  Date: Mon, 22 Nov 2010 20:36:17 +
  From: bmann...@vacation.karoshi.com
  
  we tried this a couple time last decade with limited success.  (pre
  SRV).  it would work, if and only if there were general agreement by
  the zone admins to actually keep up w/ the data.
 
 while i expect that it would be a gateway rather than a data transform,
 and while i agree that if it's a data transform then it should be done
 often enough to not get out of date, i note that i'm asking a different
 question than would it work.
 
 i'm wondering if there's enough interest to have it be worth writing it
 up as a dns schema so that interested producers and consumers of this
 information in this form can have a standard rendezvous (qname format)
 and delivery system (TXT formats).  that's not would it work.  it's
 could it ever be useful to anybody.

well, at least two schemas have been proposed and there was
limited uptake either time.  perhaps times have changed.

 i am not trying to get input on technical feasibility since i think that's
 pretty obvious.  nor am i trying to get input on governance like should
 registries be required by icann to implement it or should icann implement
 it for root, arpa, and other non-delegated zones.  just is there interest.


well, one thing that kind of makes sense is where to anchor such 
records... two choices - a WKA such as in-addr.arpa, ip6.int, enum.arpa
et.al.  or place the entries at each delegation point and sweep the
tree periodically to build a stale cache of data...


--bill

 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Fwd: I-D Action:draft-jabley-dnssec-trust-anchor-00.txt

[bmanning]

On Mon, Oct 04, 2010 at 11:14:20AM -0400, Joe Abley wrote:
 
 On 2010-10-04, at 11:11, Eric Rescorla wrote:
 
  Carefully specified, perhaps, but what you're saying here also makes me 
  think it was 
  also incorrectly specified, since, as I said, the technique I described is 
  well-known, 
  and failing to do so leads to precisely the complications that are at issue 
  here.
 
 Regardless of what you think of it, what we have is what we have. Specifying 
 a trust anchor publication strategy that works with something different seems 
 a little pointless.


i think the correct point is, this work documents what _was_ done, eg. 
a historical
fact.  It also lays out what the authors think is best practice, given 
the current
constraints.

Its kind of tough to argue w/ someones beliefs.
Facts - yes, beliefs - not so much.
If there are factual errors in what occured, those can and should be
corrected.

  So, rather than designing a bunch of kludgy workarounds, it would be better 
  to ask
  what the right thing to do is, even if that requires changing some 
  preexisting
  document.
 
 Workarounds to what?
 
 I have not heard a clear description of a problem yet, just a lot of possible 
 solutions.

And yet, you were part of a team that spent hundreds of thousands of 
dollars
and several man-years working on a solution to a, as you state above, 
to a
problem without a clear statement?

I'd susggest that there might be better ways to do key management and 
that EKR 
might have some good ideas on the subject.  But thats _future_ work.

--bill

 
 
 Joe
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] RFC4641bis - http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/trust_anchor_configuration

[bmanning]

On Thu, Jul 08, 2010 at 11:39:33AM +0200, Olaf Kolkman wrote:
 
 I observe though that 4641 is mainly written from the perspective of a 
 'zone-owner' and that I am not quite sure where to give specific advice to 
 administrators of recursive nameservers.
 
 So before text is drafted there is an explicit question to the WG on whether 
 this document should contain a section that gives guidance to recursive 
 nameserver operators?


is there also a distinction between a zone owner and its 
authoritative 
nameservers?

If the document is primarly oriented toward a zone owner then 
references to 
nameserver administrators should be;  a) kept to a minimum, and b) 
clearly stated
at the head of the docuement, the focus of the advice, e.g. to zone 
owners.


  2. There are also multiple ways in which the auth nameserver operators will 
  manage key rollover.
  
  Authoritative operators should free to decide if they want to manage their 
  keys in a RFC5011 manner or not. RFC4641bis should place no restriction on 
  authoritative servers.
 
 
 Hmmm. Currently the document does not restrict auth servers but it does give 
 recommendations such as (in version 02 in the 1 but last paragraph of 3.1.2:
 
  It is therefore recommended to regularly roll KSKs if and only if those 
 rollovers can be
  tracked using automated RFC5011 type mechanisms.
 
 Note the way this is phrased doesn't even say that 5011 is the magic bullet.
 
 Question to the WG: is the document in any way restrictive on not using 5011, 
 or is its consideration for advising RFC5011 to strong?


there have been some arguements about the periodicity of key rolls. 
Unless
this document can have a clearly defenseable position for recommending 
regular
rollovers and having such tied to RFC 5011,  it might be wise to 
decouple this
work from RFC 5011... unless this work really depends on RFC 5011 use.


  
  (3. With RFC5011 we now have some confusion in the current RFCs about the 
  status of the SEP bit.
  
  RFC4034 describes the SEP bit as follows 
  Bit 15 of the Flags field is the Secure Entry Point flag, described in 
  [RFC3757].  If bit 15 has value 1, then the DNSKEY record holds a key 
  intended for use as a secure entry point. This flag is only intended to be 
  a hint to zone signing or debugging software as to the intended use of this 
  DNSKEY record; validators MUST NOT alter their behaviour during the 
  signature validation process in any way based on the setting of this bit.
  
  RFC4041
  RFC4041 recommends In this document, we assume a one-to-one mapping 
  between KSK and SEP keys and we assume the SEP flag to be set on all KSKs
  This clearly alters RFC 4034 and gives some meaning to the SEP bit.
 
 s/4041/4641/


My understanding about the SEP bit is reflected in the RFC 4034 text. 
In 4061, the
authors have exceeded the definition in 4034 and based their work on 
that assumption...
which doesn't appear to be valid :)


  
  RFC5011
  RFC5011 describes a method for securely managing key rollover via the use 
  of the SEP bit and the addition of a revoke bit. This clearly redefines the 
  original meaning of the SEP bit in RFC4034.
 
  
  Could 4641bis or something mention
  
  1. RFC3757 is not obsolete
  2. RFC3757 is updated by RFC5011


RFC 5011 describes A method, not THE ONLY method.  One is or should 
be free to interpret
the SEP as defined in RFC 4034.


 
 I do not think that this (non standards track document) should tinker with 
 the status of any standards track document. Besides I believe that what is in 
 4034 says: SEP is not interpreted during the validation but can be used as a 
 hint for operational matters (and then mentions debugging and zonesigning). 

Agreed.  

 
  The SEP bit is described in [RFC3757] and updated in RFC5011. However, it 
  plays no part in the validation process. It may only be used in the 
  automated key rollover process as described in RFC5011.)
  
 
 While chewing on section 3.1 yesterday and today it seemed that having a 
 separate section on the use of SEP is appropriate.
 
 On this work is in progress.
 
 (I updated  
 http://www.nlnetlabs.nl/svn/rfc4641bis/trunk/open-issues/trust_anchor_configuration)
 
 
 --Olaf
 
 
 
  
 
 Olaf M. KolkmanNLnet Labs
Science Park 140, 
 http://www.nlnetlabs.nl/   1098 XG Amsterdam
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Fwd: New Version Notification for draft-mekking-dnsop-auto-cpsync-00

[bmanning]

 thanks for this.  :)

--bill


On Tue, Jun 29, 2010 at 03:19:54PM +0200, Matthijs Mekking wrote:
 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1
 
 FYI,
 
 I have submitted this draft on the topic of automatic update of DS (and
 other records).
 
 Best regards,
 
 Matthijs Mekking
 NLnet Labs
 
 -  Original Message 
 Subject: New Version Notification for draft-mekking-dnsop-auto-cpsync-00
 Date: Tue, 29 Jun 2010 06:12:35 -0700 (PDT)
 From: IETF I-D Submission Tool idsubmiss...@ietf.org
 To: matth...@nlnetlabs.nl
 
 
 A new version of I-D, draft-mekking-dnsop-auto-cpsync-00.txt has been
 successfully submitted by Matthijs Mekking and posted to the IETF
 repository.
 
 Filename:  draft-mekking-dnsop-auto-cpsync
 Revision:  00
 Title: Automated (DNSSEC) Child Parent Synchronization using 
 DNS UPDATE
 Creation_date: 2010-06-29
 WG ID: Independent Submission
 Number_of_pages: 6
 
 Abstract:
 This document proposes a way to synchronise existing trust anchors
 automatically between a child zone and its parent.  The algorithm can
 be used for other Resource Records that are required to delegate from
 a parent to a child such as NS and glue records.
 
 
 
 
 The IETF Secretariat.
 
 
 -BEGIN PGP SIGNATURE-
 Version: GnuPG v1.4.10 (GNU/Linux)
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
 iQEcBAEBAgAGBQJMKfL6AAoJEA8yVCPsQCW5MA8IALsVN2C0raqTybHDtdWqkS19
 uOeKyTP7HvJXXYNbRwbITjDzTyx1aFWuNV+JGou16vlXyJY4gK0Ob3Y6P9aum/L3
 LvCD/6ekPDL4VxwoJFwq1GsudBnNGN9UeO8IK1R2gNmraEiGAcJ7imovc5+YW5wy
 Ihk0t5hEAfhgk/2Nr6pguZBxfz2bbpAyBBaZd0uyLBszwnKNWKLVoWxDpBhfOwgA
 MOWB9owHodjRa6yrJlNJ0IBvdwhC+SyIWyptAwRR810wE3slzYS8xOk1Uvd7a8lF
 cVeint1z/KxFCPvY69UsnFoOpmgrNwG6cmw8Zg5SEfDpHlswfsbn2BNSo6B07FE=
 =0u03
 -END PGP SIGNATURE-
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-ietf-dnsop-default-local-zones-13

[bmanning]

On Thu, Jun 17, 2010 at 01:15:06PM +0200, Peter Koch wrote:
 (2) is covered in the IANA considerations section but while that section
 refers to a formal policy it does not offer guidance for review.
 We should capture the considerations from the most recent as well as
 previous discussions like this:
 
 Additions to the registry will not have and instantly relieving
  effect on those authoritative servers otherwise targetted with
  the queries to locally served zones, it can be expected that
  implementations will refresh the list of zones to serve occasionally
  or based on their update cycles.  For the same reason it can not
  be expected that deletions from the registry will allow the
  removed domain name to be resolved on the public Internet any time
  after such removal.


ANY TIME??  ever?  

how about ... deletions from the registry will allow the domain
names to be resolved on the public Internet at some reasonable
time after removal from the registry.

 
 Regarding (3), while it is useful to seed the registry as broad as
 possible, it is safe to err on the side of refusal that to poison
 a prefix by essentially making it non-reverse-mappable.
 That said, there is consensus to drop section 4.7 and not to add
 the ORCHID prefix (resp. its reverse mapping domain name) to the registry.
 
 On a more editorial side, the document should state its threefold purpose
 in the introduction.
 
 The -14 version should then be ready to go to the AD together with the
 two AS112 drafts as a bundle, meking the cross references resolvable.
 
 -Peter (with hat and Stephen's advice)
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-ietf-dnsop-default-local-zones-13

[bmanning]

On Mon, Jun 14, 2010 at 07:51:14PM -0700, Paul Hoffman wrote:
 At 12:12 PM +1000 6/15/10, Mark Andrews wrote:
 In message p06240867c8385b270...@[10.20.30.158], Paul Hoffman writes:
  At 4:23 PM -0400 6/11/10, Derek Diget wrote:
  Raising hand timidly
 
  In this group!? :-)
 
  Instead of listing the zones in section 4 (which then will get hard
  coded into implementations), follow section 6 and register the zones in
  the new/to-be-created IANA assignment registry.  This will force
  implementations to go look at the assignment registry and maybe more
  aware of the dynamic nature of some of these zones.  As the draft is
  now, some implementors probably will stop reading after section 5. :(
 
  Good call. +1
 
 The zone listed are intended to be stable enough in usage that they
 can be frozen in code.  Zones added to the registry should be of a
 similar level of stability.  It would be a very rare event for a
 zone to be removed from the registry and it would take decades, if
 ever, that the zone would be untainted.
 
 Probably true, but not relevant to the discussion. The idea is to force 
 implementers to look at the registry so that they see *future* additions to 
 it, even if they get there from reading this RFC-to-be.
 
 --Paul Hoffman, Director
 --VPN Consortium

I'll note in passing that the Martian prefix list took less than 30 
days
to be declared valid to use prefixes and it has taken decades to 
eradicate
them as Martians (by killing off code which chose to freeze them 
because of the
stability of classful addressing)...  there are still vestigages of 
this cruft
around.   I can not and do not share Marks naive presumptions about the 
stability
of prefix use.  Guess I've been burned by that assumption twice - don't 
want to
be bit by it a third time.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] BIND use of compiled defaults

[bmanning]

On Tue, Jun 08, 2010 at 02:52:01PM +1000, Mark Andrews wrote:
 
 The zones are consistant with RFC5735 and with operational practice.
 
  So the question -  how common do we expect /32 delegations to become in 
  futur
  e?
 
 From IN-ADDR.ARPA or from some other zone to handle /25-/32 sized
 delegations without using the techniques in RFC2317?  I know there
 are people that argue that one shouldn't do RFC2317 style delegations
 so for the latter I would say a lot.  For the former I don't expect
 any unless we create special purpose blocks smaller than /24.


if you allow 255.255.255.255.in-addr.arpa.  -AS A ZONE-
then i am much more confortable shreding a /24 into 
255 component zones - RFC2317 is designed to do a cut
in the in-addr.arpa space on non-octet alined boundaries 
and since you have demo'd (other than me) the use of 
a zone cut on octet bounds lt /24, I'm a happy camper.

--bill

 
 Mark
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-ietf-dnsop-default-local-zones and the former IP6.INT.

[bmanning]

 as the admin for ip6.int.  the IPv6 wg declared that ip6.int
 should be terminated on 6/6/06 - along with the 6bone.  David
 Conrad removed the delegation shortly there after, even though
 there are still resolvers which look for that delegation instead
 of the ip6.arpa zone - which functions as its replacement.  I had
 proposed using the DNAME construct to allow the 10+ years of 
 resolver code that was/is using ip6.int to continue to function
 well ... but this idea was rejected by the IANA.

--bill


On Tue, Apr 06, 2010 at 03:22:59PM +0200, Alfred Hvnes wrote:
 Folks,
 skimming over your most recent Locally-served DNS Zones I-D,
 draft-ietf-dnsop-default-local-zones-11, I got stuck in section 5.
 
 The 4th paragraph of that section in the draft says:
 
 |  This document also ignores IP6.INT.  IP6.INT has been wound up with
 |  only legacy resolvers now generating reverse queries under IP6.INT
 |  [RFC4159].
 
 I had some vague recollection that IP6.INT had gone out of service
 quite some time ago, and started over to verify that.
 A copy of the INT zone is no more made available online via FTP,
 but I have checked all authoritative name servers for INT., and they
 indeed all consistently respond with NXDOMAIN to any query for IP6.INT.
 
 Recollection starts to leak after 4 years, and for an uninitiated
 reader, the phrase has been wound up seems to be rather ambiguous.
 I'd prefer the draft to state the facts more precisely so that the
 conclusion drawn can be better understood.
 
 Proposed strawman replacement for above clause:
 
 |This document also ignores IP6.INT, which initially hosted the IPv6
 |reverse DNS tree but does not exist any more, after it had been
 |demissed by [RFC4159].  IP6.INT has been wound up with only legacy
 |resolvers now generating reverse queries under IP6.INT.
 
 Kind regards,
   Alfred.
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] FYI: DNSOPS presentation

[bmanning]

On Wed, Mar 31, 2010 at 11:26:53PM -0700, Christopher Morrow wrote:
 On Wed, Mar 31, 2010 at 1:55 PM, Dan Wing dw...@cisco.com wrote:
 
  But Remi's point is that those same systems (running Windows XP
  and IE6) using 6rd will be denied the ability to access content
  via IPv6.  Which removes an incentive for ISPs to add 6rd (and
  offload the NAT44 they may soon have to install).
 
 I'm not sure this is true:
 o the end-station sends a dns query to the ISP recursive resolver
 o the recursive resolver uses whichever protocol is 'best' for the
 lookup (assuming something like BIND's NS RTT caching happens in the
 majority of cases)
 o if the query goes over ipv6, is for a , a  response could be 
 returned
 o if the query goes over ipv4, is for a , no response is returned
 and presumably a follow-up A query happens.
 
 Igor/Yahoo are proposing that recursive resolvers which have v6
 transport use it and be rewarded for doing so... if they have a
 longer/worse path over ipv6 there's a good chance the user experience
 will also suffer, so the users should use v4.

but the ISP recursive resolver has no clue what the end-station
(stub) is going to do with the result of the lookup. nor does
if have any idea what proxies or forwarders are in the interviening
path between it and the stub.

it might look at the transport it received the query on (from the stub),
cache that information, and then recursively ask the authoritative 
servers
for the data (using whichever transport is best for the specific 
lookup
to the authoritative server in question), then send the response back
to the stub - weighting the response data based on the transport the
stub asked the query on.

regardless of how I (the stub) ask the recursive my question, (via IPv4,
IPv6, DECNETPhaseV, NCP, bisync...) the recursive should give me what
i ask for ... if i want  answers then give me  answers, even if
you get the query over LU6.2.   Don't confuse DNS data with transport.

--bill

 
 -chris
 
 -chris
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] [f...@cisco.com: RFC 5006 status]

[bmanning]

- Forwarded message from Fred Baker f...@cisco.com -

This is a structured question for the community.

Jari Arkko tells us that he is getting requests from various sources to take 
RFC 5006 to Proposed Standard. It is now experimental.

http://www.ietf.org/rfc/rfc5006.txt
5006 IPv6 Router Advertisement Option for DNS Configuration. J. Jeong,
Ed., S. Park, L. Beloeil, S. Madanapalli. September 2007. (Format:
TXT=26136 bytes) (Status: EXPERIMENTAL)

(1) Please take a look at the document in the next few days; if you have 
comments on it (eg, you think it should be changed in some way), please comment 
to v6ops.

(2) Vendors, please advise on implementations. Are there any? Has 
interoperability been demonstrated?

(3) Operators, enterprise and/or service provider, please advise on deployment 
experience.


I'm adding a brief discussion to the agenda Monday morning with a view to 
getting a quick thumbs-up/thumbs-down to advise Jari, who can then take that to 
6man later in the week if appropriate.



BTW, I have had a flurry of email related to the agenda. The current agenda may 
be found at http://www.ietf.org/proceedings/10mar/agenda/v6ops.html

- End forwarded message -

morning folks... any thoughts on this draft changing status?

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] bar-bof - DSauto?

[bmanning]

On Thu, Mar 04, 2010 at 08:11:13AM -0500, Edward Lewis wrote:
 At 4:30 + 3/4/10, bmann...@vacation.karoshi.com wrote:
 
  I'd like to suggest monday - 1500-1700
 
 We can talk then, but the wheels were in motion to put it on 
 Wednesday.  The reason for that was the crowd coming for the Escrow 
 BoF has a good grip on the requirements (which is needed before 
 figuring out the mechanism).
 

great! i suspect that both slots would be productive.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] automatic update of DS records

[bmanning]

On Tue, Mar 02, 2010 at 10:04:46AM +0100, Wolfgang Nagele wrote:
 Hi,
 
  granted that this discussion is important and folks
  interested in this might be at the IETF77, could we
  either have a bof (formal) or a small lunch mtg 
  during the week of IETF77?
  
  I'd be glad to attend.
 There has been interest in this at least since IETF75. Anyway, a BoF is a good
 idea. I will not be in Anaheim since the DURZ roll-out for K is in that week.
 However Matthijs (in CC) has done the heavy lifting on the current draft and 
 is
 going to be there and he agreed to attend the BoF.
 
 Cheers,
 Wolfgang

long before IETf75... :) looks like a BOF is out of the question
(too late) .. will have to be informal.  and good luck w/ the DURZ

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] automatic update of DS records

[bmanning]

On Tue, Mar 02, 2010 at 08:05:38PM +, Alex Bligh wrote:
 Ed,
 
 --On 2 March 2010 14:39:45 -0500 Edward Lewis ed.le...@neustar.biz wrote:
 
 Telling someone one to change the name server from ns1.example.tld. to
 newdns.example. or 127.0.10.2 to 192.0.2.3 is easier than saying
 change something from:
 94DC01F2763CCB12F4B66AC63910830BC34082F6FE95CD75DAA3C5B37F99DD81
 to:
 6CDE2DE97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D
 
 So, if the registrar is running DNS, then he pushes the DS keys directly
 using EPP or whatever. And the problem arises, if I understand it right,
 when someone other than the registrar (or for that matter the registry) is
 generating the information that goes in the DS record. And whilst
 nameservers (for instance) are likely to be static, this is relatively
 volatile.
 
 My concern is that whatever automatic update mechanism you choose has
 to use some greater level of security than merely relying on the
 zone being signed. So to pick a trivial example
 _DSKEY IN TXT [blob]
 isn't going work, because if you are changing the DS key because
 you fear your keys may have been compromised, that can be compromised
 too. I may be having a failure of imagination but I don't immediately
 see how without some external authentication (yet another key) you
 can securely automatedly push DS key changes about.
 
 -- 

hum... maybe I should be hounding Ed on this... but I think we should
draw a bright line...  we are (imho) talking about pushing DS records
from child to parent.  entirely w/in the perview of the DNS protocol/wg.

for non-DNSprotocol players (registries/registrars/registrants) that use
EPP or its varients for pushing DNS data around - thats not w/in scope.
at least for this WG's consideration.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] automatic update of DS records

[bmanning]

On Wed, Mar 03, 2010 at 01:40:53PM +1300, Jay Daley wrote:
  there is a problem w/ cut/paste ... surely we could do better than that?
 
 I'm sure we could and an automated update of DS records is a good idea.  But 
 my point is that in the absence of a similar automated mechanism for NS 
 records we use cut and paste and it works fine and there is nothing about DS 
 records that is any more complicated so cut and paste would work fine there 
 too.
 
 Jay

the trick there is that an NS update is somewhat humanly parsable.  if 
a cut/paste
cocks up, its fairly easy to tell.  in my limited experience, DS 
records are not
quite as humanly parsable and a cut/paste error is more likely to slip 
through.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] Hues

[bmanning]

On Tue, Feb 23, 2010 at 07:09:12AM -0800, Todd Glassey wrote:
 
 As I have said, there is no difference between this and the Jim Crow 
 actions which separated blacks from the white population in then US and 
 the application of the concept of racially unfit parties as Trolls 
 within the IETF, which also of course brings us to the question of how 
 many people of color are management within the IETF?.
 
 Have a nice day.
 
 Todd Glassey

Why thank you, I will.  And the same to you.
In answer to your question; how many people of color are management
within the IETF? I think I have an answer for you.

All of them.  No person that I am aware of in the ietf management
chain are transparent - all reflect light at various points on 
the spectrum.  With this information, you may now make the claim
that the IETF management is opaque, lacking transparency... and
you would be technically correct.

any other little questions bothering you that we might help with?

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] rfc4641bis: ZSK-roll-frequency

[bmanning]

thanks paul.  

 
 That might be draft-hoffman-dnssec-ecdsa. I let it expire earlier this month 
 because the DNSEXT WG is still not clear on the allowable statuses for crypto 
 documents, but have today revived it based on your comment.
 
 If you don't consider this to be a good draft, I am quite open to 
 suggestions for improvement!
 
 --Paul Hoffman, Director
 --VPN Consortium
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Priming query transport selection

[bmanning]

On Wed, Jan 13, 2010 at 09:53:16PM +, Jim Reid wrote:
 On 13 Jan 2010, at 21:35, Alex Bligh wrote:
 
 You've eliminated TCP fallback for non-DNSSEC supporting clients.
 
 So add that to the list:
   [6] TCP (no EDNS0) if [5] fails.
 

dnssec is just the first extention to reliably tickle the size/frag
issues with large UDP responses.  Whatever you blokes come up w/ please
don't make it feature specific.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Computerworld apparently has changed DNS protocol

[bmanning]

On Wed, Nov 04, 2009 at 11:09:53AM -0800, Nicholas Weaver wrote:
 Question:  Have people been able to estimate how large the signed root  
 zone response will be?
 
 I'm assuming its below the magic 1500B level for standard queries.  Is  
 this correct?
 
 Oh, and one thing to watch out for:  Some IP stacks I've noticed will  
 set DF on UDP datagrams, if the datagram is too small to require  
 fragmentation onto the local network!
 
 Add this to the list of things DNS operators need to watch out for  
 when turning on DNSSEC.
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop


David Conrad, ICANN maven and one-time IANA manager, posted some numbers
from their DNSSEC testbed a month or so back.  Responses were just under
1800 bytes. 

The current deployment plan is to stage things to push out large 
responses
early - prior to having any actual DNSSEC usable data ... ostensibly to
flush out DNSmtu problems.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] [dnsext] Computerworld apparently has changed DNS protocol

[bmanning]

cool eh?  although I suspect she ment responses.

--bill



On Wed, Nov 04, 2009 at 07:58:41PM +0100, Alfred Hvnes wrote:
 Interesting News!
 
 There must be a hidden trick to introduce DNS Jumbograms we just
 forgot to mention 
 
 
 In a press article [1] entitled
 Root zone changes may shake up Net in Africa,
 Computerworld wrote:
 
 | From January 2010, ICANN will implement DNSSEC -- using a technique
 | also known as root signing -- on the root zone, which will affect
 | the performance of the Internet.  Currently, queries from domain
 | servers to the root are 512 kilobytes or less, but DNSSEC will make
   ^^^
 | them larger because it introduces new signatures and keys as part
   ^^^
 | of the security features.
 
 
 :-}
 
 
 [1]
   
 http://www.computerworld.com/s/article/9140123/Root_zone_changes_may_shake_up_Net_in_Africa
 
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00

[bmanning]

On Wed, Oct 21, 2009 at 08:32:49AM +0100, ray.bel...@nominet.org.uk wrote:
  Mark, I din't think this is true given how the proposed protocol
  works.  For a start, you often cannot fetch the DNSKEY RR for ARPA
  before running the protocol.
 
 Indeed LOCAL.ARPA would need to be unsigned.  That needs to be added to 
 the draft.
 
 Since (as Bill points out) LOCAL.ARPA would be served much like RFC 1918 
 space there's no way it could be signed and have the DS key present in the 
 parent, because there will be numerous separate instances of LOCAL.ARPA. 

well...  there are these cases where an island of trust
gets its DS keys treated as a SEP and folks configure them
anyway.

and I'm sure we can get some kind folks to ensure that no one
-EVER- shares a trusted keys file with others.

just saying.

--bill

 
 In any event the seeding query needs to be sent without the DO bit set, 
 since (some) CPE proxies are known to interfere with that.
 
 Ray

 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Fw: New Version Notification for draft-bellis-dns-recursive-discovery-00

[bmanning]

On Tue, Oct 20, 2009 at 07:38:19PM -0400, Joe Abley wrote:
 
 On 2009-10-20, at 19:29, Mark Andrews wrote:
 
 ARPA will soon be signed, so I don't think this is much to worry
 about.  If the powers that be finally agree to make NXDOMAIN/NODATA
 synthesis the default in the upcoming minor DNSSEC revision, this  
 will
 also help to cut down the number of requests.
 
 And LOCAL.ARPA would need to be a unsigned delegation.
 
 Could you explain this? The draft under discussion specifies that  
 LOCAL.ARPA is not to be delegated at all, so your sentence above  
 confuses me.
 
 

Think ... kind of like RFC 1918 prefixes are not supposed to be 
advertized.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

[DNSOP] RSST study is out

[bmanning]

http://www.icann.org/en/committees/dns-root/root-scaling-study-report-31aug09-en.pdf

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Key Management and Provisioningl was Re: .PR ...

[bmanning]

 a few of us actually did a little work in this area three or four years
ago - did working proof of concepts - and were promptly ignored.
(the claim was - this work was premature)

--bill


On Tue, Sep 08, 2009 at 01:23:51PM -0400, Edward Lewis wrote:
 At 13:13 -0400 9/8/09, Paul Wouters wrote:
 
 At least for TLD's, we expect this to be fixed in December with a signed 
 root.
 
 The root may be signed by then.  But I have not seen plans for an 
 interface for the TLDs to use to submit key material.
 
 I am not sure what appliance or software setup '.pr' uses, but it should 
 have
 never allowed to finish the key rollover with the bad key in the ISC DLV.
 
 Avoiding addressing just the symptoms, I will say that the most 
 annoying part in documenting SEP supercession is that we have to 
 wave our hands at that point and say when we notice that the 
 $parent has changed the DS record we proceed to the next step. 
 Besides this hand waving, it's impossible to script this into a test 
 plan.
 -- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Edward Lewis
 NeuStarYou can leave a voice message at +1-571-434-5468
 
 As with IPv6, the problem with the deployment of frictionless surfaces is
 that they're not getting traction.
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] comments about draft-morris-dnsop-dnssec-key-timing

[bmanning]

On Tue, May 19, 2009 at 02:38:01PM +0100, John Dickinson wrote:
 Sz sez...
 
 Please don't change this. Making finer distinctions in one document,
 clearly defined, is one thing. But please don't try to change
 terminology we're finally starting to get people to use; it's been
 (and continues to be) hard enough to get them to stop talking about
 one key and the singular act of signing.
 
 
 This was kind of my idea - so maybe I can explain my thinking a bit. I  
 am wondering if this document should restrict itself purely to  
 considering keys and say nothing about what is signed by those keys.  
 Therefore, it would not use the KSK and ZSK terminology.
 
 You could have keys with the following set of properties:
 - how they are rolled (pre-publish or double key)
 - the SEP bit on or off
 - bit 7 (zone key bit always set)
 - bit 8 revoked bit
 - protocol == 3
 - an algorithm
 - a size
 - is this key intended to be pointed to by a DS RR?
 - is the zone operator doing RFC5011?

are you going to focus on the key, its intended/expected use
or something else (the signatures or the items covered by the
signatures...)

 Some of these properties impact on, or are altered by, timing  
 considerations.

for the key... timing is immaterial. only the signature 
has a temporal consideration.  unless you want to equate
key visability with time.

 
 Some combinations of these properties make useful keys and it may well  
 be best practice to use them to sign particular RRSets. However, I  
 wonder if this draft is the place to comment on that issue - would it  
 be better in a BCP. This draft could just consider the timing  
 considerations for keys with particular (anticipated to be useful)  
 sets of properties and be pointed to by a BCP which says which  
 properties a good KSK, ZSK or anotherSK should have and what RRSets  
 they actually sign.
 
 John
 
 ---
 John Dickinson
 http://www.jadickinson.co.uk
 
 I am riding from Lands end to John O'Groats to raise money for  
 Parkinson's Disease Research. Please sponsor me here 
 http://justgiving.com/pedalforparkinsons2009
 
 
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] WGLC: DNSSEC Trust Anchor Configuration and Maintenance

[bmanning]

On Tue, May 12, 2009 at 04:28:01PM -0400, Paul Wouters wrote:
 On Tue, 12 May 2009, Olafur Gudmundsson wrote:
 
 Section 3: Priming can occur when the validating resolver starts, but a 
 validating resolver SHOULD defer priming of individual trust anchors 
 until each is first needed for verification. I disagree with this as a 
 SHOULD; may want to is much more appropriate. I see nothing wrong with 
 wanting to get the first round of crypto out of the way at startup.
 
 Good point,
 How about s/SHOULD/MAY want to/ ?
 
 I think that would be COULD then

i think i am going to weigh in on th eother side of the coin here.
I'd posit s/SHOULD/SHOULD NOT/ ... Is there any good reason why 
validation and resolution need to be in lock-step?

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] dns data exchanged between host and local dns-sever

[bmanning]

On Thu, Apr 30, 2009 at 02:15:48PM +0800, madi wrote:
 Hi, Stephane.
  
 To give a countermeasure, the response from a recursive sever might as well 
 be cached in form of both plaintext and ciphertext which is generated by the 
 very recursive server. Thatbcursive server and authoritative name-server is 
 secured by DNSSEC, a similar course should be followed by the recursive sever 
 right after the DNSSEC verification.
  

this presumes that the query to the authoritiative server is not 
intercepted and
replied to by a rogue nameserver -first-

the primary benefit to DNSSEC is that it protects the integrity of the 
data - regardless
of where it is coming from.  if the cache is corrupted/poisoned, the 
data will fail to 
validate - and depending on your validator response - will fail 
resolution.

what is missing/needed here is a way for a validator to mark a 
recursive server as bad
and find/select an alternate server...  which is outside the scope of 
the DNSSEC design.


 Once the requester, a PC typically, gets the response in dual forms, it can 
 then verify the correlation between them. If so, even the attacker has 
 poisoned the DNS information cache, yet the two forms of poisoned cache, 
 plaintext and ciphertext, could not be in accordance with each other. 
 Consequently, the verification to them by a requester will never pass and 
 then the phishing would be avoided.

DNSSEC already does this. 
  
 With respect to the generation and the distribution of the key for the 
 ciphertext mentioned above, further deliberation is needed.
  
 Any critical will be appreciated.
 
 
 2009-04-30 
 
 
 
 madi 
 
 
 
 ed;6d::o Stephane Bortzmeyer 
 ei
f6i4o 2009-04-23  19:40:15 
 f6d;6d::o Scott Rose 
 f
i
o m...@cnnic.cn; dnsop 
 d8;io Re: dns data exchanged between host and local dns-sever 
  
 On Thu, Apr 23, 2009 at 07:10:13AM -0400,
  Scott Rose  sco...@nist.gov  wrote 
  a message of 65 lines which said:
 
 Those are the DNS protocol mechanisms in place.  There is also lower
 level security technologies such as IPsec that could be used between
 stub clients and recursive servers that don't rely on DNSSEC at all.
 
 TSIG, IPsec and friends have all the same issue: they check that the
 response does come from the intended resolver, not that the response
 is authentic. At a time where any hotel provides Internet access with
 a lying resolver, this is probably not sufficient.

 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Key sizes

[bmanning]

Yo Joe,

many moons back, it was pointed out to me by some cryto folks that 
there is an
interesting relationship btwn key length and signature duration.  One could 
make the argument
that for persistent delegations, you might want to ensure longer length keys 
and possibly
longer duration signatures than you might have for a DHCP lease whos's lifetime 
is 20 minutes.
e.g. a leaf assignment that lasts no longer than 20 minutes might not 
justify the
operational cost of a 4096bit key generation/propogation, while a well-known 
TLD (.JOE)
might well justify a 4096bit key.  you might say that key length should/could 
be inversely
proporational to the delegation placement in the namespace.

but you knew this.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] dns data exchanged between host and local dns-sever

[bmanning]

On Thu, Apr 23, 2009 at 06:32:38PM +0800, i),h?* wrote:
 Hi, folks.
  
 As we all know, DNSSEC provides origin authentication and integrity assurance 
 services for DNS data exchanged between DNS resolver and name-sever, while 
 DNSSEC fails to give a means by which the DNS queries or responses 
 transmitted between a host and a recursive server could be guaranteed 
 integrity and authentication. For example, a malicious attacker might hijack 
 the DNS query form a host and fake a response which will help he commit 
 phishing. So I wonder, is there someone having a certain solution, more 
 exactly a software implementation on host, to protect against such attack?
 
 2009-04-23 
 
 m...@cnnic.cn


As mentioned elsewhere,  TSiG, GSS-TSiG,  and IPSEC are all forms of channel 
security. The 
unfortunate truth is, these are unwieldy when managing large numbers of 
connections.  for a 
slightly more scaleable solution, you might consider SIG(0).  -  All of these 
are defined in
RFC's and there are several interoperable implementations.

Other channel security ideas that are floating around (but have nto gained 
traction in the
IETF or market) are:

EDNS-PING
DNS-CURVE



--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] dns data exchanged between host and local dns-sever

[bmanning]

On Thu, Apr 23, 2009 at 12:52:37PM -0400, Edward Lewis wrote:
 At 8:43 -0700 4/23/09, David Conrad wrote:
 
 root servers). However the point is that you need to do the validation
 someplace you can talk securely to.  The easiest answer is to simply do the
 validation on the same host.
 
 I figure stub resolvers were needed when cpu/bandwidth/memory were a bit
 more expensive than now.  It seems a shame to constrain our architecture
 to the '80s...
 
 OTOH, for the one of the same reasons DHCP is so popular, that is 
 centralized local management, it is desirable (in some instances) to 
 have the validation done in the commons and not in end hosts.
 -- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Edward Lewis


locus of control.

i happen to agree w/ David here.  there really is no serious technical
hurdle for moving a full-bore DNS IMR into most platforms these days
(modulo the RFIDs and some of the IoT stuff).

the upsides are huge for mobility, ad-hoc, and temporally disconnected
networks.

the downsides are the LEOS (protecting our security), and the Shylocks
who need to collect what remains of the lunch money.  


--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] MX 0 . standard way of saying we don't do email ?

[bmanning]

On Fri, Apr 10, 2009 at 04:19:03PM -0400, Edward Lewis wrote:
 At 13:04 -0700 4/10/09, SM wrote:
 
 This message ( 
 http://www.ops.ietf.org/lists/namedroppers/namedroppers.2005/msg00944.html 
 ) and some other messages on the ietf-smtp mailing list could be 
 read as a lack of support for the draft.
 
 Don't confuse disinterest with disapproval. ;)
 -- 

come on ed, just 'cause you disapproved of sub-typing TXT records...


--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Some second-hand remarks on draft-liman-tld-names-00.txt

[bmanning]

On Tue, Mar 10, 2009 at 10:27:21AM +0100, Stephane Bortzmeyer wrote:
 On Mon, Mar 09, 2009 at 01:04:42PM -0400,
  Andrew Sullivan a...@shinkuro.com wrote 
  a message of 59 lines which said:
 
  John's view is that the original alphabetic restriction in 1123
  was indeed intended as a restriction,
 
 I was not there at the creation but I find it worrying to rely on the
 recollection of one specific person. The alphabetic-only rule in RFC
 1123 is just a side note, never detailed, and presented as a fact
 (which it was at this time), not as a mandatory restriction.

we -could- ask the author of RFC 1123.


--bill 
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

[bmanning]

On Tue, Mar 10, 2009 at 08:35:40AM +1100, Mark Andrews wrote:
 
 In message 200903091515.n29ffetp055...@stora.ogud.com, Olafur Gudmundsson 
 wri
 tes:
  --===0733757033==
  Content-Type: multipart/alternative;
  boundary==_777355448==.ALT
  
  --=_777355448==.ALT
  Content-Type: text/plain; charset=us-ascii; format=flowed
  
  At 13:46 06/08/2008, Paul Hoffman wrote:
  Greetings again. The end of section 2 of this document says:
  Another advantage of configuring a trust anchor using a DS record is
  that the entire hash of the public key in the DS RDATA need not
  necessarily be specified.  A validating resolver MAY support
  configuration using a truncated DS hash value as a human-factors
  convenience: shorter strings are easier to type and less prone to
  error when entered manually.  Even with a truncated hash configured,
  a validating resolver can still verify that the corresponding DNSKEY
  is present in the trust anchor zone's apex DNSKEY RRSet.  RFC 2104
  [RFC2104] offers guidance on acceptable truncation lengths.
  
  This is not correct. You cannot say here is the SHA-256 hash of a 
  value and then give less than 256 bits of the hash. If you wanted 
  to do this, you need to define the truncated hash and use that new 
  hash algorithm. So far, none of these truncated hashes have been 
  defined for DNSSEC, although ones could be defined.
  
  Further, it is somewhat optimistic (and possibly sadistic) to think 
  that a user can type Base64 by hand for more than maybe ten 
  characters. This document should assume that the user is using 
  copy-and-paste, and therefore using the full 256 bits of the hash is 
  just as easy as using a truncated hash. If not, new, inherently 
 weaker, truncated hash algorithms need to be defined.
  
  --Paul Hoffman, Director
  --VPN Consortium
  _
  
  You are not the first person to bring this issue up, and upon reflection
  we have dropped truncation discussion.
  
   Olafur
 
   On a related issue DS - DNSKEY translations cannot be
   performed until the DNSKEY is published in the zone.  The
   use of DS prevents pre-publishing of keys.
 
   I can see no real reason to recommend that DS records be
   published in preference to DNSKEY records.
 
   DNSKEY - DS is a conversion that can be at anytime.
 
   This make DNSKEY a better manditory record to publish.
 
   Mark
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop


if the child produces the DS, then the TTL is preserved.
if the parent produces the DS, then the TTL is not.

i'd think that would be a reason to use DS as the record to 
publish.


--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Truncation discussion in draft-ietf-dnsop-dnssec-trust-anchor-02

[bmanning]

On Tue, Mar 10, 2009 at 12:55:51PM +1100, Mark Andrews wrote:
 
 In message f7c89744-a1ca-4fd6-b793-2f4e337e3...@verisign.com, David Blacka 
 wr
 ites:
  
  On Mar 9, 2009, at 5:35 PM, Mark Andrews wrote:
  
 On a related issue DS - DNSKEY translations cannot be
 performed until the DNSKEY is published in the zone.  The
 use of DS prevents pre-publishing of keys.
  
  Huh?  You can generate a DS from the DNSKEY record that you have  
  generated but not yet published, so you can pre-publish the DS just as  
  soon as you could pre-publish your DNSKEY.  As for actually *using*  
  the DS as a trust anchor, you can't use either the DS or the DNSKEY  
  prior to actually publishing and *using* the DNSKEY.  Or maybe I just  
  don't understand your point.
 
   When you pre-publish a DS you prevent implementations that
   use DNSKEYs from taking advantage of that pre-publication.


sounds like an implementation bugll


--bill


 
   When you pre-prepublish DNSKEYs implementations that use
   DS or DNSKEYs can taking advantage of that pre-publication.
 
 I can see no real reason to recommend that DS records be
 published in preference to DNSKEY records.
  
  They are small and easier to eyeball as correct.
  
 DNSKEY - DS is a conversion that can be at anytime.
  
 This make DNSKEY a better manditory record to publish.
  
  I don't follow.
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] I-D Action:draft-liman-tld-names-00.txt

[bmanning]

does this mean my chances for  ^B. are nil?  :)

--bill


On Sat, Mar 07, 2009 at 12:07:01PM +0100, Patrik Fdltstrvm wrote:
 On 6 mar 2009, at 21.54, Edward Lewis wrote:
 
 And, from what I have heard, I believe display issues is at the  
 heart of the problem.
 
 I'm sure Patrik is active in the IDNABIS WG.  So if it is an issue,  
 he'd have spoken about it.
 
 Yes, active there, following this list.
 
 Still, seriously, all this aside, I doubt we will ever want  
 manpages.5 as a domain name.
 
 I think regarding digits in TLDs (or rather, non-letters), this is the  
 right time when one definitely should have the basic rule to not add  
 something until it breaks, but instead, only add things we do know  
 will not create any harm. And I think within those basic rules, we  
 should just say no to digits in TLDs. Anywhere. Or rather, every  
 character in a U-label in a TLD have to have an explicit directionality.
 
 I think it is time to not have a general rule lets add something if  
 not proven that adding will create harm, but instead lets add  
 something only if proven that it absolutely not does create any harm,  
 and then have the people that want certain dangerous characters in  
 there explain why it is safe.
 
Patrik
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www.ietf.org/mailman/listinfo/dnsop
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Potential root impact of draft-wing-behave-learn-prefix-00

[bmanning]

On Thu, Nov 20, 2008 at 12:14:45PM +0100, Florian Weimer wrote:
 I came across the following in some IPv6-related draft and thought I'd
 share it.
 
 |3.1.  Using DNS to Learn IPv6 Prefix and Length
 |
 |   In order for an IPv6 host to determine if a NAT64 is present on its
 |   network, it sends a DNS query.  Because a host doesn't always know
 |   its network's default domain name, the procedure described below
 |   provides a way for the host to learn it in order to authorize that
 |   network's address family translator:
 |
 |   1.  Send a DNS  query for _aft_prefix, without a domain name.
 |   If this does not return an IPv6 address it means a address family
 |   translator is not present and processing MUST stop.
 
 [...]
 
 |   3.  If validation of this information is not necessary, then:
 |
 |   a.  Send a DNS TXT query for _aft_prefix, without the domain
 |   name, to learn the number of bits of the prefix.
 |
 
 [...]
 
 |  Discussion:  without a domain name, it is unavoidable that root
 |  nameservers will see this query.  Need to think about ways to
 |  reduce the effect of those queries (e.g., make them authoritative
 |  and return all 0's which will get cached).
 
 So they are aware that this is broken.  Let's hope that this type of
 service discovery through a fraction DNS root doesn't make its way
 into the final standard.

would they complain if the roots actually provided an authoritative
answer (other than NXDOMAIN) at some point in the future?

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Cache poisoning on DNSSEC

[bmanning]

On Thu, Aug 28, 2008 at 12:04:15AM -0400, Brian Dickson wrote:
 
 The DS may be provided by the operator of the subordinate zone, or built 
 by the parent operator,
 most likely the latter.


thats an interesting premise.  
why do you think this will be the case?

(I would posit that the folks generating the DNSKEY will also 
want to generate the DS hash on their known, trusted signing tools
instead of trusting the parent w/ the DNSKEY materials)


 Brian


--bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Cache poisoning on DNSSEC

[bmanning]

On Fri, Aug 29, 2008 at 10:23:53AM +1000, Mark Andrews wrote:
 
   - The parent is already trusted with DNSSEC tools, since the parent is 
   signing the parent's zone (including the DS record!)
  
  assuming facts not in evidence. there is active discussion 
  about having unsigned zones w/ DS records included.
 
   Well you are not talking about DNSSEC 4035 then.  Such DS
   records are just noise to DNSSEC 4035.

Well, i never said I was talking abt DNSSEC 4035. (what is that
anyway?  DNSSEC as defiend by RFC 4035?)  I was talking about 
who generates DS rr's.  Brian postualates the parent is always
ready and willing to do so, I disagree, based on empirical 
evidence.

--bill

   Mark
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Public Suffix List - Please move discussion to dnsop

[bmanning]

 
 http://publicsuffix/learn/ has more info (and I've just checked in
 another update, which should be visible in the next day or so. There's a
 human in the update loop).
 
 Gerv
 ___

that URL does not resolve in the way you might
expect.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] WGLC: Considerations for the use of DNS Reverse Mapping

[bmanning]

I'm going to ask this question here too..  are we talking about the DNS
or are we talking about an applications use of data published in the DNS?

i see this draft in the context of the historical DNS ... it is a mapping
service,  a name to an address AND an address to a name.  the mapping service
is OPTIONAL ... the Internet does not now (and should NEVER) depend on this
service being available for any other service to work.

I think a key point here is that -reciprocity- is and should be highly valued
feature of DNS provisioning.

that said, if one provisions mapping in one direction, it should also be
provided in the other.  

e.g.  

label1 == address1  implies   address1 == label1

so, if it is legal to have this construct:

label == address1
  == address2
  ...
  == addressN

then this construct should also be legal:

address == name1
== name2
...
== nameN

what we have is a mess

label1 == address1918
address1918 == lable8

which, while technicallu legal, violates the spirit of the 
lema posited above, as does;

label35 == address1918
and address1918 has no matching label.


we now return you to your SMTP coloured discussion.

--bill
___
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-licanhuang-dnsop-urnresolution-00

[bmanning]

On Wed, Dec 05, 2007 at 02:10:52AM +, Lican Huang wrote:
 If  SEARCH outside DNS were full power, then  DNS would disappear soon.  And 
 all DNS registrar companies would broken out.

perhaps you are right.  at this point we don't have enough data.

   What is the difference between www.microsoft.com and www.jksdfjsdfdfsdf.com 
  if they represent for the same address of  http page?  We can browser the 
 micorsoft's web page through the link of the SEARCH output easily.  But if 
 microsoft company used www.jksdfjsdfdfsdf.com  for its domain name,   then 
 what useful this kind of  DNS  would exist? 

at what poiint in time did the string microsoft gain any sort
of human memorable meaning?  what would have been the result if
Bill Gates named his new company jksdfjsdfdfsdf?  25 years
later, it would be a globally recognizable mark and you would   
be arguing over other strings.


   My opion is that in the future if DNS would survive, DNS must have some 
 reform.

you are entitled to your opinion.  others are entitled to thier
opinions as well.  you seem to have failed, this time, to persuade
people that adding search to the DNS is a wise  prudent thing for
the evolution of the protocol.  im my own case, having implemented
rudimentary search in the DNS - i can't recommend it for anyting
other than as an interesting academic exercise.  the pieces
you have written drafts about fail to include a key, critical 
component of a DNS with Search capability.  Still, an interesting
stab at a perceived problem.  It might make more sense if you actually
had all the required peices documented.

--bill

   
 [EMAIL PROTECTED] wrote:
   On Tue, Dec 04, 2007 at 04:27:06AM +, Lican Huang wrote:
  When Ipv4 addresses will be Exhausted in the near future and the next 
  generation Intenert( Ipv6) will take over, DNS names will also be exhausted 
  soon with the increase of hosts and users. Lenny Foner has pointed other 
  disadvantage in the today's DNS.
  Please see the section of What's broken? in the article of Lenny Foner in 
  http://www.cfp2000.org/workshop/materials/projects-dns.html.
 
 Full IPv4 utilization and increasing use of IPv6 is completely
 orthonginal to DNS label exaustion. Some have argued that all
 the good names are taken; e.g. the DNS is exausted. This was
 first proposed in 1996 (to my memory) yet more than a decade later,
 we see that the domain name system is robust and growing.
 With the inherent hierarchical structure of the DNS lable, the 
 mathmatical upper bound is pretty high and we are no where near 
 DNS name exaustion. If you have actual data indicating otherwise,
 I'd love to see the studies.
 
  
  Domain Names in DNS must have some human-understanding meaning it, 
  otherwise, we can just use IP addresses or numerials for the names. In 
  other words, if we use human-not-understanding Names in DNS, the DNS system 
  can be throwed away.
  
  The draft namespace is different with the today's DNS namespace. But, due 
  to the exhaustion of Names in DNS in the near future, The DNS will add new 
  domains.
  Why adding new domain names with semantic meaning in the future?
 
 DNS names do not -HAVE- to have human understandable components.
 In many cases, this is highly desired -BUT- is not required for
 use. And yes, numeric literals have been used in the past. 
 Use of the IP address instead of the name is one of the failures
 of application design. The IP address indicates WHERE a node is 
 in the Internet topology, not the identity of the node. The
 Name is the indicator of the node IDENTITY. the DNS maps names to
 addresses and makes no assurance as to the human friendliness of the
 name or the reachability of the address. Your assertion that the
 DNS system can be thowed away is vacuously true. If you find it
 non-useful, there is no requirement for you to use it. Many people
 use the DNS to get a lable, memorable or not, and then use other
 tools to map that lable into something meaningful... e.g. SEARCH.
 It does not invalidate the use of the DNS in any way.
 
  
  This draft can be used for search the locatons of the resources if the DNS 
  using classified hierarchical Domain Names. 
  
 
 I think I prefer SEARCH to be outside the DNS (having actually
 built a varient of the DNS which supported regular expression
 expansion of the ? and * characters...)
 
 Your milage will vary.
 
 --bill
 
 
  Mohsen Souissi wrote:
  I have read the I-D as well and I second Joe's point of view and his 
  arguments below.
  
  Mohsen.
  
  On 03 Dec, Joe Abley wrote:
  | Hi,
  | 
  | I have read your draft, draft-licanhuang-dnsop-urnresolution-00.
  | 
  | The question was raised just now in the dnsop working group meeting in 
  | Vancouver as to whether the content of this draft was suitable for 
  | adoption as a working group item. The question was triggered 

Re: [DNSOP] draft-licanhuang-dnsop-urnresolution-00

[bmanning]

On Tue, Dec 04, 2007 at 04:27:06AM +, Lican Huang wrote:
 When Ipv4 addresses will be Exhausted in the near future and the next 
 generation Intenert( Ipv6) will take over,  DNS names will also be exhausted 
 soon with the increase of  hosts and users. Lenny Foner  has pointed 
 other disadvantage in the today's DNS.
   Please see the section of What's broken? in the article of Lenny Foner in 
   http://www.cfp2000.org/workshop/materials/projects-dns.html.

Full IPv4 utilization and increasing use of IPv6 is completely
orthonginal to DNS label exaustion.  Some have argued that all
the good names are taken; e.g. the DNS is exausted.  This was
first proposed in 1996 (to my memory) yet more than a decade later,
we see that the domain name system is robust and growing.
With the inherent hierarchical structure of the DNS lable, the 
mathmatical upper bound is pretty high and we are no where near 
DNS name exaustion.  If you have actual data indicating otherwise,
I'd love to see the studies.


   Domain Names in DNS must have some human-understanding meaning it,  
 otherwise, we can just use IP addresses or numerials for the names.  In other 
 words, if we use human-not-understanding  Names in DNS, the DNS system 
 can be throwed away.

   The draft namespace is different with the today's DNS namespace. But,  due 
 to the exhaustion of Names in DNS in the near future, The DNS will add new 
 domains.
   Why adding new domain names with semantic meaning in the future?

DNS names do not -HAVE- to have human understandable components.
In many cases, this is highly desired -BUT- is not required for
use.  And yes, numeric literals have been used in the past. 
Use of the IP address instead of the name is one of the failures
of application design.  The IP address indicates WHERE a node is 
in the Internet topology, not the identity of the node.  The
Name is the indicator of the node IDENTITY.  the DNS maps names to
addresses and makes no assurance as to the human friendliness of the
name or the reachability of the address.  Your assertion that the
DNS system can be thowed away is vacuously true.  If you find it
non-useful, there is no requirement for you to use it.  Many people
use the DNS to get a lable, memorable or not, and then use other
tools to map that lable into something meaningful... e.g. SEARCH.
It does not invalidate the use of the DNS in any way.


   This draft can be used for search the locatons of the resources if the DNS 
 using classified hierarchical  Domain Names. 


I think I prefer SEARCH to be outside the DNS (having actually
built a varient of the DNS which supported regular expression
expansion of the ? and * characters...)

Your milage will vary.

--bill


   Mohsen Souissi [EMAIL PROTECTED] wrote:
   I have read the I-D as well and I second Joe's point of view and his 
 arguments below.
 
 Mohsen.
 
 On 03 Dec, Joe Abley wrote:
 | Hi,
 | 
 | I have read your draft, draft-licanhuang-dnsop-urnresolution-00.
 | 
 | The question was raised just now in the dnsop working group meeting in 
 | Vancouver as to whether the content of this draft was suitable for 
 | adoption as a working group item. The question was triggered by the 
 | presence of dnsop in the draft name.
 | 
 | I have read your document. I do not believe it is a suitable basis for 
 | a dnsop working group item. Specifically:
 | 
 | 1. The document describes a namespace which is substantially different 
 | form what is available in the DNS today. The existing DNS namespace is 
 | not addressed at all.
 | 
 | 2. The document seems to address an extension to (or an application 
 | for) the protocol described in draft-licanhuang-dnsop-distributeddns, 
 | which (to this reader) seems clearly not to be the DNS, at least any 
 | conventional meaning of that term.
 
 

 -
  Support the World Aids Awareness campaign this month with Yahoo! for Good
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www1.ietf.org/mailman/listinfo/dnsop


___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] AS112 LOA?

[bmanning]

On Wed, Nov 28, 2007 at 08:15:51AM -0500, Joe Abley wrote:
 
 On 27-Nov-2007, at 10:23, Paul Vixie wrote:
 
 [EMAIL PROTECTED] (Warren Kumari) writes:
 
 ... What do people think about setting up a legal entity called RSTOA
 that would then perform some very simple checks before handing out  
 a LOA?
 
 RSTOA is an existing unincorporated association.  you can ask it to  
 do this
 kind of thing.  just find any root name server operator and make  
 your case.
 (a convenient list of same can be found at http://www.root-servers.org/ 
 .)
 
 So, would it be possible for one or more of the root server operators  
 to prepare a generic-yet-official-looking LOA on suitable letterhead  
 and perhaps stash it on www.root-servers.org somewhere?
 
 Such an LOA would probably be less remarkable to your average transit  
 provider; the response to here's a signed LOA as a PDF is certainly  
 likely to be more useful in practice than here's an un-signed ASCII  
 text file filled with legal boilerplate which really is an LOA, honest.
 
 I can suggest the kind of text I think is needed off-line if that  
 seems useful.
 
 [I copy the list on this so that it doesn't appear that the thread  
 ended over-abruptly in the archive.]
 
 
 Joe
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www1.ietf.org/mailman/listinfo/dnsop

Sure...  It should be there shortly.

--bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: L-Root address change [Re: [DNSOP] AS112 for TLDs]

[bmanning]

On Wed, Nov 28, 2007 at 10:58:17AM -0500, Matt Larson wrote:
 On Wed, 28 Nov 2007, Peter Koch wrote:
  On Tue, Nov 27, 2007 at 02:35:29PM -0800, John Crain wrote:
  
   Currently about 60% New IP to 40% old IP... and rising slowly
   
   So clearly a lot of folks still need to up date their hints files :(
  
  part of that traffic will be due to old hints files, but priming was
  actually supposed to accelerate the migration.  40% of total L traffic
  seems a bit much for 1/13 of the priming traffic?
 
 Why old root server IP addresses recieve so much traffic is a great
 mystery and has been for several years.  We addressed this in 2004 in
 the Life and Times of J-root presentation for NANOG 32:
 
   http://www.nanog.org/mtg-0410/pdf/kosters.pdf
 
 Note that at the time, I fingerprinted the responsive queriers and
 many were late-model BIND, all of which are known to prime.
 
 As I write this, J root's old IP address is receiving 1000 queries per
 second and that's over five years after we changed its address.
 Perhaps this is some sort of DNS equivlanet to cosmic background
 radiation, dating back the beginning of the Internet?
 
 Matt
 

and perhaps more interesting, the old address for B
showed a tapering off of traffic and then an INCREASE
last year.   Old L and J got their numbers less than a
decade ago.  ...  so i would not go back as far as the
begining of the Internet.  Old B has been around for quite
a while longer.

--bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: L-Root address change [Re: [DNSOP] AS112 for TLDs]

[bmanning]

On Wed, Nov 28, 2007 at 05:15:59PM +0100, bert hubert wrote:
 On Wed, Nov 28, 2007 at 04:07:59PM +, [EMAIL PROTECTED] wrote:
  and perhaps more interesting, the old address for B
  showed a tapering off of traffic and then an INCREASE
  last year.   Old L and J got their numbers less than a
  decade ago.  ...  so i would not go back as far as the
  begining of the Internet.  Old B has been around for quite
  a while longer.
 
 The increase in traffic might easily be due to more favourable connectivity
 to 'B', which would lead many resolver implementations to shift more queries
 to it.
 
   Bert
 

old B topolgy didnt change... :)

--bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: B-Root address change [Re: [DNSOP] AS112 for TLDs]

[bmanning]

On Wed, Nov 28, 2007 at 05:28:47PM +0100, bert hubert wrote:
 On Wed, Nov 28, 2007 at 04:22:41PM +, [EMAIL PROTECTED] wrote:
   The increase in traffic might easily be due to more favourable 
   connectivity
   to 'B', which would lead many resolver implementations to shift more 
   queries
   to it.
   
 Bert
   
  
  old B topolgy didnt change... :)
 
 Admittedly, you have a far better view of the internet than I do :-) - But
 I'm not ruling out changes *other* people made to their networks.
 
 Also, perhaps the other roots just became less attractive.
 
   Bert
 

the increase in queries occured after we stopped running
a nameserver on the address and more than a year after 
the public announcement and change in the hints files.

not saying other topology change didn't have the effects
you describe, it just seems odd.

--bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Always registering the IP address of the name servers during a delegation?

[bmanning]

On Tue, Nov 27, 2007 at 01:18:04PM -0500, Edward Lewis wrote:
 At 5:59 PM + 11/27/07, [EMAIL PROTECTED] wrote:
 
  so WHO is the owner of that IP data, the zone admin
  for example.org or the machine admin for ns1.example.org?
 
 The zone admin for sure.  It is the registration of the domain name 
 that is specifying the address records of the name servers.

then we have a small issue...  you as zone admin, can't 
dictate which IP's i must use on my machines, since you don't
control my connectivity.  as zone admin, your job is to 
provide accurate mapping betwn lable and address ... the
extent of your influence is over the lables used, not their
IP addresses.

 The reason I say for sure comes from an experience of Harald 
 Alvestrand.  (I can't find a URL referencing the problem.)  Some 
 years ago one of his slave servers was in a domain whose registration 
 expired and was taken up by a different registrant.  Had he 
 registered the IP address of the slave he intended to be using, it 
 would have been easier to debug why every Nth query seemed to get 
 answered incorrectly.
 
  historically, the HOST has had an independent admin, precisely
  because they control the IP's used by the machine, not the zone
  admin.
 
 Historically, we didn't worry about domain name registrations changing 
 hands.

Historically, we did worry. We also worried about changes in
topology. 

 
 -- 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Edward Lewis+1-571-434-5468
 NeuStar
 
 Think glocally.  Act confused.
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www1.ietf.org/mailman/listinfo/dnsop

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Always registering the IP address of the name servers during a delegation?

[bmanning]

On Tue, Nov 27, 2007 at 01:03:59PM -0800, David Conrad wrote:
 Bill,
 
  i have a zone, example.org and chose the following
  nameservers:
  
  moe.rice.edu
  ns.isi.edu
  PDC.example.org
  
  as the admin of PDC.example.org, I know what IP addresses
  are assigned and can change them on whim.  However, It is
  the Height of Arrogance to presume I can tell the rice.edu
  or isi.edu people what IP addresses to use on their machines.
 
 Presumably (assuming we're talking about professionally run infrastructure),
 there is an agreement between the zone administrator and the providers of
 secondary services.  The IP addresses in use for the secondary service
 should be part of that agreement.
 
 Regards,
 -drc
 

there may be some debate as to how much information is subject
to contractual binding.  I would hate to be bound to a multiyear
contract w/ CSC for nameservice that tied me to one of their old
IP blocks.  Net 10 is used in so many more places these days.

--bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] AS112 LOA?

[bmanning]

On Mon, Nov 26, 2007 at 01:26:00PM -0500, Warren Kumari wrote:
 
 On Nov 26, 2007, at 11:48 AM, Joe Abley wrote:
 
 
 I don't have strong feelings about whether the LOA in an RFC idea  
 is plausible, or even good, but I thought I'd throw it out anyway.  
 If there was consensus that such a document was worthwhile, I'd  
 happy to do the legwork (and it'd be sufficiently brief in content  
 and purpose that I could imagine it being thrown up to the IESG  
 fairly swiftly).
 
 I think it sounds like an excellent idea -- I think that you may still  
 have some issues getting providers to accept it, but hopefully way  
 fewer issues than you would otherwise...
 
 The other option would be to actually create a legal entity called   
 Root Server Technical Operations Assn and have some way of  
 automatically generating LOA's (maybe a web form that generates a  
 PDF!), but this sounds like it may be a bad idea...
 
 W
 
 
 Comments and opinions welcome :-)
 
 
 Joe

humph I think this is a surefire way to poison this prefix
forever.  if the IETF is the body holding the delegation, then
they would be able to sign the ROA... otherwise, the body holding
the prefix (paying the bills) will be signing the ROA...  the
system is not prepared to deal w/ anonymous roll/shell accounts.
(see the RBN mess)

so, i'm not persuaded that this si a smart or wise idea.  its
hardcoding another special use prefix in millions of places all
over the net.  

that said, i;m sure it will be seen as a provident/prudent way
forward and there will be herds of folks lining up in support.
good luck :)

--bill


___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-ietf-dnsop-default-local-zones-01

[bmanning]

On Fri, Jun 08, 2007 at 02:57:35PM +1000, Mark Andrews wrote:
 
  I also concur with the various protests against using . for the RNAME,
  and would suggest instead nobody.localhost. along with a ref to
  2606. That should be sufficiently clear to any human who looks at it,
  and also meets the goal of not providing any useful data to a spam bot.
 
   Not nobody.invalid.?
 
   [EMAIL PROTECTED] is likely to be a real mailbox.
   [EMAIL PROTECTED] should bounce.

why do you think so?

 
   Mark
 
 -- 
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
 
 ___
 DNSOP mailing list
 DNSOP@ietf.org
 https://www1.ietf.org/mailman/listinfo/dnsop

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] draft-ietf-dnsop-default-local-zones-01

[bmanning]

On Thu, Jun 07, 2007 at 07:18:01AM -0400, Joe Abley wrote:
 
 On 7-Jun-2007, at 01:20, Mark Andrews wrote:
 
  Show me the xml.  There should be a way to do a table.
 
 t
   list
 t0.IN-ADDR.ARPA   /* IPv4 THIS NETWORK  
 *//t
 t127.IN-ADDR.ARPA /* IPv4 LOOP-BACK  
 NETWORK *//t
 t254.169.IN-ADDR.ARPA /* IPv4 LINK LOCAL *//t
 t2.0.192.IN-ADDR.ARPA /* IPv4 TEST NET *//t
 t255.255.255.255.IN-ADDR.ARPA /* IPv4 BROADCAST *//t
   /list
 /t
 
 There is a way to do a table:
 
   texttable
 ttcolZone/ttcolttcolDescription/ttcol
 c0.IN-ADDR.ARPA/c/cIPv4 THIS NETWORK/c
 c127.IN-ADDR.ARPA/ccIPv4 LOOP-BACK NETWORK/c
 c254.169.IN-ADDR.ARPA/ccIPv4 LINK LOCAL/c
 c2.0.192.IN-ADDR.ARPA/ccIPv4 TEST NET/c
 c255.255.255.255.IN-ADDR.ARPA/ccIPv4 BROADCAST/c
   /texttable
 
 There are details in http://xml.resource.org/authoring/draft-mrose- 
 writing-rfcs.html (see section 2.3.1.4).
 
 
 JoeA


to borrow a phrase:

I'm too young for nroff and too old for xml...
 I'm generation V(i)!

--bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Adopt draft-koch-dnsop-resolver-priming as WG work item?

[bmanning]

On Thu, Jun 07, 2007 at 10:24:41AM -0400, Andrew Sullivan wrote:
 On Thu, Jun 07, 2007 at 10:20:33AM -0400, Thierry Moreau wrote:
  
  OK, 0.02 worth of unsupported personal attacks against me. Out of topic. 
  Counter-productive. Not worth replying.
 
 Perhaps the next time you think something is not worth replying to,
 you could follow that conclusion with what would seem to be the
 obvious non-action?
 
 A
 
 -- 
 Andrew Sullivan 204-4141 Yonge Street

actually, the key point here is that apparently a number of 
(good) people are avoiding the IETF process because they
believe their ideas, intended to be partof open standards
development, are being patented by others and then used as 
leverage to force particular outcomes.  

Such beliefs are corrosive and distructive to the IETF process
and it is not clear how such concerns could be avoided in
todays environment.  

So work is being done outside the IETF, where there is trust.

--bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop

Re: [DNSOP] Best Practice document on local copy of the root zone?

[bmanning]

On Sat, Feb 10, 2007 at 09:50:43PM +0100, Paul Wouters wrote:
 On Sat, 10 Feb 2007, Pekka Savola wrote:
 
  As Bert mentioned in the next message, the risk of outdated (and therefor
  out-of-sync) roots is real.
 
 I just compared the root zone as RedHat shipped it on Fri 07 Sep 2001,
 with the root zone as published on root-servers.org, and only B and J
 are different. So even using a 6 year old root zone will work fine in
 the case of a flat out successfull attack against all root servers. I
 will buy a beer for everyone on this list who doesn't have 6 year old
 or newer root zone lying around within two hops of their desktop.
 
 Paul

really?  there have been several new TLDs added in the past few years
and dozens of glue changes.  I'd posit that the root zone of six years
ago is quite a bit different than the root zone of today.

and if B  J are different that A,C-I,K-M, then this should only be
due to rounding error of a few hours.

--bill

___
DNSOP mailing list
DNSOP@ietf.org
https://www1.ietf.org/mailman/listinfo/dnsop